Erase cards and softcards

Erasing a card or softcard removes all the secret information from the card or softcard and deletes information about the card or softcard from the host.

In the case of an OCS that uses nShield Remote Administration Cards, it is possible to reformat the cards at any time using slotinfo --ignoreauth. In the case of an OCS that uses standard nShield cards, it is only possible to erase or format the cards within the Security World in which they were created.

You can erase Operator Cards using

  • the unit front panel (network-attached HSMs only)

  • createocs

You can also use these methods to erase Administrator Cards other than those in the current Security World’s ACS (for example, you could use these methods to erase the remaining Administrator Cards from an incomplete set that has been replaced or Administrator Cards from another Security World).

None of these tools erases cards from the current Security World’s ACS.

If you erase an Operator Card that is the only card in an OCS, information about the card set is deleted. However, if you erase one card from an OCS of multiple cards, you must remove the card information from the /opt/nfast/kmdata/local/ (Linux) or %NFAST_KMDATA%\local (Windows) directory after you have erased the last card.

FIPS 140 Level 3-compliant Security Worlds

When you attempt to erase cards for a Security World that complies with FIPS 140 Level 3, you are prompted to insert an Administrator Card or Operator Card from an existing set. You may need to specify to the application the slot you are going to use to insert the card. You need to insert the card only once in a session. You can therefore use one of the cards that you are about to erase.

Erase card sets using an nShield network-attached HSM front panel

To erase a card set using the front panel, follow this procedure:

  1. From the main menu select: Security World mgmt > Card operations > Erase card

  2. Insert a card from the card set that you want to erase. The card is read.

  3. You are asked to confirm that you want to erase this card from the card set.

  4. To confirm, press the right-hand navigation button.

  5. You are asked once again if you want to erase this card.

  6. To confirm, press the right-hand navigation button.

Erase cards using the command line

To erase a card from the command line, run the command:

createocs -m|--module=<MODULE> -e|--erase

If you have more than one card reader and there is more than one card available, createocs prompts you to confirm which card you wish to erase. Use [Ctrl][X] to switch between cards.

If you have created a FIPS 140 Level 3 compliant Security World, you must provide authorization in order to erase or create Operator Cards. You can obtain this authorization from any card in the ACS or from any Operator Card in the current Security World, including cards that are to be erased. After you insert a card containing this authorization, createocs prompts you to insert the card to be erased.

As an alternative, you can reformat using slotinfo --format.

Erase softcards

Erasing a softcard deletes all information about the softcard from the host. You can erase softcards with the ppmk command-line utility.

Erasing softcards with ppmk

To erase a softcard with ppmk, open a command window, and give the command:

ppmk --delete <NAME>|<IDENT>

In this command, you can identify the softcard to be erased either by its name (<NAME>) or by its logical token hash as listed by nfkminfo (<IDENT>).

If you are working within a FIPS 140 Level 3 compliant Security World, you must provide authorization to erase softcards; ppmk prompts you to insert a card that contains this authorization. Insert any card from the ACS or any Operator Card from the current Security World.

If you insert an Administrator Card from another Security World or an Operator Card that you have just created, ppmk displays an error message and prompts you to insert a card with valid authorization. When ppmk has obtained the authorization from a valid card or if no authorization is required, it completes the process of erasing the softcard.