Futurex Usb backup hsm User manual

USBBACKUP HSM

User Guide

Applicable Devices:

Vectera Plus

Guardian Series 3

KMES Series 3

RKMS Series 3

THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION PROPRIETARY TO FUTUREX, LP. ANY UNAUTHORIZED USE, DISCLOSURE,

OR DUPLICATION OF THIS DOCUMENT OR ANY OF ITS CONTENTS IS EXPRESSLY PROHIBITED.

USER GUIDE | USBBACKUP HSM

Page 2of 31

TABLE OF CONTENTS

[1] DOCUMENT INFORMATION 3

[1.1] DOCUMENT OVERVIEW 3

[1.2] APPLICATION DESCRIPTION 3

[1.3] COPYRIGHT AND TRADEMARK NOTICES 3

[1.4] TERMS OF USE 3

[2] HARDWARE SPECIFICATIONS 4

[3] INITIAL SETUP AND USE 5

[3.1] ADMIN PINAND ADMIN MODE 5

[3.2] LOCKING THE DEVICE 6

[3.3] UNLOCKING THE DEVICE 6

[3.4] SETTING A MINIMUM PINLENGTH 6

[3.5] FORMATTING THE USBBACKUP HSM 7

[4] USER PIN SETUP AND MANAGEMENT 8

[4.1] ADMIN-GENERATED USER PIN 8

[4.2] CREATING FORCED ENROLLMENT STATE ALLOWING USER TO GENERATE USER PIN 8

[4.3] CHANGING THE USER PIN 8

[4.4] DELETING THE USER PIN 9

[5] SECURITY SETTINGS 10

[5.1] SELF-DESTRUCT PIN 10

[5.2] BRUTE-FORCE PROTECTION 11

[5.3] UNATTENDED AUTO-LOCK 11

[6] SPECIAL MODES 13

[6.1] ONE-TIME-USE RECOVERY PINS13

[6.2] SETTING READ-ONLY OR READ/WRITE MODES 14

[6.3] LOCK OVERRIDE MODE 15

[6.4] DIAGNOSTIC MODE 16

[7] DEVICE RESET 18

[8] USING WITH AN HSM 19

[8.1] BACKING UP AND RESTORING DATA 19

[9] USING WITH A KMES, RKMS, OR GUARDIAN 22

[9.1] MANUAL BACKUP 22

[9.3] SAVING EXPORTED LOGS 24

APPENDIX A: LED STATES 26

APPENDIX B: PROGRAMMING KEY COMBINATIONS 27

APPENDIX C: TROUBLESHOOTING FAQ 29

APPENDIX D: XCEPTIONALSUPPORT 30

USER GUIDE | USBBACKUP HSM

Page 3of 31

[1] DOCUMENT INFORMATION

[1.1] DOCUMENT OVERVIEW

The purpose of this document is to provide information regarding the configuration of Futurex USBBackup

HSM devices, including PINsetup, applying security settings, and using with Futurex devices.

[1.2] APPLICATION DESCRIPTION

The USBBackup HSMallows users to safely back up their device data via PINprotection and AES256

encryption. Users can unlock the device by entering their PIN into the device's keypad before plugging it into a

USBport and performing data operations. Once complete, the device is automatically locked when the users

withdraws the device from the USBport. Data cannot be retrieved or parsed without PIN entry, offering an

additional layer of protection for sensitive backup or key information.

[1.3] COPYRIGHT AND TRADEMARK NOTICES

Neither the whole nor any part of the information contained in this document may be adapted or reproduced

in any material or electronic form without the prior written consent of the copyright holder.

Information in this document is subject to change without notice.

Futurex makes no warranty of any kind with regard to this information, including, but not limited to, the

implied warranties of merchantability and fitness for a particular purpose. Futurex shall not be liable for

errors contained herein or for incidental or consequential damages concerned with the furnishing,

performance, or use of this material.

[1.4] TERMS OF USE

This integration guide, as well as the software and/or products described in it, are furnished under agreement

with Futurex and may be used only in accordance with the terms of such agreement. Except as permitted by

such agreement, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in

any form or by any means, electronic, mechanical, recording, or otherwise, without prior written permission

of Futurex.

USER GUIDE | USBBACKUP HSM

Page 4of 31

[2] HARDWARE SPECIFICATIONS

lData transfer rate: Up to 190MB/s read & 80MB/s write

lPower Supply: USB port or internal battery

lInterface: Super Speed USB 3.1 (Backwards compatible with USB 3.0, 2.0 and 1.1)

lDimensions:81mm x 18.4mm x 9.5mm, 22 g

lApprovals: FIPS 140-2 Level 3, IP-67, FCC, CE, VCCI, WEE, C-TICK

lECCN / HTS / Cage Code: 5A992.c / 8473.50.3000 / 3VYK8

lSystem Requirements:Windows, Mac, Linux, Android. and Symbian systems, or any powered USB OS

with a file storage system

USER GUIDE | USBBACKUP HSM

Page 5of 31

[3] INITIAL SETUP AND USE

Each USB Backup HSM is shipped without a preset Personal Identification Number (PIN). To prepare the USB

Backup HSM for use, the user must first create a 7 to 16 digit-long Admin PIN. The Admin PIN is used to set the

HSM’s various Admin features, and serves as the first of two User PINs for the HSM’s standard operation.

NOTE: PINs cannot contain all consecutive numbers or all the same numbers (e.g. 123456789, 987654321 or

11111111, 22222222, etc.).

[3.1] ADMIN PINAND ADMIN MODE

To set up any of the device’s Admin functions, the Admin Mode must first be entered. Once in the Admin

mode, each of the device’s functions can be addressed with the appropriate button commands. While in the

Admin Mode, the data on the device will not be accessible.

Prior to your first use of the USBBackup HSM, you must first set an Admin PIN. Immediately after setting up

your Admin PIN, you may then continue setting up other functions. If you do nothing for a period of 30

seconds, the device will revert to its standby state.

Setting up the AdminPIN

1. Press to start the device. The blue and green LEDs will turn on, indicating no Admin PIN has been

established.

2. Press and 9 simultaneously. The blue LED will illuminate, and the green LED will blink.

3. Enter the PIN desired for the Admin code and press . If the PIN is accepted, the blue LED will turn off

momentarily and the green LED will blink 3 times. The green LED will then continue to blink as the blue

LED illuminates.

4. Quickly re-enter the same PIN once more and press . This will lead to the blue LED turning off

momentarily and the green LED glowing for one second. Then the blue LED will illuminate, indicating

that the Admin PIN has been set and the USB Backup HSM is in Admin mode, ready to add another User

PIN or for setting up features.

5. To exit the Admin mode, press (the red LED will illuminate) or wait 30 seconds, and the USB Backup

HSM will return to sleep mode.

lIf no additional users or Admin features need to be set, the USB Backup HSM setup is now

complete and ready for use.

Re-entering Admin mode

1. Press and hold + 0 for five seconds until the red LED blinks. This indicates that you can enter the

Admin PIN.

2. Enter the Admin PIN and press the button.

3. Admin Mode is indicated by a solid blueLED.

4. To exit Admin Mode, either allow 30 seconds of inactivity, or press the button.

USER GUIDE | USBBACKUP HSM

Page 6of 31

Changing the Admin PIN

Changes to the Admin PIN can only be made while the device is in Admin mode.

1. Enter the Admin mode by holding + 0 for five seconds – with the red LED blinking, enter the Admin

PIN and press the button. The blue LED will glow solidly.

2. Press + 9 together. The blue LED will glow solidly and the green LED will blink.

3. Enter the new Admin PIN and press the button. The green LED will blink three times.

4. Re-enter the new Admin PIN and press the button. The green LED will glow solidly for a second or

two and then return to the Admin mode, indicated by the blue LED glowing solidly.

[3.2] LOCKING THE DEVICE

To lock the USB Backup HSM, press the button. When locked, the redLED will illuminate.

If data is still being written to the device, it must be completed before the locking operation takes place. The

button can also be used to exit out of the Admin mode.

NOTE: The USB Backup HSM will not be recognized by any operating system in its locked state.

[3.3] UNLOCKING THE DEVICE

1. Press the button to wake the device from sleep mode. The redLED will illuminate.

2. Enter either an Admin PIN or User PIN and press the button.

lIf the PIN is accepted, the green LED will quickly blink four times, then continue to blink slowly

until it is plugged into a USB port. After being plugged in, the green LED will illuminate.

lIf the PIN is incorrect, the red LED will blink three times and then be illuminated.

3. Upon correct PIN entry, the device will be unlocked and ready for use. If it is not plugged into a USB port

within 30 seconds, the USB Backup HSM will return to sleep mode and automatically lock itself.

[3.4] SETTING A MINIMUM PINLENGTH

The USBBackup HSM’s minimum PIN length is 7 by default. However, for greater security, a longer minimum

PIN setting of up to 16 characters can be implemented.

1. Enter the Admin mode. (Hold + 0 for five seconds – with red LED blinking, enter the Admin PIN and

press the button.) The blue LED will glow solidly.

2. Press the + 4 buttons simultaneously. The red LED will blink twice.

3. Enter the new minimum PIN length in two characters. For example, 08 = 8 characters, 11 = 11

characters, etc.

4. If accepted, the green LED will blink three times and the Secure Key will return to the Admin mode,

indicated by the blue LED glowing solidly. If the numeric entry is below 07 or greater than 16, the red

LED will blink three times indicating entry error, and the command will not be accepted.

USER GUIDE | USBBACKUP HSM

Page 7of 31

[3.5] FORMATTING THE USBBACKUP HSM

Windows 10

1. Wake the device by pressing .

2. Unlock the device by entering the Admin PIN, followed by . If the PINis correct, the green LED should

blink three times, then will illuminate.

3. Insert the device into a USB port.

4. A window should open, revealing the device's contents. Right click on the device in the window's left-

hand navigation section, and choose Format.

5. Specify settings in the Format window. By default, the file system should be FAT32.

6. In the Volume label field, fill in a name for the device.

7. Click Start, then confirm through the warning message that appears. The drive will be formatted and

can now be used.

Mac OSX

The USB Backup HSM comes preformatted in FAT32 for complete cross-platform compatibility, and is ready

for use. For a strictly Mac OS environment, the user must first reformat the device to Mac OS Extended

(Journaled).

Once the device is unlocked and inserted into a USB port, open the Mac Disk Utility from

Applications/Utilities/Disk Utilities and do the following:

1. Select the USB Backup HSM from the list of drives and volumes.

2. Click the Erase tab.

3. Enter a name for the device. The name will eventually appear on the desktop.

4. Select a volume format to use. The Volume Format dropdown menu lists the available drive formats

that the Mac supports. The recommended format type is Mac OS Extended (Journaled).

5. Click the Erase button. Disk Utility will unmount the volume from the desktop, erase it, and then

remount it on the desktop.

USER GUIDE | USBBACKUP HSM

Page 8of 31

[4] USER PIN SETUP AND MANAGEMENT

There are two ways to establish a User PIN: Admin-generated while in Admin Mode, or user-generated while

the device is placed in User Forced Enrollment State.

[4.1] ADMIN-GENERATED USER PIN

1. Enter the Admin Mode by pressing and holding and 0 for five seconds; the red LED will blink. Enter

the Admin PIN and press ; the blue LED will illuminate.

2. Press and hold and 1 until the blue LED is illuminated and the green LED starts blinking.

3. Enter the PIN desired as the user code and press . The blue LED will turn off and the green LED will

blink 3 times, then the green LED will continue blinking and the blue LED will be illuminated.

4. Quickly re-enter that same PIN once more and press .

If the PIN was successfully added, the blue LED will turn off and the green LED will illuminate for a one to two

seconds and then will turn off, followed by the blue LED illuminating, indicating that the device has returned to

Admin Mode. If the PIN is unacceptable, the red LED will flash three times, followed by solid blue / blinking

green LEDs.

[4.2] CREATING FORCED ENROLLMENT STATE ALLOWING USER TO GENERATE USER PIN

NOTE: This can only be done if there isn’t already a User PIN established on the HSM using the method above.

1. Enter the Admin Mode by holding and 0 for five seconds, causing the red LED to blink. Enter the

Admin PIN and press . The blue LED will illuminate.

2. Press 0 and 1 and the green LED will blink three times, followed by the blue LED illuminating.

3. Press the button to return the USB Backup HSM to its locked state. The device is now in User Forced

Enrollment State, allowing a user to establish their own User PIN.

User-Generated User PIN in Forced Enrollment State

1. Press and ensure that the blue and the green LEDs are illuminated.

2. Press and 1 and ensure that the blue LED is illuminated while the green LED blinks. Enter the new

User PIN and press . The green LED will blink three times, then continue blinking as the blue LED

illuminates.

3. Within 30 seconds, enter that same User PIN once more, and press again. The green LED will

illuminate for a few seconds, then the drive will return to its locked state, indicated by the red LED

illuminating. The device can now be accessed using either the User PIN or the Admin PIN.

[4.3] CHANGING THE USER PIN

The User PIN can be changed within the User mode.

NOTE: The Admin PIN cannot be changed while in the User mode. The Admin PIN can only be changed from

within the Admin mode.

USER GUIDE | USBBACKUP HSM

Page 9of 31

You can change the User PIN by doing the following:

1. Unlock the USBBackup HSM with the User PIN. The green LED will blink.

2. Press the + 1 buttons together for five seconds. The red LED will blink.

3. Enter the current User PIN and press the button. The blue LED will glow solidly and the green LED

will blink.

4. Enter the new User PIN and press the button. The green LED will blink three times, followed by the

blue LED glowing solidly and the green LED blinking.

5. Re-enter the new User PIN and press the button. The green LED will glow solidly for a second or two,

then will return to the User mode, indicated by the green LED blinking.

[4.4] DELETING THE USER PIN

Delete the User PIN by doing the following:

1. Enter the Admin mode by holding + 0 for five seconds. With the red LED blinking, enter the Admin

PIN and press the button; the blue LED will now glow solidly.

2. Press the 7 + 8 buttons together for five seconds. The green LED will blink three times and then will be

followed by the red and blue LEDs blinking alternately.

3. Press the 7 + 8 buttons together again for five seconds. The green LED will glow solidly for a second or

two.

4. The key will return to Admin mode indicated by the blue LED glowing solidly.

NOTE: Deleting the User PIN will also delete the "Self-Destruct PIN" on the next page as well as all recovery

PINs (if any have been set).

USER GUIDE | USBBACKUP HSM

Page 10 of 31

[5] SECURITY SETTINGS

[5.1] SELF-DESTRUCT PIN

The USB Backup HSM’s Self-Destruct PIN defends against physically compromising situations by erasing the

device’s contents and leaving it to look as if it never had any data written to it.

USE WITH CAUTION! When this mode is activated and the device is unlocked with the Self-Destruct PIN, it will

effectively perform a crypto-erase on the device, deleting all of its data. Additionally, the encryption device

will be deleted and a new encryption device will be created to take its place. When this Self-Destruct PIN is

entered, the device will unlock and the green LED will glow solidly as if the device is being normally unlocked.

The device, however, will need to be partitioned and reformatted before it can be used again. Additionally,

The previous Admin and User codes will be deleted in the crypto-erase process and the Self-Destruct PIN will

then become the new Admin PIN to unlock the device.

The Self-Destruct feature can only be enabled or disabled by the Admin. However, the Self-Destruct PIN can be

generated by either the Admin or the User. If the Admin generates the Self-Destruct PIN, only the Admin can

change that PIN. If the User generates the Self- Destruct PIN, both the User and the Admin can change the PIN.

NOTE: The Self-Destruct PIN must be different from the Admin PIN, User PIN, and Recovery PINs.

1. By default, the Self-Destruct feature is disabled. To allow the USB Backup HSM to be set with a Self-

Destruct PIN, Enter the Admin mode. (Hold + 0 for five seconds; while the red LED is blinking, enter

the Admin PIN and press the button.) The blue LED will glow solidly.

2. Press the 7 and 4 buttons simultaneously. The green LED will blink three times, and at this point, the Self

Destruct PIN can now be set by the Admin while the device is in the Admin mode. If the intent is for the

Self-Destruct PIN to be set up at another time by the User, press the button and refer to the User

Setting Self Destruct PIN instructions below. Otherwise, continue to step 3.

3. Press + 3 until the red and blue LEDs blink alternately.

4. Enter the Self-Destruct PIN and press . The green LED will blink three times and then will return to

red and blue LEDs blinking alternately.

5. Re-enter the Self-Destruct PIN and press . The green LED will glow solidly for a few seconds and then

will return to either the Admin mode (indicated by the blue LED glowing solidly) or the unlocked state if

created by User.

6. To enable or disable the Self-Destruct PIN, enter the Admin mode and press the 7 + 4 buttons

simultaneously for a second or two; successful enablement will be indicated by three green LED blinks.

successful disablement of Self Destruct mode (press and hold the 7 + 4 buttons again) is indicated by

three red LED blinks.

Self-Destruct PIN Set by the User

If the device is enabled for Self-Destruct Mode by the Admin, unlock the device with the User PIN and follow

steps 3 through 5. Additionally, the user can change their Self-Destruct PIN by following these same steps.

Note that the mode can’t be enabled or disabled in the User mode.

USER GUIDE | USBBACKUP HSM

Page 11 of 31

[5.2] BRUTE-FORCE PROTECTION

A Brute-Force Attack is a means of breaching a cryptographic data defense scheme by systematically running

an astronomical number of decryption possibilities. With AES 256 having never been cracked, the data stored

on a USBBackup HSM is going to be more than well-protected against brute-force. But brute-force attacks

aren’t necessarily aimed at the bulk of the data itself, but rather, at the drive’s access PINs. After all, PINs are

usually the weakest links of any data protection plan, and as such, PINs are essentially all that a brute-force

attack needs to decrypt.

The default number of maximum incorrect PIN entries allowed is 20, but can be programmed to be as few as

four.

1. After three unsuccessful drive authentication attempts, the USBBackup HSMwill automatically add

additional time delays to each subsequent try thereafter. The red LED will blink the number of failed

attempts after three, all the way up to the halfway point of total allowed attempts, e.g. 10 total

programmed attempts; halfway point is 5.

2. Once that halfway point of the number of unsuccessful authentication attempts is reached, the keypad

will lock up and the red LED will blink at a rate of three flashes per second. No additional PIN attempts

will be recognized.

3. To unlock the keypad and regain the ability to enter a PIN, press and hold the 5 button and the button

together until the red and green LEDs blink alternately.

4. Enter the code “LastTry” (5278879) and press the button. The red LED will glow steadily. You will now

have the remaining 50% of PIN attempts.

5. When the device is successfully unlocked, the Brute-Force counter will return to zero.

The number of attempts possible, both before and after the LastTry (5278879) code is entered, can be set (in

Admin Mode) between 2 and 10 attempts.

Setting the before/after attempts to the minimum of two would allow for a total of four attempts (two before

entering the LastTry code and two after). To program the number of Brute-Force attempts allowed:

1. Enter the Admin mode. (Hold + 0 for five seconds; with the red LED blinking, enter the Admin PIN

and press the button.) The blue LED will glow solidly.

2. Press and hold the + 5 button for three seconds. The red LED will double-blink.

3. Press the number of before/after attempts desired on the numeric keypad (2-9). The green LED will

blink the same number of times to correspond to the number you have entered.

lFor example: the 8 button will result in eight blinks, and yield eight attempts before the LastTry

code and another eight attempts after, yielding a total of 16.

4. To return the device to its default setting, press the 1 key, followed by the 0 key, to change the number

back to ten attempts.

NOTE: The number of before and after attempts are the same, i.e., 4 before / 4 after, 8 before / 8 after, etc.

[5.3] UNATTENDED AUTO-LOCK

To protect against unauthorized access if the device is unlocked and unattended, the USBBackup HSM can be

set to automatically lock after a predetermined period of inactivity.

USER GUIDE | USBBACKUP HSM

Page 12 of 31

In its default state, the USBBackup HSM’s Unattended Auto-Lock feature is turned off. However, the

Unattended Auto-Lock can be set to activate after 5, 10, or 20 minutes of inactivity.

To set the Unattended Auto-Lock, perform the following steps:

1. Enter the Admin mode by holding + 0 for five seconds. With the red LED blinking, enter the Admin

PIN and press the button. The blue LED will glow solidly.

2. Once in the Admin mode, press + 6. The red and blue LEDs will blink alternately.

3. Press one of the numbers below that corresponds to the amount of inactivity you would like the device

to lock itself:

l0= OFF (default)

l1= 5 minutes

l2= 10 minutes

l3= 20 minutes

4. After you have entered the desired amount of allowable inactivity, the green LED will blink three times

indicating command acceptance, and then will return to the Admin mode, indicated by the blue LED

glowing solidly.

USER GUIDE | USBBACKUP HSM

Page 13 of 31

[6] SPECIAL MODES

[6.1] ONE-TIME-USE RECOVERY PINS

The Admin has the ability to set Recovery PINs that will allow a User to access data on the USB Backup HSM in

the event of a forgotten PIN by creating a new state of User Forced Enrollment in which a new User PIN can be

established without wiping any data off of the drive. The Admin can establish up to four single-use Recovery

PINs; once a Recovery PIN has been used to access the USB Backup HSM, it will no longer be available for

future recovery efforts.

NOTE: The Recovery PIN will not unlock the device, but will place the USB Backup HSM into a User Forced

Enrollment state, where the User can then establish a new User PIN which will then grant access the Key’s

data.

Setting Recovery PINs

1. Enter the Admin mode. (Hold + 0 for five seconds. With the red LED blinking, enter the Admin PIN

and press the button.) The blue LED will now glow solidly.

2. Press the + 8 buttons together. The green LED will blink three times by itself, and then will be joined

by a solid blue LED.

3. Enter the Recovery PIN and press the button. If the PIN is accepted, the green LED will blink three

times.

4. Repeat by entering that same Recovery PIN and pressing the button again. If PIN is accepted for the

final time, the green LED will blink three times and the USB Backup HSM will then return to the Admin

mode indicated by a solid blue LED.

5. To add more Recovery PINs, repeat steps 2-4. When finished, press the button to return device to its

standby mode.

Using a Recovery PIN

Deploying a Recovery PIN will put the USB Backup HSM into a state of User Forced Enrollment and that

recovery PIN will no longer be useable. Additionally, once in a state of User Forced Enrollment, the previous

User PIN will no longer be recognized as a valid PIN for drive authentication and a new User PIN must be

created.

1. With the USB Backup HSM in Standby mode, press and hold the + 7 buttons together for five seconds

and release once the red LED starts blinking.

2. Enter a recovery PIN (from Admin) and press the button. The green LED will blink three times by

itself, and then will be joined by a solid blue LED indicating the device is in User Forced Enrollment

mode.

3. Enter a new User PIN and press the button. The green LED will blink three times if accepted.

4. Re-enter that same new User PIN and press the button again to verify it. If accepted, the green LED

will blink three times and then the USB Backup HSM will return to its Standby state, indicated by the red

LED glowing steadily. The USB Backup HSM will now be accessible using this new User PIN.

USER GUIDE | USBBACKUP HSM

Page 14 of 31

[6.2] SETTING READ-ONLY OR READ/WRITE MODES

With a large number of viruses and Trojans that attach themselves to USB devices, the Read-Only feature is

especially useful if you need to access data on the device when used in a public setting. Additionally, Read-

Only is an important feature for forensic applications, where data must be preserved in its original, unaltered

state and can’t be overwritten or modified.

Admin Mode

The Admin can set the device to a Read-Only mode for both the Admin and the User. When set by the Admin,

the Admin is the only one that can change the device back to Read / Write mode.

When the device is unlocked in Read-Only mode and inserted into a USB port, the green LED will glow solidly

and the red LED will blink once every three seconds.

To set the USBto Read-Only:

1. Enter the Admin mode. (Hold + 0 for five seconds – with red LED blinking, enter the Admin PIN and

press the button.) The blue LED will glow solidly.

2. Press and hold the R + O (7 + 6) buttons together until the green LED blinks three times.

3. The device will return to Admin mode indicated by the blue LED glowing solidly.

4. Until changed, the device can only be read.

To return the USBto Read / Write:

1. Enter the Admin mode. (Hold + 0 for five seconds – with the red LED blinking, enter the Admin PIN

and press the button.) The blue LED will glow solidly.

2. Press and hold the R + W (7+ 9) buttons together until the green LED blinks three times.

3. The device will return to Admin mode, indicated by the blue LED glowing solidly and the device will be

restored to its normal Read / Write condition.

NOTE: Setting the device to Read/Write from the Admin mode will globally override a Read-Only mode that

has been set by the User.

User Mode

NOTE: When changing Read-Only or Read / Write settings, do not make these changes with the device

attached to an operating system. This may cause confusion within the operating system about the proper

status of the device, and the device may not function properly until the operating system has been restarted.

This mode will allow the User to set the Read / Write status of the device, without having access to the Admin

functions.

When the device is unlocked in Read-Only mode and inserted into a USB port, the red LED will blink once

every three seconds while the green LED will glow solidly.

If the device is set to be Read-Only in the Admin mode, the User cannot override that setting. Only the Admin

can return the device to Read / Write Mode.

To Set the device to Read-Only:

USER GUIDE | USBBACKUP HSM

Page 15 of 31

1. Press the button to wake the device. The red LED will glow solidly.

2. Press the R + O (7 + 6) buttons together for three seconds. The green LED will blink three times.

3. Enter the User / Admin PIN and press . The green LED will blink rapidly whenever the HSM is

connected to USB port.

4. The HSM will be in a Read-Only state the next time it is unlocked.

To Return the HSM to Read / Write:

1. Press the button to wake the device. The red LED will glow solidly.

2. Press the R + W (7+ 9) buttons together for three seconds. The green LED will blink three times.

3. Enter the User / Admin PIN and press . The green LED will glow solidly whenever the USB Backup

HSM is connected to a USB port.

4. The device will return to unlocked mode and can now be written to, indicated by the blinking green LED.

NOTE: Setting the device to Read/ Write from the User mode will not override a Read-Only setting that was

placed by the Admin. To set the device to Read-Only mode for both the User and the Admin, set the Read-Only

Mode using the Admin function.

[6.3] LOCK OVERRIDE MODE

Certain users may encounter a case where they need the device to remain unlocked during a reboot, passing

the device through a virtual machine or other similar situation which, under normal circumstances, would

cause the device to lock.

To help facilitate this type of usage, Lock-Override Mode will allow the device to remain unlocked through

USB port re-enumeration, and will not lock again until USB power is interrupted.

NOTE: When in this mode, the device is vulnerable to being moved from one computer and connected to

another computer, provided USB power is uninterrupted. Due to this vulnerability, we strongly recommend

that this mode be used only in circumstances where the device can be physically secured (as in a locked server

room) or in a place where it can be visually monitored while in this mode. Use of a powered hub or a Y-cable

increases this security risk.

Always return the device to the default Lock-Override Mode OFF when returning to normal service.

To set the “Lock-Override” to On:

1. Enter the Admin Mode (Press and hold + 0 for five seconds until the red LED blinks, then enter the

Admin code and press the button.) The blue LED will glow solidly.

2. Press the 7 + 1 together until the green LED blinks three times, followed by the blue LED glowing solidly.

3. When the device is unlocked and attached to a USB port in “Lock-Override Mode”, the blue LED will

blink once every three seconds to alert you that the “Lock-Override” mode is active.

NOTE: If “Unattended Auto-Lock” mode has been turned on, “Lock-Override” will not override it; the device

will lock itself upon reaching the selected amount of inactivity. If you need the device to stay unlocked, Enter

the Unattended Auto-Lock Feature and set the lock timer to “0” (0 = OFF).

To turn Lock-Override Mode off and return to normal operation:

USER GUIDE | USBBACKUP HSM

Page 16 of 31

1. Enter the Admin Mode.

2. Press the 7 + 0 together until the green LED blinks three times, followed by the blue LED glowing solidly.

3. To verify, unlock the device in User mode and check that the blue LED is no longer blinking.

[6.4] DIAGNOSTIC MODE

The keypad has a manual diagnostic mode built-in to verify proper keypad function and troubleshooting device

issues.

This mode will not allow access to any data or admin function. It can only be used to identify the firmware

level and to test button recognition.

To enter the diagnostic function:

1. Press , then press + 1, release, then press and continue to hold the 0 button as the red and blue

LEDs blink alternately. Once all three LEDs illuminate solidly, release the 0 button.

2. The blue LED will blink a number of times to represent the number of both the major and minor

revisions. The decimal point will be represented by a single red LED blink. Upon completion, the blue

LED will glow solidly. (Example: VERSION 4.1 would be indicated by four blue LED blinks, one red LED

blink, one blue LED blink, and one red LED blink, then revert to the blue LED glowing solidly.)

3. To check the keypad’s button functionality, press each button and the number of the button pressed will

be expressed by the red LED blinking. For example:

l1 Button= 1 blink

l2 Button = 2 blinks

l3 Button = 3 blinks

l0 Button = 10 blinks

lButton = 11 blinks

lButton = 12 blinks

4. To exit the Diagnostic Mode, wait for the 20 second timeout, or hold the Lock Button for about 7

seconds, to return the device to its normal operation.

Self-Diagnostics

During the initial power up, after the device has been plugged into a USB port, the device will perform self-

diagnostics on the encryption algorithm and critical hardware components. If the red LED blinks at a rate of

one blink per second for 15 seconds, returns to standby and will not unlock, unplug the device from USB port

and try again. If the red LED continues to blink in the manner mentioned above and won’t unlock upon USB re-

insertion, a critical component has failed and the device can no longer function.

If the device blinks a triple-red LED pattern that is repeated every two seconds when unlocked, a failure has

occurred that will not immediately stop the device from working nor affect the security of the device, but

should be considered as a warning that the device needs to be replaced in the near future. Additionally, Admin

features may be limited in this mode.

If either condition should appear, remove the device from the USB port and allow the device to go to sleep,

and try to unlock the device again. The event of either diagnostic failure will be very rare, but if the device

USER GUIDE | USBBACKUP HSM

Page 17 of 31

cannot recover, it must be replaced.

USER GUIDE | USBBACKUP HSM

Page 18 of 31

[7] DEVICE RESET

There may be circumstances (forgotten PIN, redeployment, return to factory default settings) when you need

to completely reset the device. The complete reset feature will perform a crypto-erase on the device,

generate a new encryption key, delete all users and formatting, and will return all of the settings to factory

default.

To perform a complete reset of the device, do the following:

1. Press and hold + + 2 together for ten seconds. The red and blue LEDs will blink alternately.

2. The green and red LEDs will glow solidly for several seconds, followed by the green LED glowing solidly

for several seconds, followed finally by the green and blue LEDs glowing solidly which indicates that the

reset is complete.

3. A new Admin PIN will need to be entered, and the device will need to be reformatted before it can be

used again.

lFor setting up a new Admin PIN, see the section on "Setting up the AdminPIN" on page5.

lFor formatting the device, see the section on "Formatting the USBBackup HSM" on page7.

USER GUIDE | USBBACKUP HSM

Page 19 of 31

[8] USING WITH AN HSM

The USBBackup HSMcan be used with Vectera Plus, Excrypt SSP Enterprise V2, and Excrypt Plus HSMs, to

safely store backups of keys and configuration settings, and to allow users to restore from those backups.

[8.1] BACKING UP AND RESTORING DATA

HSMconfiguration data can be backed up to the USBBackup HSM, and restored using the Backup Config and

Restore Config buttons. In addition, keys can be saved or imported using the Backup Keys and Restore Keys

buttons.

Backing Up Configuration Data

1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.

2. In Excrypt Manager, select the Maintenance tab on the left toolbar.

3. Under the Backup and Restore heading, click Backup Config to save the configuration data.

4. The Backup device to file window will open.

FIGURE: BACKUP DEVICE TO FILE WINDOW

lThe window will display the Checksum of the currently loaded Backup Key, or No Backup Key

loaded.

lIf a Backup Key has not yet been loaded, continue through the process of loading the key through

the key wizard or M of N fragments.

lIf a key has already been loaded, the Replace Backup Key button can be clicked if desired,

allowing you to use an alternate backup key.

lClick Next. The Select File window will open. Click Browse, browse to the USBBackup HSM, and

enter a file name. Once done, click Open.

lClick Next. The Transferring window will open and display a progress bar.

lClick Finish to exit the window.

5. Once the operation is completed, disconnect the USBBackup HSMfrom the computer.

USER GUIDE | USBBACKUP HSM

Page 20 of 31

Restoring Configuration Data

To restore configuration settings into the HSM from a file:

1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.

2. In Excrypt Manager, select the Maintenance tab on the left toolbar.

3. Under the Backup and Restore heading, click Restore Config to save the configuration data.

4. The Restore device from image file window will open.

lThe window will display the Checksum of the currently loaded Backup Key, or No Backup Key

loaded.

lIf a Backup Key has not yet been loaded, continue through the process of loading the key through

the key wizard or M of N fragments.

lIf a key has already been loaded, the Replace Backup Key button can be clicked if desired,

allowing you to use an alternate backup key.

lClick Next. The Select File window will open. Click Browse, browse to the USBBackup HSM,

highlight the backup file, then click Open.

lIf desired, you can also choose to Restore device specific network settings and Reboot

device after a successful restore.

lClick Next. The Transferring window will open and display a progress bar.

lClick Finish to exit the window.

5. Once the operation is completed, disconnect the USBBackup HSMfrom the computer.

Backing Up Keys

NOTE: As with the MFK, the loading of the backup key may be performed through M of N fragmentation or via

the key wizard.

NOTE: The backup key must be as strong as all entries in the key table, and can be either AES, DES, or 3DES.

NOTE: Key backups include all PKI keys, symmetric keys, RSA keys, certificates, and CRLs.

1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.

2. In Excrypt Manager, select the Maintenance tab on the left toolbar.

3. Click the Backup Keys button to back up the HSM's keys only.

lThe window will display the Checksum of the currently loaded Backup Key, or No Backup Key

loaded.

lIf a Backup Key has not yet been loaded, continue through the process of loading the key through

the key wizard or M of N fragments.

lIf a key has already been loaded, the Replace Backup Key button can be clicked if desired,

allowing you to use an alternate backup key.

lClick Next. The Select File window will open. Click Browse, browse to the USBBackup HSM, and

enter a file name. Once done, click Open.

lClick Next. The Transferring window will open and display a progress bar.

lClick Finish to exit the window.

4. Once the operation is completed, disconnect the USBBackup HSMfrom the computer.

Table of contents

Popular Firewall manuals by other brands

Authonet

Authonet Firewall F-10 PRODUCT OVERVIEW & OPERATION MANUAL

NETGEAR

NETGEAR FWG114Pv1 - Wireless Firewall With USB Print... Specifications

Draytek

Draytek VIGOR2950 user guide

Fortinet

Fortinet FortiBridge FortiBridge-1000 quick start guide

SonicWALL

SonicWALL NSA 2600 Upgrade guide

Cisco

Cisco amp threat grid Setup and configuration guide

NETGEAR

NETGEAR ProSafe FVX538 installation guide

Cisco

Cisco LightStream 1010 Installation, Maintenance, and Upgrade

Trustwave

Trustwave M86 user guide

Fortinet

Fortinet FortiGate 1000F Series quick start guide

IBASE Technology

IBASE Technology FWA8208 Series user manual

ZyXEL Communications

ZyXEL Communications ADSL 2+ Security Gateway user guide

Stonesoft

Stonesoft StoneGate FW-5105 installation guide

HP F5000-C Compliance and Safety Manual

ZyXEL Communications

ZyXEL Communications ZYWALL 2 WG brochure

NETGEAR

NETGEAR FVS124G - ProSafe VPN Firewall 25 Specifications

Sophos

Sophos SG 310 quick start guide

Silicon Graphics

Silicon Graphics Gauntlet Administrator's guide

Futurex USB Backup HSM User manual

Popular Firewall manuals by other brands