Resetting a CipherTrust Manager

In some scenarios, you might wish to reset a CipherTrust Manager, deleting its data and restoring to a fresh state. There are a few ways to reset, depending on your access permissions to the CipherTrust Manager.

• If you have completed full initialization of the appliance and can log in to the CLI or the REST API as the root Admin, those interfaces are preferred.

• If you can access the CipherTrust Manager through SSH or serial console, and login as the ksadmin user, you can use the kscfg system configuration utility to perform a system reset or system factory reset.

• If you have serial access to a physical CipherTrust Manager but cannot login as ksadmin, you can perform a zero knowledge factory reset.

Reset Through REST API or CLI

In the REST API, the root admin can use POST with /v1/system/services/reset to wipe all the data in CipherTrust Manager. You can optionally include "delay":integerin the request body to set a delay in seconds. The default delay is 5 seconds.

In the ksctl CLI, the root admin can run ksctl services reset to wipe all the data in CipherTrust Manager. You can optionally include the --delay flag to set a delay in seconds. The default delay is 5 seconds.

System Reset

The kscfg system reset command can be used to perform a hard reset of the CipherTrust Manager.

This destructive operation wipes all data on the CipherTrust Manager and should be used with care.

Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:

1. Create and download a backup of the database.

2. Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.

Usage

kscfg system reset [flags]

Flags:

-f, --force   When this flag is set, any errors encountered during reset are ignored, and the reset procedure
              continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
              should be used when all else fails.

-h, --help    help for reset

-y, --yes     When this flag is set, all user prompts during the reset process are skipped. A default value
              of 'yes' is used as the automatic response to all prompts.

Examples

kscfg system reset [-f] [-y]

Response:

    This will perform a full reset of the ${cm} services.
    WARNING - This is a destructive operation and will wipe all data in the ${cm}.
    It will delete all backupkeys and the HSM configuration.
    Normally, the REST API or the CLI should be used for performing the reset.
    THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
    It is good practice to perform the following steps prior to running this command:
       1. Create and download a backup of the database.
       2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
    Do you want to continue? [y/N] y
    This will take some time, please wait
    Device reset has started. It will take a few minutes to complete.

System Factory Reset

The kscfg system factory-reset can be used on k470 and k570 appliance models to revert the system to its factory defaults.

This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.

This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".

If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment.

Usage

kscfg system factory-reset [flags]

Flags:

-h, --help    help for factory-reset

-y, --yes     When this flag is set, all user prompts during the reset process are skipped. A default value
              of 'yes' is used as the automatic response to all prompts.

Examples

kscfg system factory-reset [-y]

Response:

WARNING: This operation will revert the system to its factory defaults !!!

    (1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
    (2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
    (3) If embedded HSM is available, it will not be reset as part of this operation.
    Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
    (4) If remote PED was used, it must be re-connected after completion.
    (5) This operation may take up to 15 minutes. Make sure you have power backup in place.
    (6) Access to the system will be unavailable. DO NOT restart the system during this time.
    (7) This operation includes multiple system reboot.
    (8) This operation CANNOT be undone.

Do you want to continue?

[y/N]

Adding Connector Licenses After System Reset

System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.

Zero Knowledge Factory Reset

This way of resetting an appliance requires no authentication. Zero knowledge factory reset is available for physical appliances only. To protect from misuse, this feature requires serial access to the appliance, and contact with Thales customer support.

This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.

1. Open a serial connection to the appliance.

2. At the ciphertrust login: prompt enter factoryreset

   You are presented with the following options:

   Options:
   1. Initiate factory reset by generating a challenge from this system
   2. Input response and perform factory reset
   

3. Enter 1 to generate a challenge request.

   Your choice: 1
   Copy the following request to CipherTrust Manager support:
   <challenge_request_string>
   

4. Copy the challenge string and send it to Thales customer support.

5. Press ENTER in the serial session to return to the previous options.

6. Once you have received a response text from customer support, enter 2 to input the response.

   Your choice: 2
   Paste response text from support (end with an empty line):
   <support_response_string>
   

   The following warning is displayed:

   WARNING: This operation will revert the system to its factory defaults !!!
       (1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
       (2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
       (3) If embedded HSM is available, it will not be reset as part of this operation.
       Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
       (4) If remote PED was used, it must be re-connected after completion.
       (5) This operation may take up to 15 minutes. Make sure you have power backup in place.
       (6) Access to the system will be unavailable. DO NOT restart the system during this time.
       (7) This operation includes multiple system reboot.
       (8) This operation CANNOT be undone.
   

7. Type proceed to continue with the reset.