Tampering or decommissioning the HSM
A tamper event formats the secure memory of the HSM, erasing all cryptographic material, configuration, and user data. This is triggered automatically when someone attempts to tamper with the HSM in any of the following ways:
- Removing a ProtectServer 3 PCIe from its PCIe bus.
- Opening the ProtectServer 3 PCIe host chassis, if a chassis intrusion switch is connected (see Connecting a chassis intrusion connector to the tamper header).
- Opening the ProtectServer 3 External or ProtectServer 3+ External appliance chassis.
This function protects your important keys in the case of a physical attack on the HSM. It is also an important part of any decommissioning procedure, when the HSM has reached the end of its life cycle, or after a security-sensitive event that requires all stored data to be destroyed immediately.
Note
FMs that have been loaded onto the HSM are not deleted from the HSM after a tamper event. To delete FMs from the HSM, use the ctfm utility before tampering the HSM. For more information about deleting FMs, see ctfm.
Caution
If FMs are present on the HSM that modify login behaviour, the user will be permanently locked out of the HSM after a tamper event. To avoid an RMA, you must delete these FMs by using the ctfm utility before tampering the HSM. For more information about deleting FMs using the ctfm utility, see ctfm.
To deliberately tamper the HSM, you can use a hardware or software procedure depending on your reasons for tampering and your access to the physical HSM.
Decommission prerequisites
If you are tampering the HSM as part of a decommissioning or RMA process, and you have a ProtectServer Owner Key/Certificate (POK/POC) and/or ProtectServer Identity Key/Certificate (PIK/PIC) configured on the HSM, generate new ones before you proceed with the tamper. These keys and certificates are intended to survive a tamper event, so they must be replaced manually if that POC/PIC scheme is still in use on other ProtectServer 3 HSMs that will remain in service.
- If you have a POK/POC configured, use the procedure for Establishing a ProtectServer 3 HSM as the HSM certificate authority.
- If you only have a PIK/PIC configured, use the procedure for Creating a PIK and self-signed PIC on a ProtectServer 3 HSM.
Hardware tamper procedures
The hardware tamper procedure is different for each variant of the ProtectServer 3 HSM hardware.
ProtectServer 3 PCIe
There are two methods of performing a hardware tamper of the ProtectServer 3 PCIe:
- Remove the adapter from the PCIe bus.
- Open the host chassis if a chassis intrusion switch is connected. For more information about connecting a chassis intrusion switch, see Connecting a chassis intrusion connector to the tamper header.
If you wish to remove the ProtectServer 3 PCIe from the host PCIe bus without triggering a tamper event, see Using Transport Mode to Avoid a Board Removal Tamper.
ProtectServer 3 External
The ProtectServer 3 External appliance has a keyed tamper lock on the rear panel (see Tamper Lock).
To hardware tamper the ProtectServer 3 External
- Insert the tamper key into the tamper lock and turn it to the vertical (Tamper) position.
  All tokens, key material, and user configuration on the HSM are destroyed.
- If you wish to re-initialize the HSM for continued use, turn the tamper key back to the horizontal (Active) position.
- If you are decommissioning the ProtectServer 3 External, perform a factory reset of the appliance configuration. For more information, refer to Resetting the appliance to factory settings.
ProtectServer 3+ External
The ProtectServer 3+ External has a tamper button on the rear panel (see item G shown in ProtectServer 3+ External Rear Panel).
To hardware tamper the ProtectServer 3+ External
- Press the tamper button on the back of the ProtectServer 3+ External appliance. Pressing the tamper button flags the HSM to be placed in a tamper state. At this point, all keys and tokens still exist on the HSM and running applications will work normally.
- Log on to PSESH as admin or pseoperator and restart the appliance.
  psesh:>sysconf appliance reboot
  After the restart, the HSM is tampered and erased.
- If you are decommissioning the ProtectServer 3+ External, perform a factory reset of the appliance configuration. For more information, refer to Resetting the appliance to factory settings.
Software tamper procedure
You can also tamper the HSM using the ctconf utility. However, the following constraints apply:
- Only the administrator can tamper the HSM, due to the highly destructive nature of this action.
- All sessions must be closed before performing a software tamper, and no user should be accessing the HSM during a software tamper procedure.
The tamper procedure is the same regardless of the HSM variant. If you are performing a tamper as part of decommissioning a ProtectServer 3 External appliance, you must also factory reset the appliance configuration.
To tamper the HSM using software
- Use the ctconf utility to trigger the tamper event:
  The administrator is prompted for their PIN and to confirm the action. Notification of success or failure is displayed.
- If you are decommissioning a ProtectServer 3 External or ProtectServer 3+ External, perform a factory reset of the appliance configuration. For more information, refer to Resetting the appliance to factory settings.