Futurex USB Backup HSM User manual

USB BACKUP HSM
User Guide
Applicable Devices:
Vectera Plus
Guardian Series 3
KMES Series 3
RKMS Series 3
THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION PROPRIETARY TO FUTUREX, LP. ANY UNAUTHORIZED USE, DISCLOSURE,
OR DUPLICATION OF THIS DOCUMENT OR ANY OF ITS CONTENTS IS EXPRESSLY PROHIBITED.

USER GUIDE | USB BACKUP HSM
TABLE OF CONTENTS
[1] DOCUMENT INFORMATION
[1.1] DOCUMENT OVERVIEW
[1.2] APPLICATION DESCRIPTION
[1.3] COPYRIGHT AND TRADEMARK NOTICES
[1.4] TERMS OF USE
[2] HARDWARE SPECIFICATIONS
[3] INITIAL SETUP AND USE
[3.1] ADMIN PIN AND ADMIN MODE
[3.2] LOCKING THE DEVICE
[3.3] UNLOCKING THE DEVICE
[3.4] SETTING A MINIMUM PIN LENGTH
[3.5] FORMATTING THE USB BACKUP HSM
[4] USER PIN SETUP AND MANAGEMENT
[4.1] ADMIN-GENERATED USER PIN
[4.2] CREATING FORCED ENROLLMENT STATE ALLOWING USER TO GENERATE USER PIN
[4.3] CHANGING THE USER PIN
[4.4] DELETING THE USER PIN
[5] SECURITY SETTINGS
[5.1] SELF-DESTRUCT PIN
[5.2] BRUTE-FORCE PROTECTION
[5.3] UNATTENDED AUTO-LOCK
[6] SPECIAL MODES
[6.1] ONE-TIME-USE RECOVERY PINS
[6.2] SETTING READ-ONLY OR READ/WRITE MODES
[6.3] LOCK OVERRIDE MODE
[6.4] DIAGNOSTIC MODE
[7] DEVICE RESET
[8] USING WITH AN HSM
[8.1] BACKING UP AND RESTORING DATA
[9] USING WITH A KMES, RKMS, OR GUARDIAN
[9.1] MANUAL BACKUP
[9.3] SAVING EXPORTED LOGS
APPENDIX A: LED STATES
APPENDIX B: PROGRAMMING KEY COMBINATIONS
APPENDIX C: TROUBLESHOOTING FAQ
APPENDIX D: XCEPTIONAL SUPPORT

[1] DOCUMENT INFORMATION
[1.1] DOCUMENT OVERVIEW
The purpose of this document is to provide information regarding the configuration of Futurex USB Backup
HSM devices, including PIN setup, applying security settings, and using with Futurex devices.
[1.2] APPLICATION DESCRIPTION
The USB Backup HSM allows users to safely back up their device data via PIN protection and AES 256
encryption. Users can unlock the device by entering their PIN into the device's keypad before plugging it into a
USB port and performing data operations. Once complete, the device is automatically locked when the user
withdraws the device from the USB port. Data cannot be retrieved or parsed without PIN entry, offering an
additional layer of protection for sensitive backup or key information.
[1.3] COPYRIGHT AND TRADEMARK NOTICES
Neither the whole nor any part of the information contained in this document may be adapted or reproduced
in any material or electronic form without the prior written consent of the copyright holder.
Information in this document is subject to change without notice.
Futurex makes no warranty of any kind with regard to this information, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose. Futurex shall not be liable for
errors contained herein or for incidental or consequential damages concerned with the furnishing,
performance, or use of this material.
[1.4] TERMS OF USE
This integration guide, as well as the software and/or products described in it, are furnished under agreement
with Futurex and may be used only in accordance with the terms of such agreement. Except as permitted by
such agreement, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, electronic, mechanical, recording, or otherwise, without prior written permission
of Futurex.

[2] HARDWARE SPECIFICATIONS
• Data transfer rate: Up to 190MB/s read & 80MB/s write
• Power Supply: USB port or internal battery
• Interface: Super Speed USB 3.1 (Backwards compatible with USB 3.0, 2.0 and 1.1)
• Dimensions: 81mm x 18.4mm x 9.5mm, 22 g
• Approvals: FIPS 140-2 Level 3, IP-67, FCC, CE, VCCI, WEE, C-TICK
• ECCN / HTS / Cage Code: 5A992.c / 8473.50.3000 / 3VYK8
• System Requirements: Windows, Mac, Linux, Android, and Symbian systems, or any powered USB OS
with a file storage system

[3] INITIAL SETUP AND USE
Each USB Backup HSM is shipped without a preset Personal Identification Number (PIN). To prepare the USB
Backup HSM for use, the user must first create a 7- to 16-digit Admin PIN. The Admin PIN is used to set the
HSM’s various Admin features, and serves as the first of two User PINs for the HSM’s standard operation.
NOTE: PINs cannot contain all consecutive numbers or all the same numbers (e.g. 123456789, 987654321 or
11111111, 22222222, etc.).
[3.1] ADMIN PIN AND ADMIN MODE
To set up any of the device’s Admin functions, the Admin Mode must first be entered. Once in the Admin
mode, each of the device’s functions can be addressed with the appropriate button commands. While in the
Admin Mode, the data on the device will not be accessible.
Prior to your first use of the USB Backup HSM, you must first set an Admin PIN. Immediately after setting up
your Admin PIN, you may then continue setting up other functions. If you do nothing for a period of 30
seconds, the device will revert to its standby state.
Setting up the Admin PIN
1. Press to start the device. The blue and green LEDs will turn on, indicating no Admin PIN has been
established.
2. Press and 9 simultaneously. The blue LED will illuminate, and the green LED will blink.
3. Enter the PIN desired for the Admin code and press . If the PIN is accepted, the blue LED will turn off
momentarily and the green LED will blink 3 times. The green LED will then continue to blink as the blue
LED illuminates.
4. Quickly re-enter the same PIN once more and press . This will lead to the blue LED turning off
momentarily and the green LED glowing for one second. Then the blue LED will illuminate, indicating
that the Admin PIN has been set and the USB Backup HSM is in Admin mode, ready to add another User
PIN or for setting up features.
5. To exit the Admin mode, press (the red LED will illuminate) or wait 30 seconds, and the USB Backup
HSM will return to sleep mode.
• If no additional users or Admin features need to be set, the USB Backup HSM setup is now
complete and ready for use.
Re-entering Admin mode
1. Press and hold + 0 for five seconds until the red LED blinks. This indicates that you can enter the
Admin PIN.
2. Enter the Admin PIN and press the button.
3. Admin Mode is indicated by a solid blue LED.
4. To exit Admin Mode, either allow 30 seconds of inactivity, or press the button.

Changing the Admin PIN
Changes to the Admin PIN can only be made while the device is in Admin mode.
1. Enter the Admin mode by holding + 0 for five seconds – with the red LED blinking, enter the Admin
PIN and press the button. The blue LED will glow solidly.
2. Press + 9 together. The blue LED will glow solidly and the green LED will blink.
3. Enter the new Admin PIN and press the button. The green LED will blink three times.
4. Re-enter the new Admin PIN and press the button. The green LED will glow solidly for a second or
two and then return to the Admin mode, indicated by the blue LED glowing solidly.
[3.2] LOCKING THE DEVICE
To lock the USB Backup HSM, press the button. When locked, the red LED will illuminate.
If data is still being written to the device, it must be completed before the locking operation takes place. The
button can also be used to exit out of the Admin mode.
NOTE: The USB Backup HSM will not be recognized by any operating system in its locked state.
[3.3] UNLOCKING THE DEVICE
1. Press the button to wake the device from sleep mode. The red LED will illuminate.
2. Enter either an Admin PIN or User PIN and press the button.
• If the PIN is accepted, the green LED will quickly blink four times, then continue to blink slowly
until it is plugged into a USB port. After being plugged in, the green LED will illuminate.
• If the PIN is incorrect, the red LED will blink three times and then be illuminated.
3. Upon correct PIN entry, the device will be unlocked and ready for use. If it is not plugged into a USB port
within 30 seconds, the USB Backup HSM will return to sleep mode and automatically lock itself.
[3.4] SETTING A MINIMUM PIN LENGTH
The USB Backup HSM’s minimum PIN length is 7 by default. However, for greater security, a longer minimum
PIN setting of up to 16 characters can be implemented.
1. Enter the Admin mode. (Hold + 0 for five seconds – with red LED blinking, enter the Admin PIN and
press the button.) The blue LED will glow solidly.
2. Press the + 4 buttons simultaneously. The red LED will blink twice.
3. Enter the new minimum PIN length in two characters. For example, 08 = 8 characters, 11 = 11
characters, etc.
4. If accepted, the green LED will blink three times and the Secure Key will return to the Admin mode,
indicated by the blue LED glowing solidly. If the numeric entry is below 07 or greater than 16, the red
LED will blink three times indicating entry error, and the command will not be accepted.
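The PIN rules from sections [3] and [3.4] can be checked before a PIN is ever keyed into a device, for example when an administrator prepares PINs for several units. The following is an added example, not Futurex firmware or tooling; the function names are hypothetical, and treating 9 followed by 0 as "consecutive" is an assumption, since the guide does not say how the device handles wrap-around.

```python
"""Pre-provisioning check of candidate PINs against the rules stated in this guide."""

MIN_ALLOWED, MAX_ALLOWED = 7, 16  # PIN length bounds from sections [3] and [3.4]


def parse_min_length_entry(entry: str) -> int:
    """Interpret the two-character keypad entry from section [3.4] ("08" -> 8)."""
    if len(entry) != 2 or not (entry.isascii() and entry.isdigit()):
        raise ValueError("minimum length is entered as exactly two digits")
    value = int(entry)
    if not MIN_ALLOWED <= value <= MAX_ALLOWED:
        raise ValueError("entries below 07 or above 16 are rejected")
    return value


def _is_run(digits, step, wrap):
    """True when every digit follows the previous one by `step` (+1 or -1)."""
    pairs = list(zip(digits, digits[1:]))
    if wrap:
        # Assumption: 9 -> 0 counts as ascending and 0 -> 9 as descending.
        return all((b - a) % 10 == step % 10 for a, b in pairs)
    return all(b - a == step for a, b in pairs)


def check_pin(pin: str, min_length: int = MIN_ALLOWED, wrap: bool = True) -> list:
    """Return a list of rule violations; an empty list means the PIN passes."""
    if not MIN_ALLOWED <= min_length <= MAX_ALLOWED:
        raise ValueError("configured minimum must be between 7 and 16")
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must consist of keypad digits 0-9 only"]

    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than the configured minimum of {min_length}")
    if len(pin) > MAX_ALLOWED:
        problems.append(f"longer than the maximum of {MAX_ALLOWED}")

    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        problems.append("all digits are the same")
    elif _is_run(digits, +1, wrap) or _is_run(digits, -1, wrap):
        problems.append("digits are all consecutive")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs; the first three are the guide's own examples.
    for candidate in ["123456789", "987654321", "11111111", "7890123", "4829157"]:
        print(candidate, check_pin(candidate) or "ok")
```

With `wrap=True` the check is stricter than the rule as written in the guide, so a PIN it accepts also satisfies the documented rule.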

[3.5] FORMATTING THE USB BACKUP HSM
Windows 10
1. Wake the device by pressing .
2. Unlock the device by entering the Admin PIN, followed by . If the PIN is correct, the green LED should
blink three times, then will illuminate.
3. Insert the device into a USB port.
4. A window should open, revealing the device's contents. Right click on the device in the window's left-
hand navigation section, and choose Format.
5. Specify settings in the Format window. By default, the file system should be FAT32.
6. In the Volume label field, fill in a name for the device.
7. Click Start, then confirm through the warning message that appears. The drive will be formatted and
can now be used.
Mac OS X
The USB Backup HSM comes preformatted in FAT32 for complete cross-platform compatibility, and is ready
for use. For a strictly Mac OS environment, the user must first reformat the device to Mac OS Extended
(Journaled).
Once the device is unlocked and inserted into a USB port, open the Mac Disk Utility from
Applications/Utilities/Disk Utilities and do the following:
1. Select the USB Backup HSM from the list of drives and volumes.
2. Click the Erase tab.
3. Enter a name for the device. The name will eventually appear on the desktop.
4. Select a volume format to use. The Volume Format dropdown menu lists the available drive formats
that the Mac supports. The recommended format type is Mac OS Extended (Journaled).
5. Click the Erase button. Disk Utility will unmount the volume from the desktop, erase it, and then
remount it on the desktop.

[4] USER PIN SETUP AND MANAGEMENT
There are two ways to establish a User PIN: Admin-generated while in Admin Mode, or user-generated while
the device is placed in User Forced Enrollment State.
[4.1] ADMIN-GENERATED USER PIN
1. Enter the Admin Mode by pressing and holding and 0 for five seconds; the red LED will blink. Enter
the Admin PIN and press ; the blue LED will illuminate.
2. Press and hold and 1 until the blue LED is illuminated and the green LED starts blinking.
3. Enter the PIN desired as the user code and press . The blue LED will turn off and the green LED will
blink 3 times, then the green LED will continue blinking and the blue LED will be illuminated.
4. Quickly re-enter that same PIN once more and press .
If the PIN was successfully added, the blue LED will turn off and the green LED will illuminate for one to two
seconds and then will turn off, followed by the blue LED illuminating, indicating that the device has returned to
Admin Mode. If the PIN is unacceptable, the red LED will flash three times, followed by solid blue / blinking
green LEDs.
[4.2] CREATING FORCED ENROLLMENT STATE ALLOWING USER TO GENERATE USER PIN
NOTE: This can only be done if there isn’t already a User PIN established on the HSM using the method above.
1. Enter the Admin Mode by holding and 0 for five seconds, causing the red LED to blink. Enter the
Admin PIN and press . The blue LED will illuminate.
2. Press 0 and 1 and the green LED will blink three times, followed by the blue LED illuminating.
3. Press the button to return the USB Backup HSM to its locked state. The device is now in User Forced
Enrollment State, allowing a user to establish their own User PIN.
User-Generated User PIN in Forced Enrollment State
1. Press and ensure that the blue and the green LEDs are illuminated.
2. Press and 1 and ensure that the blue LED is illuminated while the green LED blinks. Enter the new
User PIN and press . The green LED will blink three times, then continue blinking as the blue LED
illuminates.
3. Within 30 seconds, enter that same User PIN once more, and press again. The green LED will
illuminate for a few seconds, then the drive will return to its locked state, indicated by the red LED
illuminating. The device can now be accessed using either the User PIN or the Admin PIN.
[4.3] CHANGING THE USER PIN
The User PIN can be changed within the User mode.
NOTE: The Admin PIN cannot be changed while in the User mode. The Admin PIN can only be changed from
within the Admin mode.

You can change the User PIN by doing the following:
1. Unlock the USB Backup HSM with the User PIN. The green LED will blink.
2. Press the + 1 buttons together for five seconds. The red LED will blink.
3. Enter the current User PIN and press the button. The blue LED will glow solidly and the green LED
will blink.
4. Enter the new User PIN and press the button. The green LED will blink three times, followed by the
blue LED glowing solidly and the green LED blinking.
5. Re-enter the new User PIN and press the button. The green LED will glow solidly for a second or two,
then will return to the User mode, indicated by the green LED blinking.
[4.4] DELETING THE USER PIN
Delete the User PIN by doing the following:
1. Enter the Admin mode by holding + 0 for five seconds. With the red LED blinking, enter the Admin
PIN and press the button; the blue LED will now glow solidly.
2. Press the 7 + 8 buttons together for five seconds. The green LED will blink three times and then will be
followed by the red and blue LEDs blinking alternately.
3. Press the 7 + 8 buttons together again for five seconds. The green LED will glow solidly for a second or
two.
4. The key will return to Admin mode indicated by the blue LED glowing solidly.
NOTE: Deleting the User PIN will also delete the Self-Destruct PIN (see section [5.1]) as well as all recovery
PINs (if any have been set).

[5] SECURITY SETTINGS
[5.1] SELF-DESTRUCT PIN
The USB Backup HSM’s Self-Destruct PIN defends against physically compromising situations by erasing the
device’s contents and leaving it to look as if it never had any data written to it.
USE WITH CAUTION! When this mode is activated and the device is unlocked with the Self-Destruct PIN, it will
effectively perform a crypto-erase on the device, deleting all of its data. Additionally, the encryption device
will be deleted and a new encryption device will be created to take its place. When this Self-Destruct PIN is
entered, the device will unlock and the green LED will glow solidly as if the device is being normally unlocked.
The device, however, will need to be partitioned and reformatted before it can be used again. Additionally,
the previous Admin and User codes will be deleted in the crypto-erase process and the Self-Destruct PIN will
then become the new Admin PIN to unlock the device.
The Self-Destruct feature can only be enabled or disabled by the Admin. However, the Self-Destruct PIN can be
generated by either the Admin or the User. If the Admin generates the Self-Destruct PIN, only the Admin can
change that PIN. If the User generates the Self-Destruct PIN, both the User and the Admin can change the PIN.
NOTE: The Self-Destruct PIN must be different from the Admin PIN, User PIN, and Recovery PINs.
1. By default, the Self-Destruct feature is disabled. To allow the USB Backup HSM to be set with a Self-Destruct
PIN, enter the Admin mode. (Hold + 0 for five seconds; while the red LED is blinking, enter
the Admin PIN and press the button.) The blue LED will glow solidly.
2. Press the 7 and 4 buttons simultaneously. The green LED will blink three times, and at this point, the Self
Destruct PIN can now be set by the Admin while the device is in the Admin mode. If the intent is for the
Self-Destruct PIN to be set up at another time by the User, press the button and refer to the User
Setting Self Destruct PIN instructions below. Otherwise, continue to step 3.
3. Press + 3 until the red and blue LEDs blink alternately.
4. Enter the Self-Destruct PIN and press . The green LED will blink three times and then will return to
red and blue LEDs blinking alternately.
5. Re-enter the Self-Destruct PIN and press . The green LED will glow solidly for a few seconds and then
will return to either the Admin mode (indicated by the blue LED glowing solidly) or the unlocked state if
created by User.
6. To enable or disable the Self-Destruct PIN, enter the Admin mode and press the 7 + 4 buttons
simultaneously for a second or two; successful enablement will be indicated by three green LED blinks.
Successful disablement of Self-Destruct mode (press and hold the 7 + 4 buttons again) is indicated by
three red LED blinks.
Self-Destruct PIN Set by the User
If the device is enabled for Self-Destruct Mode by the Admin, unlock the device with the User PIN and follow
steps 3 through 5. Additionally, the user can change their Self-Destruct PIN by following these same steps.
Note that the mode can’t be enabled or disabled in the User mode.

[5.2] BRUTE-FORCE PROTECTION
A Brute-Force Attack is a means of breaching a cryptographic data defense scheme by systematically running
an astronomical number of decryption possibilities. With AES 256 having never been cracked, the data stored
on a USB Backup HSM is going to be more than well-protected against brute-force. But brute-force attacks
aren’t necessarily aimed at the bulk of the data itself, but rather, at the drive’s access PINs. After all, PINs are
usually the weakest links of any data protection plan, and as such, PINs are essentially all that a brute-force
attack needs to decrypt.
The default number of maximum incorrect PIN entries allowed is 20, but can be programmed to be as few as
four.
1. After three unsuccessful drive authentication attempts, the USB Backup HSM will automatically add
additional time delays to each subsequent try thereafter. The red LED will blink the number of failed
attempts after three, all the way up to the halfway point of total allowed attempts, e.g. 10 total
programmed attempts; halfway point is 5.
2. Once that halfway point of the number of unsuccessful authentication attempts is reached, the keypad
will lock up and the red LED will blink at a rate of three flashes per second. No additional PIN attempts
will be recognized.
3. To unlock the keypad and regain the ability to enter a PIN, press and hold the 5 button and the button
together until the red and green LEDs blink alternately.
4. Enter the code “LastTry” (5278879) and press the button. The red LED will glow steadily. You will now
have the remaining 50% of PIN attempts.
5. When the device is successfully unlocked, the Brute-Force counter will return to zero.
The number of attempts possible, both before and after the LastTry (5278879) code is entered, can be set (in
Admin Mode) between 2 and 10 attempts.
Setting the before/after attempts to the minimum of two would allow for a total of four attempts (two before
entering the LastTry code and two after). To program the number of Brute-Force attempts allowed:
1. Enter the Admin mode. (Hold + 0 for five seconds; with the red LED blinking, enter the Admin PIN
and press the button.) The blue LED will glow solidly.
2. Press and hold the + 5 button for three seconds. The red LED will double-blink.
3. Press the number of before/after attempts desired on the numeric keypad (2-9). The green LED will
blink the same number of times to correspond to the number you have entered.
lFor example: the 8 button will result in eight blinks, and yield eight attempts before the LastTry
code and another eight attempts after, yielding a total of 16.
4. To return the device to its default setting, press the 1 key, followed by the 0 key, to change the number
back to ten attempts.
NOTE: The number of before and after attempts are the same, i.e., 4 before / 4 after, 8 before / 8 after, etc.
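The attempt counter described in this section can be modelled as a small state machine, which makes it easy to see how a chosen before/after setting translates into a total guess budget. This is an added example, not Futurex firmware; the class and function names are hypothetical, delay durations are not modelled because the guide does not give them, and what the device does once every attempt is used is not described in this section, so the model only marks that state.

```python
from dataclasses import dataclass
from enum import Enum

LAST_TRY_CODE = "5278879"  # "LastTry" on the keypad, as given in the guide


class Keypad(Enum):
    ACCEPTING = "accepting PIN entries"
    LOCKED_HALFWAY = "locked at the halfway point"
    EXHAUSTED = "all allowed attempts used"


@dataclass
class BruteForceCounter:
    """Model of the documented counter: N attempts, LastTry code, N more attempts."""
    per_phase: int = 10            # default 10 before + 10 after = 20 in total
    failures: int = 0
    last_try_used: bool = False
    state: Keypad = Keypad.ACCEPTING

    def __post_init__(self):
        if not 2 <= self.per_phase <= 10:
            raise ValueError("the guide allows 2 to 10 attempts per phase")

    @property
    def total_allowed(self) -> int:
        return 2 * self.per_phase

    def attempt(self, pin: str, valid_pins: set) -> str:
        """Process one PIN entry and return what the model does with it."""
        if self.state is not Keypad.ACCEPTING:
            return "ignored"                 # a locked keypad recognizes no PIN entries
        if pin in valid_pins:
            # A successful unlock returns the counter to zero (full budget again).
            self.failures, self.last_try_used = 0, False
            return "unlocked"
        delayed = self.failures >= 3         # delays start after three failures
        self.failures += 1
        if self.failures >= self.total_allowed:
            self.state = Keypad.EXHAUSTED
            return "exhausted"
        if self.failures == self.per_phase and not self.last_try_used:
            self.state = Keypad.LOCKED_HALFWAY
            return "keypad_locked"
        return "rejected_delayed" if delayed else "rejected"

    def enter_last_try(self, code: str) -> bool:
        """Unlock the keypad for the second half of the attempts."""
        if self.state is Keypad.LOCKED_HALFWAY and code == LAST_TRY_CODE:
            self.state, self.last_try_used = Keypad.ACCEPTING, True
            return True
        return False


def guess_success_estimate(per_phase: int, pin_length: int) -> float:
    """Approximate chance that distinct random guesses hit one uniformly chosen
    PIN within the attempt budget (ignores the few disallowed PIN patterns)."""
    return min(1.0, (2 * per_phase) / 10 ** pin_length)


if __name__ == "__main__":
    counter = BruteForceCounter(per_phase=4)
    valid = {"4829157"}                      # constructed sample PIN
    for guess in ["0000001", "0000002", "0000003", "0000004", "4829157"]:
        print(guess, counter.attempt(guess, valid))
    print("LastTry accepted:", counter.enter_last_try(LAST_TRY_CODE))
    print("correct PIN:", counter.attempt("4829157", valid))
    print("default setting, 7-digit PIN:", guess_success_estimate(10, 7))
```

Note that in the model a correct PIN entered while the keypad is locked at the halfway point is ignored until the LastTry code has been entered, matching step 2 of the procedure above.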
[5.3] UNATTENDED AUTO-LOCK
To protect against unauthorized access if the device is unlocked and unattended, the USB Backup HSM can be
set to automatically lock after a predetermined period of inactivity.

In its default state, the USB Backup HSM’s Unattended Auto-Lock feature is turned off. However, the
Unattended Auto-Lock can be set to activate after 5, 10, or 20 minutes of inactivity.
To set the Unattended Auto-Lock, perform the following steps:
1. Enter the Admin mode by holding + 0 for five seconds. With the red LED blinking, enter the Admin
PIN and press the button. The blue LED will glow solidly.
2. Once in the Admin mode, press + 6. The red and blue LEDs will blink alternately.
3. Press one of the numbers below that corresponds to the amount of inactivity you would like the device
to lock itself:
• 0 = OFF (default)
• 1 = 5 minutes
• 2 = 10 minutes
• 3 = 20 minutes
4. After you have entered the desired amount of allowable inactivity, the green LED will blink three times
indicating command acceptance, and then will return to the Admin mode, indicated by the blue LED
glowing solidly.

[6] SPECIAL MODES
[6.1] ONE-TIME-USE RECOVERY PINS
The Admin has the ability to set Recovery PINs that will allow a User to access data on the USB Backup HSM in
the event of a forgotten PIN by creating a new state of User Forced Enrollment in which a new User PIN can be
established without wiping any data off of the drive. The Admin can establish up to four single-use Recovery
PINs; once a Recovery PIN has been used to access the USB Backup HSM, it will no longer be available for
future recovery efforts.
NOTE: The Recovery PIN will not unlock the device, but will place the USB Backup HSM into a User Forced
Enrollment state, where the User can then establish a new User PIN which will then grant access to the Key’s
data.
Setting Recovery PINs
1. Enter the Admin mode. (Hold + 0 for five seconds. With the red LED blinking, enter the Admin PIN
and press the button.) The blue LED will now glow solidly.
2. Press the + 8 buttons together. The green LED will blink three times by itself, and then will be joined
by a solid blue LED.
3. Enter the Recovery PIN and press the button. If the PIN is accepted, the green LED will blink three
times.
4. Repeat by entering that same Recovery PIN and pressing the button again. If PIN is accepted for the
final time, the green LED will blink three times and the USB Backup HSM will then return to the Admin
mode indicated by a solid blue LED.
5. To add more Recovery PINs, repeat steps 2-4. When finished, press the button to return device to its
standby mode.
Using a Recovery PIN
Deploying a Recovery PIN will put the USB Backup HSM into a state of User Forced Enrollment and that
recovery PIN will no longer be useable. Additionally, once in a state of User Forced Enrollment, the previous
User PIN will no longer be recognized as a valid PIN for drive authentication and a new User PIN must be
created.
1. With the USB Backup HSM in Standby mode, press and hold the + 7 buttons together for five seconds
and release once the red LED starts blinking.
2. Enter a recovery PIN (from Admin) and press the button. The green LED will blink three times by
itself, and then will be joined by a solid blue LED indicating the device is in User Forced Enrollment
mode.
3. Enter a new User PIN and press the button. The green LED will blink three times if accepted.
4. Re-enter that same new User PIN and press the button again to verify it. If accepted, the green LED
will blink three times and then the USB Backup HSM will return to its Standby state, indicated by the red
LED glowing steadily. The USB Backup HSM will now be accessible using this new User PIN.

[6.2] SETTING READ-ONLY OR READ/WRITE MODES
With a large number of viruses and Trojans that attach themselves to USB devices, the Read-Only feature is
especially useful if you need to access data on the device when used in a public setting. Additionally, Read-
Only is an important feature for forensic applications, where data must be preserved in its original, unaltered
state and can’t be overwritten or modified.
Admin Mode
The Admin can set the device to a Read-Only mode for both the Admin and the User. When set by the Admin,
the Admin is the only one that can change the device back to Read / Write mode.
When the device is unlocked in Read-Only mode and inserted into a USB port, the green LED will glow solidly
and the red LED will blink once every three seconds.
To set the USB to Read-Only:
1. Enter the Admin mode. (Hold + 0 for five seconds – with red LED blinking, enter the Admin PIN and
press the button.) The blue LED will glow solidly.
2. Press and hold the R + O (7 + 6) buttons together until the green LED blinks three times.
3. The device will return to Admin mode indicated by the blue LED glowing solidly.
4. Until changed, the device can only be read.
To return the USB to Read / Write:
1. Enter the Admin mode. (Hold + 0 for five seconds – with the red LED blinking, enter the Admin PIN
and press the button.) The blue LED will glow solidly.
2. Press and hold the R + W (7 + 9) buttons together until the green LED blinks three times.
3. The device will return to Admin mode, indicated by the blue LED glowing solidly and the device will be
restored to its normal Read / Write condition.
NOTE: Setting the device to Read/Write from the Admin mode will globally override a Read-Only mode that
has been set by the User.
User Mode
NOTE: When changing Read-Only or Read / Write settings, do not make these changes with the device
attached to an operating system. This may cause confusion within the operating system about the proper
status of the device, and the device may not function properly until the operating system has been restarted.
This mode will allow the User to set the Read / Write status of the device, without having access to the Admin
functions.
When the device is unlocked in Read-Only mode and inserted into a USB port, the red LED will blink once
every three seconds while the green LED will glow solidly.
If the device is set to be Read-Only in the Admin mode, the User cannot override that setting. Only the Admin
can return the device to Read / Write Mode.
To set the device to Read-Only:
1. Press the button to wake the device. The red LED will glow solidly.
2. Press the R + O (7 + 6) buttons together for three seconds. The green LED will blink three times.
3. Enter the User / Admin PIN and press . The green LED will blink rapidly whenever the HSM is
connected to USB port.
4. The HSM will be in a Read-Only state the next time it is unlocked.
To Return the HSM to Read / Write:
1. Press the button to wake the device. The red LED will glow solidly.
2. Press the R + W (7 + 9) buttons together for three seconds. The green LED will blink three times.
3. Enter the User / Admin PIN and press . The green LED will glow solidly whenever the USB Backup
HSM is connected to a USB port.
4. The device will return to unlocked mode and can now be written to, indicated by the blinking green LED.
NOTE: Setting the device to Read / Write from the User mode will not override a Read-Only setting that was
placed by the Admin. To set the device to Read-Only mode for both the User and the Admin, set the Read-Only
Mode using the Admin function.
[6.3] LOCK OVERRIDE MODE
Certain users may encounter a case where they need the device to remain unlocked during a reboot, passing
the device through a virtual machine or other similar situation which, under normal circumstances, would
cause the device to lock.
To help facilitate this type of usage, Lock-Override Mode will allow the device to remain unlocked through
USB port re-enumeration, and will not lock again until USB power is interrupted.
NOTE: When in this mode, the device is vulnerable to being moved from one computer and connected to
another computer, provided USB power is uninterrupted. Due to this vulnerability, we strongly recommend
that this mode be used only in circumstances where the device can be physically secured (as in a locked server
room) or in a place where it can be visually monitored while in this mode. Use of a powered hub or a Y-cable
increases this security risk.
Always return the device to the default Lock-Override Mode OFF when returning to normal service.
To set the “Lock-Override” to On:
1. Enter the Admin Mode (Press and hold + 0 for five seconds until the red LED blinks, then enter the
Admin code and press the button.) The blue LED will glow solidly.
2. Press the 7 + 1 together until the green LED blinks three times, followed by the blue LED glowing solidly.
3. When the device is unlocked and attached to a USB port in “Lock-Override Mode”, the blue LED will
blink once every three seconds to alert you that the “Lock-Override” mode is active.
NOTE: If “Unattended Auto-Lock” mode has been turned on, “Lock-Override” will not override it; the device
will lock itself upon reaching the selected amount of inactivity. If you need the device to stay unlocked, enter
the Unattended Auto-Lock Feature and set the lock timer to “0” (0 = OFF).
To turn Lock-Override Mode off and return to normal operation:

1. Enter the Admin Mode.
2. Press the 7 + 0 together until the green LED blinks three times, followed by the blue LED glowing solidly.
3. To verify, unlock the device in User mode and check that the blue LED is no longer blinking.
[6.4] DIAGNOSTIC MODE
The keypad has a manual diagnostic mode built-in to verify proper keypad function and troubleshooting device
issues.
This mode will not allow access to any data or admin function. It can only be used to identify the firmware
level and to test button recognition.
To enter the diagnostic function:
1. Press , then press + 1, release, then press and continue to hold the 0 button as the red and blue
LEDs blink alternately. Once all three LEDs illuminate solidly, release the 0 button.
2. The blue LED will blink a number of times to represent the number of both the major and minor
revisions. The decimal point will be represented by a single red LED blink. Upon completion, the blue
LED will glow solidly. (Example: VERSION 4.1 would be indicated by four blue LED blinks, one red LED
blink, one blue LED blink, and one red LED blink, then revert to the blue LED glowing solidly.)
3. To check the keypad’s button functionality, press each button and the number of the button pressed will
be expressed by the red LED blinking. For example:
• 1 Button = 1 blink
• 2 Button = 2 blinks
• 3 Button = 3 blinks
• 0 Button = 10 blinks
• Button = 11 blinks
• Button = 12 blinks
4. To exit the Diagnostic Mode, wait for the 20 second timeout, or hold the Lock Button for about 7
seconds, to return the device to its normal operation.
Self-Diagnostics
During the initial power up, after the device has been plugged into a USB port, the device will perform self-
diagnostics on the encryption algorithm and critical hardware components. If the red LED blinks at a rate of
one blink per second for 15 seconds, returns to standby and will not unlock, unplug the device from USB port
and try again. If the red LED continues to blink in the manner mentioned above and won’t unlock upon USB re-
insertion, a critical component has failed and the device can no longer function.
If the device blinks a triple-red LED pattern that is repeated every two seconds when unlocked, a failure has
occurred that will not immediately stop the device from working nor affect the security of the device, but
should be considered as a warning that the device needs to be replaced in the near future. Additionally, Admin
features may be limited in this mode.
If either condition should appear, remove the device from the USB port and allow the device to go to sleep,
and try to unlock the device again. The event of either diagnostic failure will be very rare, but if the device
cannot recover, it must be replaced.

[7] DEVICE RESET
There may be circumstances (forgotten PIN, redeployment, return to factory default settings) when you need
to completely reset the device. The complete reset feature will perform a crypto-erase on the device,
generate a new encryption key, delete all users and formatting, and will return all of the settings to factory
default.
To perform a complete reset of the device, do the following:
1. Press and hold + + 2 together for ten seconds. The red and blue LEDs will blink alternately.
2. The green and red LEDs will glow solidly for several seconds, followed by the green LED glowing solidly
for several seconds, followed finally by the green and blue LEDs glowing solidly which indicates that the
reset is complete.
3. A new Admin PIN will need to be entered, and the device will need to be reformatted before it can be
used again.
• For setting up a new Admin PIN, see the section on "Setting up the Admin PIN" on page 5.
• For formatting the device, see the section on "Formatting the USBBackup HSM" on page 7.

[8] USING WITH AN HSM
The USBBackup HSM can be used with Vectera Plus, Excrypt SSP Enterprise V2, and Excrypt Plus HSMs, to
safely store backups of keys and configuration settings, and to allow users to restore from those backups.
[8.1] BACKING UP AND RESTORING DATA
HSM configuration data can be backed up to the USBBackup HSM, and restored using the Backup Config and
Restore Config buttons. In addition, keys can be saved or imported using the Backup Keys and Restore Keys
buttons.
Backing Up Configuration Data
1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.
2. In Excrypt Manager, select the Maintenance tab on the left toolbar.
3. Under the Backup and Restore heading, click Backup Config to save the configuration data.
4. The Backup device to file window will open.
FIGURE: BACKUP DEVICE TO FILE WINDOW
• The window will display the Checksum of the currently loaded Backup Key, or No Backup Key
loaded.
• If a Backup Key has not yet been loaded, continue through the process of loading the key through
the key wizard or M of N fragments.
• If a key has already been loaded, the Replace Backup Key button can be clicked if desired,
allowing you to use an alternate backup key.
• Click Next. The Select File window will open. Click Browse, browse to the USBBackup HSM, and
enter a file name. Once done, click Open.
• Click Next. The Transferring window will open and display a progress bar.
• Click Finish to exit the window.
5. Once the operation is completed, disconnect the USBBackup HSM from the computer.

Restoring Configuration Data
To restore configuration settings into the HSM from a file:
1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.
2. In Excrypt Manager, select the Maintenance tab on the left toolbar.
3. Under the Backup and Restore heading, click Restore Config to restore the configuration data.
4. The Restore device from image file window will open.
• The window will display the Checksum of the currently loaded Backup Key, or No Backup Key
loaded.
• If a Backup Key has not yet been loaded, continue through the process of loading the key through
the key wizard or M of N fragments.
• If a key has already been loaded, the Replace Backup Key button can be clicked if desired,
allowing you to use an alternate backup key.
• Click Next. The Select File window will open. Click Browse, browse to the USBBackup HSM,
highlight the backup file, then click Open.
• If desired, you can also choose to Restore device specific network settings and Reboot
device after a successful restore.
• Click Next. The Transferring window will open and display a progress bar.
• Click Finish to exit the window.
5. Once the operation is completed, disconnect the USBBackup HSM from the computer.
Backing Up Keys
NOTE: As with the MFK, the loading of the backup key may be performed through M of N fragmentation or via
the key wizard.
NOTE: The backup key must be as strong as all entries in the key table, and can be either AES, DES, or 3DES.
NOTE: Key backups include all PKI keys, symmetric keys, RSA keys, certificates, and CRLs.
1. Unlock the USBBackup HSM, and connect it to a computer running Excrypt Manager.
2. In Excrypt Manager, select the Maintenance tab on the left toolbar.
3. Click the Backup Keys button to back up the HSM's keys only.
• The window will display the Checksum of the currently loaded Backup Key, or No Backup Key
loaded.
• If a Backup Key has not yet been loaded, continue through the process of loading the key through
the key wizard or M of N fragments.
• If a key has already been loaded, the Replace Backup Key button can be clicked if desired,
allowing you to use an alternate backup key.
• Click Next. The Select File window will open. Click Browse, browse to the USBBackup HSM, and
enter a file name. Once done, click Open.
• Click Next. The Transferring window will open and display a progress bar.
• Click Finish to exit the window.
4. Once the operation is completed, disconnect the USBBackup HSM from the computer.
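The strength requirement in the second NOTE above, written as a check to run before a key backup; this is an added example, not Futurex code. It assumes the comparable-strength figures from NIST SP 800-57 Part 1 (with 56 bits for single DES), applies the rule to RSA entries as well, and uses a constructed key-table inventory; how the HSM itself compares strengths is not documented on this page.

```python
import re

# Assumption: comparable security strengths in bits (NIST SP 800-57 Part 1).
# "3DES-112" is two-key and "3DES-168" three-key Triple DES (nominal key bits).
# Single DES is not in the NIST table; 56 is its effective key length.
SYMMETRIC_BITS = {("DES", 56): 56, ("3DES", 112): 80, ("3DES", 168): 112,
                  ("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256}
RSA_STEPS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]


def strength(label):
    """Return the security strength in bits for a label such as 'AES-256'."""
    m = re.fullmatch(r"(AES|3DES|DES|RSA)-(\d+)", label.strip().upper())
    if not m:
        raise ValueError(f"unrecognised key label: {label!r}")
    algo, size = m.group(1), int(m.group(2))
    if algo == "RSA":
        for modulus, bits in RSA_STEPS:
            if size >= modulus:
                return bits
        return 0  # below 1024 bits: no meaningful strength
    try:
        return SYMMETRIC_BITS[(algo, size)]
    except KeyError:
        raise ValueError(f"unsupported size for {algo}: {size}") from None


def check_backup_key(backup_key, key_table):
    """Return (ok, offenders); offenders are entries stronger than the backup key."""
    if backup_key.split("-")[0].upper() == "RSA":
        raise ValueError("backup key must be AES, DES, or 3DES")
    limit = strength(backup_key)
    offenders = sorted(k for k in set(key_table) if strength(k) > limit)
    return (not offenders, offenders)


def acceptable_backup_keys(key_table):
    """List the symmetric key types strong enough for this key table."""
    needed = max(strength(k) for k in key_table)
    return [f"{a}-{s}" for (a, s), bits in SYMMETRIC_BITS.items() if bits >= needed]


# Constructed key-table inventory, not taken from a real HSM.
KEY_TABLE = ["3DES-112", "3DES-168", "AES-128", "RSA-2048", "AES-256"]

if __name__ == "__main__":
    print(check_backup_key("3DES-168", KEY_TABLE))
    print(acceptable_backup_keys(KEY_TABLE))
```

A single AES-256 entry in the key table is enough to rule out every DES and 3DES backup key under these figures.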