Remove modules and delete Security Worlds

Erase a module from a Security World

Erasing a module from a Security World deletes from the module all of the secret information that is used to protect your Security World. This returns the module to the factory state. Provided that you still have the ACS and the host data, you can restore the secrets by adding the module to the Security World.

Erasing a module removes any data stored in its nonvolatile memory (for example, data for an SEE program or NVRAM-stored keys). To preserve this data, you must back it up before erasing the module. We provide the nvram-backup utility to enable data stored in nonvolatile memory to be backed up and restored.

You do not need the ACS to erase a module. However, unless you have a valid ACS and the host data for this Security World, you cannot restore the Security World after you have erased it.

After you have erased a module, it is in the same state as when it left Entrust (that is, it has a random module key and a known KNSO).

(PCIe and USB HSMs) In order to erase a module, you must:

  • Be logged into your computer as root (Linux) or as a user who is permitted to create privileged connections (Windows).

  • Have started the module in the pre-initialization mode.

(nShield 5s) If you are physically removing the module from the machine where it is installed, run hsmadmin enroll after removing the module. This refreshes the list of nShield HSM modules currently installed on the machine.

Erasing a module from the unit front panel (network-attached HSMs)

To erase a module from a Security World, from the main menu, select Security World mgmt > Module initialization > Erase Security World.

When you erase a Security World in this way, the Security World files remain on the remote file system. Delete these files if you wish to remove Security World completely. For more information, see Security World Files.

Erase a module with new-world

The new-world command-line utility can erase any modules that are in the pre-initialization mode.

To erase modules with the new-world utility, run the command:

new-world [-e|--factory] [-m|--module=<MODULE>]

If new-world successfully erased a module, it displays a message that it restored the module to factory state.

For more information, see new-world.

Erase a module with KeySafe

You can erase a module on a server with KeySafe by following these steps:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click the World menu button, or select World from the Manage menu. KeySafe takes you to the World Operations panel.

  3. Click the Erase Module button. KeySafe takes you to the Erase Module panel.

  4. Select the module that you want to erase by clicking its listing on the Security world status tree, then click the Commit command button.

    KeySafe erases all secrets from the module, returning it to its factory state.

If you have any keys that were protected by an erased module, you cannot access them unless you restore these secrets. You cannot restore these secrets unless you have the appropriate ACS.

Erase a module with initunit

The initunit command-line utility erases any modules that are in the pre-initialization state.

To erase modules with the initunit utility, run the command:

initunit [-m|--module=<MODULE>] [-s|--strong-kml]

In the initunit command, --module=<MODULE> specifies the ID of the module you want to erase. If you do not specify this option, all modules in the pre-initialization state are erased. --strong-kml specifies that the module generates an AES (SP800-131A) module signing key, rather than the default key.

The --disablepkcs1pad option will only work on SP800-131A Security Worlds.

Output

If initunit is successful, for each module that is in the pre-initialization state, it returns a message similar to this:

 Initialising Unit
># Setting dummy HKNSO Module Key Info:
 HKNSO
>################### HKM
>###################

Otherwise, initunit returns an error message.

Replacing an existing Security World (network-attached HSMs)

When you erase a Security World from the module’s front panel, all long-term key material is deleted from the module’s memory and all Security World data is removed from the module’s internal file system.

This operation does not remove any files from the remote file system or client machines. You should remove the files manually from the /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) directory on the remote file system and any client computers to which the Security World was copied.

Any Operator Cards created in a previous Security World cannot be used in the new Security World. If you are replacing a Security World, you must erase all the Operator Cards created in the previous Security World before you create the new Security World. See Erasing cards and softcards.

Deleting a Security World

You can remove an existing Security World and replace it with a new one if, for example, you believe that your existing Security World has been compromised. However:

  • You are not able to access any keys that you previously used in a deleted Security World

  • It is recommended that you reformat any nShield Remote Administration Cards that were used as Operator Cards within this Security World before you delete it. For more information about reformatting (or erasing) Operator Cards, see Erasing cards and softcards.

Except for nShield Remote Administration Cards, if you do not reformat the smart cards used as Operator Cards before you delete your Security World, you must throw them away because they cannot be used, erased, or reformatted without the old Security World key.
You can, and should, reuse the smart cards from a deleted Security World’s ACS. If you do not reuse or destroy these cards, then an attacker with these smart cards, a copy of your data (for example, a weekly backup) and access to any nShield key management HSM can access your old keys.

To delete an existing Security World:

  1. Remove all the HSMs from the Security World.

  2. Delete the Security World data files, see Security World Files.

    There may be copies of the Security World data archive saved on your backup media. If you have not reused or destroyed the old ACS, an attacker in possession of these cards could access your old keys using this backup media.
    If audit logging was enabled for the Security World then audit logs can still be verified provided that the audit log data is maintained as this contains all the information needed to verify the logs. For further information see Audit Logging.

Deleting the Security World using the nShield HSM front panel (network-attached HSMs)

When you erase a Security World using the unit front panel, all long-term key material is deleted from the HSM’s memory and all Security World data is removed from the HSM’s internal file system.

  • You will not be able to access any of the keys that you have previously used

  • Before you remove an old Security World, you must reformat any smart cards that were used previously as Operator Cards within this Security World.

If you do not reformat the smart cards used as Operator Cards before you reinitialize your HSM, you must throw them away because they cannot be used, erased, or reformatted without the old Security World key.

You can, and should, reuse the smart cards from the old ACS. If you do not reuse or destroy these cards, then an attacker with these smart cards, a copy of your data (for example, a weekly backup) and access to any nShield key management HSM, can access your old keys.

To erase a Security World using the front panel of the unit, from the main menu select Security World mgmt > Module initialization > Erase Security World.

This operation does not remove any files from the RFS or client machines. You should remove the files manually from the /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) directory on the RFS and any client computers to which the Security World was copied.