Under certain circumstances, you may need to refresh autostart for databases with HSM security.

If your database has HSM authentication enabled for TDE, database startup fails if HSM was enabled while the database was configured for user or admin autostart and the HSM administrator changed the PIN for the token.

In this situation, PROUTIL returns an error after you enter the wrong PIN: 

$ proutil sports2020 -C epolicy manage autostart refreshhsm -Passphrase -Pin

Enter the key store passphrase for database db1 :                               

Enter the HSM pin for database db1 :
Key Store Admin Privileges are required for this operation, 2, EPolicy. (15746)
EPolicy: Encryption policy management failed -1

Use the REFRESHHSM utility to refresh the token and repair autostart. For example: 


proutil sports2020 -C epolicy manage autostart RefreshHSM -Passphrase -Pin

Enter the key store passphrase for database db1 :                               

Enter the HSM pin for database db1 :
Epolicy Manage Autostart RefreshHSM completed successfully. (20155)

If the REFRESHHSM utility requires a passphrase and PIN, and you fail to supply them, the utility returns errors like these:

$ proutil db1 -C epolicy manage autostart refreshhsm
This command requires an available PIN to update the HSM autostart configuration. (20365)
Epolicy Manage Autostart RefreshHSM failed. (20154)
EPolicy: Encryption policy management failed -21827

Similarly, if you enter the user passphrase when the admin passphrase is needed, errors like the following display:

$ proutil db1 -C epolicy manage autostart refreshhsm -Passphrase -Pin

Enter the key store passphrase for database db1 :                               

Enter the HSM pin for database db1 :
Key Store Admin Privileges are required for this operation, 2, EPolicy. (15746)
EPolicy: Encryption policy management failed -1