Primus HSM - Key Invalidation
Key Invalidation is a default Primus HSM feature that prevents the accidental deletion of keys through the API.
When enabled, deleting a key invalidates it instead, creating a 'shadow copy' of the deleted key. The client application cannot fully delete keys via the API; the keys are placed in a "trash bin" instead. Key Invalidation can be activated at device level (crypto policy) and per user (User security).
Invalidated keys remain on the Partition until they are deleted or reactivated. The SO or PSO in charge of the Partition must manually remove the invalidated keys or, in the case of accidental deletion, reactivate the individual key(s). Both removal and reactivation require exporting, editing and re-importing a list of the key names via the USB stick.
Reactivating a key automatically calculates and creates the corresponding public key with the same label (and the "mirrored" capabilities) if that public key no longer exists.
Because invalidated keys are still present on the Partition, creating a new key with the same label fails. Remove or reactivate invalidated keys regularly so that the Partition retains enough space for new keys.
Once invalidated keys are removed, they cannot be retrieved unless restored from a backup that contained them.
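The lifecycle described above (API deletion becomes invalidation, invalidated objects still occupy Partition space and block label reuse, SO/PSO removal or reactivation from a key-name list, and public-key regeneration on reactivation) as a small Python model. This is an added illustration, not Securosys code and not the Primus API; the capability-mirroring table, the capacity accounting and the method names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed mapping from private-key capabilities to the "mirrored" capabilities
# of the matching public key; the real Primus capability set may differ.
MIRROR = {"sign": "verify", "decrypt": "encrypt", "unwrap": "wrap"}


class KeyLabelInUse(Exception):
    """Raised when a label is taken by an active or an invalidated key."""


class PartitionFull(Exception):
    """Raised when active plus invalidated objects would exceed capacity."""


@dataclass(frozen=True)
class KeyObject:
    label: str
    kind: str                    # "private" or "public"
    capabilities: frozenset


class PartitionModel:
    """Toy model of one Partition with Key Invalidation (not the real HSM)."""

    def __init__(self, capacity: int, key_invalidation: bool = True):
        self.capacity = capacity
        self.key_invalidation = key_invalidation  # crypto-policy / per-user switch
        self.active: dict[tuple[str, str], KeyObject] = {}
        self.trash: dict[tuple[str, str], KeyObject] = {}  # shadow copies

    def used(self) -> int:
        # Invalidated objects still occupy Partition space.
        return len(self.active) + len(self.trash)

    def labels_in_use(self) -> set[str]:
        return {label for label, _ in self.active} | {label for label, _ in self.trash}

    # --- operations available to the client application via the API ---
    def api_create_keypair(self, label: str, capabilities: Iterable[str]) -> None:
        if label in self.labels_in_use():
            raise KeyLabelInUse(label)          # trash-bin entries block the label too
        if self.used() + 2 > self.capacity:
            raise PartitionFull(label)
        caps = frozenset(capabilities)
        self.active[(label, "private")] = KeyObject(label, "private", caps)
        self.active[(label, "public")] = KeyObject(
            label, "public", frozenset(MIRROR[c] for c in caps))

    def api_delete(self, label: str, kind: str) -> str:
        obj = self.active.pop((label, kind))
        if self.key_invalidation:
            self.trash[(label, kind)] = obj     # shadow copy in the trash bin
            return "invalidated"
        return "deleted"

    # --- operations reserved to the SO/PSO (the USB key-name list) ---
    def so_remove(self, names: Iterable[str]) -> int:
        removed = 0
        for label in names:
            for key in [k for k in self.trash if k[0] == label]:
                del self.trash[key]             # gone for good (backup only)
                removed += 1
        return removed

    def so_reactivate(self, names: Iterable[str]) -> list[str]:
        regenerated = []
        for label in names:
            for key in [k for k in self.trash if k[0] == label]:
                self.active[key] = self.trash.pop(key)
            priv = self.active.get((label, "private"))
            if priv is not None and (label, "public") not in self.active:
                # Public key recomputed with the same label and mirrored capabilities.
                self.active[(label, "public")] = KeyObject(
                    label, "public", frozenset(MIRROR[c] for c in priv.capabilities))
                regenerated.append(label)
        return regenerated


def demo() -> dict:
    """Constructed scenario: accidental private-key deletion and its recovery."""
    p = PartitionModel(capacity=4)
    p.api_create_keypair("signing-key", ["sign"])
    # The application drops the public key; the SO later purges it for good.
    p.api_delete("signing-key", "public")
    p.so_remove(["signing-key"])
    # Now the private key is deleted by mistake: it lands in the trash bin.
    status = p.api_delete("signing-key", "private")
    try:
        p.api_create_keypair("signing-key", ["sign"])
        collision = False
    except KeyLabelInUse:
        collision = True
    used_while_invalidated = p.used()
    regenerated = p.so_reactivate(["signing-key"])
    public_caps = sorted(p.active[("signing-key", "public")].capabilities)
    return {
        "status": status,
        "collision": collision,
        "used_while_invalidated": used_while_invalidated,
        "regenerated": regenerated,
        "public_capabilities": public_caps,
        "used_after": p.used(),
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps private and public objects under the same label, as the text describes, and counts trash-bin entries against capacity so that the "Partition fills up with invalidated keys" failure mode is visible: two key pairs on a four-object Partition leave no room for a third even after one pair has been "deleted" by the application.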