Erase cards and softcards

Erasing a card or softcard removes all the secret information from the card or softcard and deletes information about the card or softcard from the host.

In the case of an OCS that uses nShield Remote Administration Cards, it is possible to reformat the cards at any time using slotinfo --ignoreauth. In the case of an OCS that uses standard nShield cards, it is only possible to erase or format the cards within the Security World in which they were created.

You can erase Operator Cards using

  • the unit front panel (only network-attached HSMs)

  • KeySafe

  • createocs

You can also use these methods to erase Administrator Cards other than those in the current Security World’s ACS (for example, you could use these methods to erase the remaining Administrator Cards from an incomplete set that has been replaced or Administrator Cards from another Security World).

None of these tools erases cards from the current Security World’s ACS.

If you erase an Operator Card that is the only card in an OCS, information about the card set is deleted. However, if you erase one card from an OCS of multiple cards, you must remove the card information from the opt/nfast/kmdata/local/ (Linux) or %NFAST_KMDATA\local% (Windows) directory after you have erased the last card.

You can erase an entire card set at one time with the KeySafe Remove OCS! feature. For more information, see List an Operator Card Set.

FIPS 140 Level 3-compliant Security Worlds

When you attempt to erase cards for a Security World that complies with FIPS 140 Level 3, you are prompted to insert an Administrator Card or Operator Card from an existing set. You may need to specify to the application the slot you are going to use to insert the card. You need to insert the card only once in a session. You can therefore use one of the cards that you are about to erase.

Erase card sets using an nShield network-attached HSM front panel

To erase a card set using the front panel, follow this procedure:

  1. From the main menu select: Security World mgmt > Card operations > Erase card

  2. Insert the card set that you want to erase. The card is read.

  3. You are asked to confirm that you want to erase this card from the card set.

  4. To confirm, press the right-hand navigation button.

  5. You are asked once again if you want to erase this card.

  6. To confirm, press the right-hand navigation button.

Erase cards with KeySafe

To erase a card using KeySafe use the following procedure:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click the Card Sets menu button. KeySafe takes you to the Card Operations panel.

  3. Click the Examine/Change Card navigation button. KeySafe takes you to the Examine/Change Card panel.

  4. Insert the card that you want to erase into the reader.

  5. Click the Erase Card button. You do not need to supply the passphrase (if there is one) to erase an Operator Card.

  6. KeySafe asks you to confirm that you want to erase this card. If you are sure that you want to erase it, click the Yes button.

    Erasing a card does not erase the keys protected by that card. The keys are still listed on the keys panel but are unusable.

    If you erase an Operator Card that is the only card in an OCS, KeySafe deletes information about that card set. However, if you erase one card from an OCS of multiple cards, you must remove the card information from opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA\local% (Windows) after you have erased the last card.

  7. After erasing a card, KeySafe displays a dialog to confirm that the card has been erased. Click OK to continue using KeySafe.

    You can erase an entire card set at one time with the KeySafe Discard Card Set(s) feature.

Erase cards using the command line

To erase a card from the command line, run the command:

createocs -m|--module=<MODULE> -e|--erase

If you have more than one card reader and there is more than one card available, createocs prompts you to confirm which card you wish to erase. Use [Ctrl][X] to switch between cards.

If you have created a FIPS 140 Level 3 compliant Security World, you must provide authorization in order to erase or create Operator Cards. You can obtain this authorization from any card in the ACS or from any Operator Card in the current Security World, including cards that are to be erased. After you insert a card containing this authorization, createocs prompts you to insert the card to be erased.

As an alternative, you can reformat using slotinfo --format.

Erase softcards

Erasing a softcard deletes all information about the softcard from the host. You can erase softcards using KeySafe or with the ppmk command-line utility.

Erase softcards with KeySafe

To erase softcards with KeySafe:

  1. Start KeySafe.

  2. Click the Softcards menu button. KeySafe takes you to the Softcard Operations panel.

  3. Select the softcard you want to erase from the list.

  4. Click the Discard Softcard button.

  5. KeySafe asks you to confirm that you want to erase this card. Click Yes to confirm.

  6. After erasing a softcard, KeySafe displays a dialog box to confirm that the card has been erased. Click OK to continue using KeySafe.

Erasing softcards with ppmk

To erase a softcard with ppmk, open a command window, and give the command:

ppmk --delete <NAME>|<IDENT>

In this command, you can identify the softcard to be erased either by its name (NAME) or by its logical token hash as listed by nfkminfo (<IDENT>).

If you are working within a FIPS 140 Level 3 compliant Security World, you must provide authorization to erase softcards; ppmk prompts you to insert a card that contains this authorization. Insert any card from the ACS or any Operator Card from the current Security World.

If you insert an Administrator Card from another Security World or an Operator Card that you have just created, ppmk displays an error message and prompts you to insert a card with valid authorization. When ppmk has obtained the authorization from a valid card or if no authorization is required, it completes the process of erasing the softcard.