HSM Emergency Decommission Button

The Luna Network HSM appliance includes a way to decommission the HSM, or permanently deny access to all objects on it, without need for either a serial console or a remote (SSH) connection.

To directly decommission the HSM inside the Luna Network HSM appliance, press and release the small red button on the rear panel.

>The appliance does not need to be powered on.

>The appliance does not need to have power cables connected.

You will need a small screwdriver or other tool to reach the Emergency Decommission button. This is intentional, to prevent accidental pressing of that button.

What the Emergency Decommission Button Does

When you press the Decommission button, all partitions and their contents are deleted, as well as the audit role, and the audit configuration. The HSM policy settings are retained.

To bring the HSM back into service, you need to:

1. Reinitialize the HSM

2. Reinitialize the audit role and reconfigure auditing

3. Recreate the partitions

4. Reinitialize the partition roles

Event Summary

Here is what you would observe after the button is depressed:

>The LCD on the appliance front panel freezes. Communication to the internal HSM card is blocked, as is the software process that polls the HSM for status.

>At this point, you must power cycle the Luna Network HSM appliance by depressing the momentary-contact START/STOP switch on the back panel of the system.

>After restarting, the appliance writes a tamper log message to the messages syslog.

>lunash:> hsm show displays the text Manually Zeroized: Yes, to signify that the system executed the decommission process.

>The HSM must be re-initialized (lunash:> hsm init) before you can begin using it again.
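The Manually Zeroized indicator described above can be checked from saved hsm show output, for instance before shipping the appliance or when monitoring for an unexpected button press. This is an added example, not Thales code: only the text "Manually Zeroized: Yes" comes from this page, while the "No" value, the sample field layout and the function names are assumptions.

```python
import re

# Constructed sample of `hsm show` output saved on an admin host.
# Only "Manually Zeroized: Yes" is taken from the page; the other field,
# the column layout and the "No" value are assumptions for illustration.
SAMPLE_AFTER_BUTTON = """\
   HSM Details:
   ============
   HSM Label:                 (constructed)
   Manually Zeroized:         Yes
"""
SAMPLE_NORMAL = SAMPLE_AFTER_BUTTON.replace("Yes", "No")

# Tolerates CRLF line endings, which are common in captured SSH sessions.
_FIELD = re.compile(r"^[ \t]*Manually Zeroized:[ \t]*(\S+)[ \t\r]*$",
                    re.I | re.M)


def zeroized_state(hsm_show_text):
    """Return 'decommissioned', 'in-service' or 'unknown'."""
    values = {v.lower() for v in _FIELD.findall(hsm_show_text)}
    if values == {"yes"}:
        return "decommissioned"
    if values == {"no"}:
        return "in-service"
    # Field missing, unexpected value, or conflicting lines: do not guess.
    return "unknown"


def check(hsm_show_text, expect_decommissioned):
    """Compare the observed state with what the operator expects.

    Returns (ok, message). 'unknown' is never ok, so a failed or
    truncated capture cannot pass as a clean check.
    """
    state = zeroized_state(hsm_show_text)
    if state == "unknown":
        return False, "cannot determine state: field missing or malformed"
    observed = state == "decommissioned"
    if observed == expect_decommissioned:
        return True, f"state is {state}, as expected"
    if observed:
        return False, "HSM decommissioned unexpectedly: review physical access"
    return False, "HSM is not decommissioned: do not ship"


if __name__ == "__main__":
    print(check(SAMPLE_AFTER_BUTTON, expect_decommissioned=True))
    print(check(SAMPLE_NORMAL, expect_decommissioned=True))
```

Because the LCD and HSM polling freeze until the appliance is power cycled, capture the hsm show output only after the restart.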

Comparison Summary

View a table that compares and contrasts the "Emergency Decommission" event with other deny access events or actions that are sometimes confused: Comparison of Destruction/Denial Actions.

Disabling Decommissioning

You can disable the decommissioning feature if you have the factory-installed HSM Capability 46: Allow Disable Decommission (see HSM Capabilities and Policies). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see Tamper Events). If decommissioning is disabled, you can continue to use the Luna Network HSM after the battery has been depleted, but this is not recommended by Thales.

To disable decommissioning

Set HSM Policy 46: Disable Decommission to 1 (ON).

lunash:> hsm changepolicy -policy 46 -value 1

When to Use the Emergency Decommission Button

The primary purpose of the decommission button is for a situation where the appliance is not responding and you wish to send it back to Thales, but you need a way to permanently prevent access to material contained within the HSM. You might find other uses in your organization.

What to do after decommission if the Luna Network HSM is being returned to Thales

1. Obtain a Return Material Authorization and shipping instructions from Thales, if you have not already done so.

2. Pack the appliance and ship it to Thales.