Physical security of the HSM
This chapter provides a brief overview of the physical security measures that have been implemented to protect your nShield HSM. You are also shown how to check the physical security of your nShield HSM.
The tamper detection functionality on the nShield HSM provides additional physical security, over and above that provided by the holographic security seal, and alerts you to tampering in an operational environment. There is a removable lid on top of the nShield HSM, protected by the security seal and tamper switches. To prevent the insertion of objects into the nShield HSM, baffles are placed behind vents.
To optimize their effectiveness, use the physical security measures implemented on the nShield HSM in association with your security policies and procedures. For more information about creating and managing security policies, see the Security Policy Guide on the NIST CMVP website.
The FIPS 140 Level 3 boundary is at the internal module.
Tamper event
The nShield HSM offers several layers of tamper protection. The outer boundary of the box is tamper-responsive. When tampered, the unit ceases to provide cryptographic functionality, alerts the operator of the event, and ultimately forces the operator to reset the unit to factory defaults. Movements and vibrations, or replacing the fan tray module or a PSU, do not activate the tamper detection functionality.
If a tamper event does occur, you can use the Security World data stored on the RFS and the Administrator Card Set to recover the keys and cryptographic data.
nShield HSM lid is closed
If the nShield HSM is powered, a tamper event has occurred, and the lid is closed, the unit will automatically reset to a factory state.
Should this happen, examine your unit for physical signs of tampering (see Physical security checks).
If you discover signs of tampering do not attempt to put the unit back into operation. The date and time of the tamper event are recorded in the log (see Logging, debugging, and diagnostics).
The tamper-responsiveness circuitry has a Real Time Clock that is synchronised to the system time of the nShield HSM; however, the times associated with events in the tamper log may still have slight offsets from the times recorded in other log files.
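The clock offset described above matters when you try to line up a tamper-log entry with what the rest of the unit was logging at the time. The following is an added example, not nShield code: it parses two constructed log excerpts (the line format is invented for illustration, since this page does not document the real nShield log formats) and, for each tamper-log event, collects the entries from the other log that fall within a tolerance window, nearest first, so that a small clock offset does not cause the related entries to be missed.

```python
"""Correlate tamper-log events with other HSM log entries despite small clock offsets.

Added example, not part of the nShield product code. The log line format
"<ISO timestamp> <source> <message>" is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample excerpt of a tamper log.
TAMPER_LOG = """\
2024-03-04T10:15:07 tamper Lid opened
2024-03-04T10:15:09 tamper Tamper event: unit reset to factory state
"""

# Constructed sample excerpt of a system log kept by a different clock source.
SYSTEM_LOG = """\
2024-03-04T10:14:58 hardserver Security World loaded
2024-03-04T10:15:05 frontpanel Unit lid is open
2024-03-04T10:15:12 hardserver Module 1 entering factory state
2024-03-04T11:02:30 hardserver Reboot requested
"""


def parse_log(text):
    """Parse lines of the constructed format into (timestamp, source, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source, msg))
    return events


def correlate(tamper_events, system_events, tolerance=timedelta(seconds=10)):
    """For each tamper event, list system-log entries within +/- tolerance, nearest first.

    Returns a dict keyed by (tamper timestamp, tamper message) whose values are
    lists of (system timestamp, system message). The tolerance absorbs the
    slight offset between the tamper circuitry's clock and other log clocks.
    """
    matches = {}
    for t_time, _, t_msg in tamper_events:
        nearby = [
            (abs((s_time - t_time).total_seconds()), s_time.isoformat(), s_msg)
            for s_time, _, s_msg in system_events
            if abs(s_time - t_time) <= tolerance
        ]
        nearby.sort()  # smallest time difference first
        matches[(t_time.isoformat(), t_msg)] = [(ts, msg) for _, ts, msg in nearby]
    return matches


if __name__ == "__main__":
    for tamper, related in correlate(parse_log(TAMPER_LOG), parse_log(SYSTEM_LOG)).items():
        print(tamper)
        for ts, msg in related:
            print("   ", ts, msg)
```

The tolerance is a parameter because the page only says the offsets are slight; pick a window that matches what you observe between the two logs on your own unit, and treat any tamper-log entry with no nearby system entries as worth a closer look rather than as noise.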
If there are signs of tampering, and the tamper event occurred:
- During transit from Entrust, contact Support.
- After installation, refer to your security policies and procedures.
For more information about creating and managing security policies, see the Security Policy Guide.
You require a quorum of the Administrator Card Set (ACS) to restore the key data and reconnect the nShield HSM to the network.
nShield HSM lid is open
If the nShield HSM is powered, a tamper event has occurred, and the lid is open, the following message is displayed onscreen:
Unit lid is open
An open lid indicates that the physical security of the unit is compromised. You may want to examine your unit for other physical signs of tampering (see Physical security checks). Do not attempt to put the unit back into operation.
The date and time of the tamper event are recorded in the log files (see Logging, debugging, and diagnostics). If the tamper event occurred:
- During transit from Entrust, contact Support.
- After installation, refer to your security policies and procedures. For more information about creating and managing security policies, see the Security Policy Guide on the NIST CMVP website.
After closing the lid you must reboot the nShield HSM. The unit will then automatically reset to a factory state. If the lid remains open, the above message will remain on the screen and all button presses are ignored.
Physical security checks
Check the physical security of your nShield HSM before installation and at regular intervals afterwards. For an alternative presentation of the physical security checks described here, see the Physical Security Checklist. For more information about tamper events, and what actions to take if you discover signs of tampering, see Tamper event.
To determine if the security of the nShield HSM is compromised:
- Check that the physical security seal is authentic and intact. Look for the holographic foil bearing the nCipher logo. Look for cuts, tears and voiding of the seal. The seal is located on the top of the nShield HSM chassis.
  [Image: Location of security seal]
  For information about the appearance of intact and damaged security seals, see the Physical Security Checklist, available on the nShield product documentation site.
- Check that the metal lid remains flush with the nShield HSM chassis.
- Check all surfaces — the top, bottom and sides of the nShield HSM — for signs of physical damage.
- Check that there are no signs of physical damage to the vents, including attempts to insert objects into the vents.
Replacing the fans and PSU
You can replace the fans or a power supply unit (PSU) without activating a tamper event as both are outside the security boundary. You can access:
- The PSU(s) from the rear of the nShield HSM.
- The fans through the removable front vent.
Should a problem occur with the fans or a PSU, contact Support before taking further action. For more information about replacing the fans or a PSU, see the Fan Tray Module Installation Sheet or the Power Supply Unit Installation Sheet, available on the nShield product documentation site.
Connect XC and nShield 5c: The fan tray module contains back-up batteries providing reserve capacity (a guaranteed minimum of 3 years) for tamper detection functionality even when the nShield HSM is in an unpowered state.
nShield 5c 10G: The battery module provides backup power for the tamper detection functionality even when the nShield HSM is in an unpowered state.
The tamper protection circuitry remains fully operational if the nShield HSM is placed on standby while a replacement operation is performed (whether you are replacing the fans or one of the two PSUs, in the case of dual PSU units).
If the nShield HSM is connected to the mains power supply, it displays an onscreen error message when back-up battery power is low.
Replacing the fan tray module (Connect XC and nShield 5c)
It is not necessary to remove mains power to replace a fan tray module.
Entrust recommends that you power down the unit into standby state using the front panel power button.
However, if mains power is removed then a replacement fan tray module must be installed within 1 hour to ensure that a tamper event is not activated.
If you put the unit into standby state before changing the fan tray module, the time allowed for the replacement is unlimited.
For more information about replacing the fan tray module, see the Fan Tray Module Installation Sheet, available on the nShield product documentation site.
Fan tray module error messages
If you receive any of the following error messages on the nShield HSM display, accompanied by the orange warning LED, follow the related action in the table below:
Error message | Action |
---|---|
Single fan fail | Contact Support |
Many fans fail | Replace fan tray |
Battery power low | Consider replacing fan tray during the next scheduled service/maintenance period. |
System Shutdown Both fans in a pair had failed | Replace fan tray |
If the error message is Single fan fail, the nShield HSM can continue operating under the specified operating environment. Although you are advised to contact Support, the limited nature of such a failure means you can replace the fan tray module at your convenience.
If the error message is Many fans fail, you must replace the fan tray module immediately.
If the error message is Battery Power low, this indicates that one or both of the backup batteries located on the fan tray module (required only when the nShield HSM is removed from mains power) are running low.
The Battery Power low indication has no detrimental effect on the nShield HSM performance whilst the unit remains powered. Entrust recommends that customers consider replacing the fan tray module during the next service/maintenance period.
If two fans fail from a redundant pair, the nShield HSM will display the error message Many fans have failed for a few seconds and will then shut down. On reboot, the nShield HSM will display the error messages System Shutdown and Both fans in a pair had failed. In this situation the fan tray module must be replaced immediately.
Replacing the PSU
Network-attached nShield HSMs have dual redundant power supplies. If the power to one PSU is removed or the PSU becomes faulty the remaining PSU will continue to supply power to the appliance. The faulty PSU may be hot-plugged while the appliance remains powered by the other PSU.
Tamper detection continues while the PSU is replaced.
An audible alarm sounds if a PSU is unpowered on a Connect XC or nShield 5c unit. There is no audible alarm if a PSU is unpowered on an nShield 5c 10G unit.
For more information about replacing the PSU, see the Power Supply Unit Installation Sheet, available on the nShield product documentation site.
PSU error messages
If a PSU fails, an orange warning LED comes on and an error message is displayed on the nShield HSM display. Although you are advised to contact Support, the unit can continue to operate normally and you can replace the failed PSU at your convenience. There is no need to power down the unit when you replace the failed PSU.
In addition to the orange warning LED, an audible warning is given when a PSU fails on an nShield HSM. The audible warning is turned off when you navigate to the Critical errors screen.
Battery life when storing the nShield HSM
If an nShield HSM has been in storage for an extended period of time, the fan tray module may need replacement.
Entrust guarantees a minimum battery life of three years, even if the nShield HSM remains in storage and is not connected to the mains power supply during this time.