Manual Chapter : Remove sensitive data from an embedded hardware security module (HSM)

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP APM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP Analytics

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP LTM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP AFM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP PEM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP DNS

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

BIG-IP ASM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3
Manual Chapter

Remove sensitive data from an embedded hardware security module (HSM)

If the system includes an embedded hardware security module (HSM), also referred to as a FIPS card, you can remove the sensitive customer data from HSM before returning it to F5.
The HSM cannot be removed from the platform.
  1. Log in to the command line of the system using an account with root access.
  2. Delete all key/certificate pairs.
    tmsh sys crypto cert delete all
    This removes all
    .crt
    ,
    .exp
    , and
    .key
    files from the system.
  3. Initialize the HSM and reconfigure it using fictitious data.
    run util fips-util -f init
    The
    -f
    option forces initialization, which deletes all user-generated keys.
    For more information on using this command on a FIPS platform, see
    BIG-IP® Platform: FIPS Administration
    .
    This deletes all keys and makes any previously exported keys unusable.