Tampering or Decommissioning the HSM

A tamper event formats the secure memory of the HSM, erasing all cryptographic material, configuration, and user data. This is triggered automatically when someone attempts to tamper with the HSM in any of the following ways:

> Removing a ProtectServer PCIe 2 from its PCIe bus.

> Opening the ProtectServer PCIe 2 host chassis, if a chassis intrusion switch is connected (for more information about connecting a chassis intrusion switch, see The Tamper-Input Header).

> Opening the ProtectServer External 2 or ProtectServer External 2 Plus appliance chassis.

This function protects your important keys in the event of a physical attack on the HSM. It is also an important part of any decommissioning procedure, when the HSM has reached the end of its lifecycle, or after a security-sensitive event that requires all stored data to be destroyed immediately.

NOTE: FMs that have been loaded onto the HSM are not deleted from the HSM after a tamper event. To delete FMs from the HSM, use the ctfm utility before tampering the HSM. For more information about deleting FMs using the ctfm utility, see ctfm.

CAUTION! If FMs are present on the HSM that modify login behaviour, the user will be permanently locked out of the HSM after a tamper event. To avoid an RMA, you must delete these FMs by using the ctfm utility before tampering the HSM. For more information about deleting FMs using the ctfm utility, see ctfm.

To deliberately tamper the HSM, you can use a hardware or software procedure depending on your reasons for tampering and your access to the physical HSM.

Hardware Tamper Procedures

The hardware tamper procedure is different for each variant of the ProtectServer 2 HSM hardware.

ProtectServer PCIe 2 HSM

There are two methods of performing a hardware tamper of the ProtectServer PCIe 2:

> Remove the adapter from the PCIe bus.

> Open the host chassis if a chassis intrusion switch is connected. For more information about connecting a chassis intrusion switch, see The Tamper-Input Header.

If you wish to remove the ProtectServer PCIe 2 from the host PCIe bus without triggering a tamper event, see Using Transport Mode to Avoid a Board Removal Tamper.

ProtectServer External 2 HSM

The ProtectServer External 2 appliance has a keyed tamper lock on the rear panel (see ProtectServer External 2 rear panel).

To hardware tamper the ProtectServer External 2 HSM

1. Insert the tamper key into the tamper lock and turn it to the vertical (Tamper) position.

All tokens, key material, and user configuration on the HSM are destroyed.

2. If you wish to re-initialize the HSM for continued use, turn the tamper key back to the horizontal (Active) position.

3. If you are decommissioning the appliance, log in to PSESH as admin and perform a factory reset of the appliance configuration:

psesh:>sysconf appliance factory

ProtectServer External 2 Plus HSM

The ProtectServer External 2 Plus has a tamper button on the rear panel (see Rear panel view).

To hardware tamper the ProtectServer External 2 Plus HSM

1. Press the tamper button on the back of the ProtectServer External 2 Plus appliance. Pressing the Tamper button flags the HSM to be placed in a tamper state. At this point, all keys and tokens still exist on the HSM and running applications will work normally.

2. Log in to PSESH as admin or pseoperator and reboot the appliance.

psesh:> sysconf appliance reboot

After the reboot, the HSM is tampered and erased.

3. If you are decommissioning the appliance, log in to PSESH as admin and perform a factory reset of the appliance configuration:

psesh:>sysconf appliance factory

Software Tamper Procedure

You can also tamper the HSM using the ctconf utility. However, the following constraints apply:

> Only the administrator may tamper the HSM, due to the highly destructive nature of this action.

> All sessions must be closed before performing a software tamper and no user should be accessing the HSM during the software tamper procedure.

The tamper procedure is the same regardless of the HSM variant. If you are performing a tamper as part of decommissioning a ProtectServer External 2 appliance, you must also factory reset the appliance configuration.

To tamper the HSM using software

1. Use the ctconf utility to trigger the tamper event:

ctconf -x

The administrator is prompted to enter their PIN and to confirm the action. A notification of success or failure is displayed.

2. If you are decommissioning a ProtectServer External 2 or ProtectServer External 2 Plus appliance, log in to PSESH as admin and perform a factory reset of the appliance configuration:

psesh:>sysconf appliance factory