Recovery mode

nShield HSMs are loaded with two different firmware images:

  • The primary image.

  • A recovery image.

During normal operation, the HSM is running firmware that is loaded from the primary image.

If required, the HSM can be forced into recovery mode to run firmware loaded from the recovery image. Entry into recovery mode performs the same actions as hsmadmin factorystate.

Recovery mode is useful in the following cases:

Restrictions in recovery mode

The main purpose of recovery mode is to allow essential maintenance activities that are not possible in primary mode.

When in recovery mode, the ncoreapi service does not run. Only the platform services are available, meaning that only the commands described in Administration of platform services are available.

Commands that make use of the ncoreapi service do not run and may show error messages.

Entry into recovery mode

Boot the HSM into recovery mode by holding down the recovery mode button on the back panel of the HSM whilst rebooting. See the appropriate Installation Guide for your nShield HSM for the location of the recovery mode button. This button is non-latching and must be held down for at least 60s after the reboot has been initiated. The reboot may be triggered either by hsmadmin reset or by power cycling the host machine containing the HSM.

Booting into recovery mode performs the same actions as hsmadmin factorystate. You must run hsmadmin enroll after the boot has completed before any further actions can be performed.

Run hsmadmin status to verify that the HSM is in recovery mode.

Exit from recovery mode

Exit recovery mode by booting the HSM without the recovery mode button held down. If the firmware is changed whilst in recovery mode using hsmadmin upgrade, the unit automatically reboots.

When the unit next boots into primary mode it will be in factory state. You must run hsmadmin enroll again before any further actions can be performed.

Run hsmadmin status to verify that the HSM is in the correct mode.