# Getting started with Snow Family devices
With an AWS Snowball Edge device, you can access the storage and compute power of the AWS Cloud locally and cost effectively in places where connecting to the internet might not be an option. You can also transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3).
**Topics**
+ [Cancelling a job to order a Snow Family device](cancel-job-order.md)
+ [Receiving the Snow Family device](receive-device-sw.md)
+ [Getting your credentials and tools](get-credentials.md)
+ [Downloading and installing the Snowball Edge client](download-the-client.md)
+ [Bind the hardware security module to the Snow device](bind-hsm.md)
+ [Unlocking the device](unlockdevice.md)
+ [Access Snow device and AWS service guides online](docs-online.md)
+ [Powering off the device](turnitoff.md)
+ [Emergency shutdown](emergency-power.md)
+ [Returning the device](return-device.md)
# Cancelling a job to order a Snow Family device
After creating a job to order a Snow Family device, you can cancel the job through the AWS Snow Family Management Console. If you cancel the job, you won't receive the device you ordered. You can only cancel the job while the job status is *Job created*. After the job progresses past this status, you cannot cancel the job.
1. Log in to the [AWS Snow Family Management Console](https://console.aws.amazon.com/snowfamily/home).
1. Choose the job to cancel.
1. Choose **Actions**. From the menu that appears, choose **Cancel job**.
![\[AWS Snow Family Management Console with job selected and Actions menu showing Cancel job.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/cancel-job-console.png)
1. The **Cancel job** window appears. To confirm cancelling the job, enter the **job name** and choose **Cancel job**. In the list of jobs, **Cancelled** appears in the **Status** column.
![\[Cancel job window.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/cancel-job-window-console.png)
# Receiving the Snow Family device
**Important**
Snow Family devices are the property of AWS. Tampering with a Snow device is a violation of the AWS Acceptable Use Policy.
**Topics**
+ [Verify your hardware](#verify-hardware)
+ [Setting up a Snowball Edge](#receive.swsbe)
+ [Connecting to your local network](#getting-started-connect)
## Verify your hardware
Verify the hardware you've received against the information in the following table. Contact Support if there is a discrepancy.
**Snowball Edge hardware**
| Item | Quantity |
| --- | --- |
| Snowball Edge | 1 |
| Power cable | 1 |
## Setting up a Snowball Edge
When you receive the Snowball Edge, you might notice that it doesn't come in a box. The device is its own physically rugged shipping container. When the device first arrives, inspect it for damage or obvious tampering. If you notice anything that looks suspicious about the device, don't connect it to your internal network. Instead, contact AWS Support and inform them of the issue so that a new device can be shipped to you.
**Important**
The Snowball Edge is the property of AWS. Tampering with an Snowball Edge is a violation of the AWS Acceptable Use Policy.
The device looks like the following image.
![\[Snowball Edge device showing front panel and top of device with E ink screen.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/SnowballEdgeAppliance.png)
## Connecting to your local network
### Connect your Snowball Edge to your local network
Using the following procedure, you connect the Snowball Edge to your local network. The device doesn't need to be connected to the internet. The device has three doors: a front, a back, and a top.
**To connect the device to your network**
1. Open the front and back doors, sliding them inside the device door slots. Doing this gives you access to the touch screen on the LCD display embedded in the front of the device, and the power and network ports in the back.
1. Open the top door and remove the provided power cable from the cable nook, and plug the device into power.
1. Choose one of your RJ45, SFP\$1, or QSFP\$1 network cables, and plug the device into your network. The network ports are on the back of the device.
1. Power on the Snowball Edge by pressing the power button above the LCD display.
1. When the device is ready, the LCD display shows a short video while the device is getting ready to start. After about 10 minutes, the device is ready to be unlocked.
1. (Optional) Change the default network settings through the LCD display by choosing **CONNECTION**.
You can change your IP address to a different static address, which you provide by using the following procedure.
**To change the IP address of an Snowball Edge**
1. On the LCD display, choose **CONNECTION**.
A screen appears that shows you the current network settings for the Snowball Edge. The IP address below the drop-down box is automatically updated to reflect the DHCP address that the Snowball Edge requested.
1. (Optional) Change the IP address to a static IP address. You can also keep it as is.
The device is now connected to your network.
**Important**
To prevent corrupting your data, don't disconnect the Snowball Edge or change its connection settings while it's in use.
# Getting your credentials and tools
Each job has a set of credentials that you must get from the AWS Snow Family Management Console or the job management API to authenticate your access to the Snow device. These credentials are an encrypted manifest file and an unlock code. The manifest file contains important information about the job and the permissions associated with it.
**Note**
You get your credentials after the device has been provisioned.
**To get your credentials using the console**
1. Sign in to the AWS Management Console, and open the [AWS Snow Family Management Console](https://console.aws.amazon.com/snowfamily/home).
1. On the console, search the table for the specific job to download the job manifest for, and then choose that job.
1. Expand that job's **Job status** pane, and choose **View job details**.
1. In the details pane that appears, expand **Credentials** and then do the following:
+ Make a note of the unlock code (including the hyphens), because you need to provide all 29 characters to transfer data.
+ In the dialog box, choose **Download manifest**, and follow the instructions to download the job manifest file to your computer. The name of your manifest file includes your **Job ID**.
**Note**
We recommend that you don't save a copy of the unlock code in the same location in the workstation as the manifest for that job.
Now that you have your credentials, the next step is to download the Snowball Edge client, which is used to unlock the device.
**Next:** [Downloading and installing the Snowball Edge client](download-the-client.md)
# Downloading and installing the Snowball Edge client
Download the Snowball Edge client for your operating system:
+ **Microsoft Windows**:
+ **Linux**:
+ **macOS**:
**Next:** [Bind the hardware security module to the Snow device](bind-hsm.md)
# Bind the hardware security module to the Snow device
Each Snow device can be bound to one hardware security module (HSM) to secure and encrypt the data on the Snow device.
To complete this procedure, you will need:
+ A Snowball Edge client
+ The IP address to assign to the HSM.
+ The path to, and file name of the certificate file on the HSM.
+ The path to, and file name of the private key file on the HSM.
**Topics**
+ [Enable certificate‐based login](#enable-cert-login)
+ [Generate a certificate and private key](#gen-cert-key)
+ [Bind a Snow device to the hardware security module](#bind-sw-device)
## Enable certificate‐based login
1. Using a Web browser, connect to the device and log in.
1. Choose **Access Management**, then choose **Users.**
1. For the user account **admin**, choose its action button then choose **Manage**.
1. Choose **CONFIGURE CERTIFICATE LOGIN**. Choose **Allow user to login using certificate**.
1. In the **Certificate Subject Distinguished Name** field, enter a common name. For example, **CN=*myCNName***.
**Note**
The common name used here will be used when generating certificate. Remember the common name.
1. Choose **Update Certificate Login**.
## Generate a certificate and private key
1. Using a Web browser, connect to the device and log in.
1. Choose **CA** then **Local**.
1. Choose **Go to existing local CA**.
1. Choose **Issue Certificate**
1. Enter the common name for this certificate. Ensure that the common name is the same as used when you [created the common name](#common-name).
1. Choose **RSA** as the algorithm and **4096** as the size.
1. In the **Name** field, make the same entry as for the **Certificate Subject Distinguished Name**.
1. Choose **Issue Certificate**.
1. Choose **Save private key** to download the **key.pem** file.
1. Choose **Issue Certificate**. The newly‐created certificate appears in the certificates list.
## Bind a Snow device to the hardware security module
Run the `snowballEdge bind-device` command.
```
snowballEdge bind-device
--device-id:unique_id_of_key_management_device /
--certificate file://certificate.pem /
--private-key file://key.pem /
--ip-address "IP address of key management device"
```
When the command is successful, it produces the following output:
```
bind-device with successful.
```
**Example of snowballEdge bind-device Command**
```
snowballEdge bind-device
--device-id:k570
--certificate file://path/to/certificate.pem
--private-key file://path/to/key.pem
--ip-address "192.158.1.38"
```
**Next:** [Unlocking the device](unlockdevice.md)
# Unlocking the device
To unlock the Snow device, run the `snowballEdge unlock-device` command. To run this command, the Snow device that you use for your job must be on-site, plugged into power and network, and turned on.
In addition, the LCD display on the front of the Snowball Edge must indicate that the device is ready for use
**To unlock the device with the Snowball Edge client**
1. Get your manifest and unlock code.
1. Download a copy of the manifest from the AWS Snow Family Management Console. Your job's manifest is encrypted so that only the job's unlock code can decrypt it. Make a note of the path to the manifest file on your local server.
1. Get the unlock code, a 29-character code that also appears when you download your manifest. We recommend that you write down the unlock code and keep it in a separate location from the manifest that you downloaded, to prevent unauthorized access to the device while it’s at your facility.
1. Find the IP address for the device on the LCD display of the Snowball Edge, under the **Connections** tab. Make a note of that IP address.
1. Run the `snowballEdge unlock-device` command to authenticate your access to the device with the endpoint of the device and your credentials, as follows.
```
snowballEdge unlock-device --endpoint https://ip address --manifest-file /Path/to/manifest/file --unlock-code
29 character unlock code
```
Following is an example of the command to unlock the Snow device.
```
snowballEdge unlock-device --endpoint https://192.0.2.0 --manifest-file /Downloads/JID2EXAMPLE-0c40-49a7-9f53-916aEXAMPLE81-manifest.bin --unlock-code 12345-abcde-12345-ABCDE-12345
```
In this example, the IP address for the device is `192.0.2.0`, the job manifest file that you downloaded is `JID2EXAMPLE-0c40-49a7-9f53-916aEXAMPLE81-manifest.bin`, and the 29-character unlock code is `12345-abcde-12345-ABCDE-12345`.
When you've entered the preceding command with the right variables for your job, you get a confirmation message. This message means that you're authorized to access the device for this job.
Now you can begin using the device.
# Access Snow device and AWS service guides online
Now that your device is set up, you can access Snow device and AWS service guides online to learn about service features. Navigate to the address below in your browser or use the QR code.
**[https://docs.jwcc.aws.amazon.com/](https://docs.jwcc.aws.amazon.com/)**
![\[QR code containing the AWS logo, likely linking to AWS documentation website.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/qrcode_sw_docs.png)
# Powering off the device
When you've finished using the device, prepare it to return to AWS.
When all communication with the device has ended, turn it off by pressing the power button located above the LCD screen. It takes about 20 seconds for the device to shut down. While the device is shutting down, the LCD screen displays a message indicating the device is shutting down.
![\[Shutdown message on LCD screen.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/shutdown-screen.png)
**Note**
If the LCD screen is displaying the shutdown message when the device is not actually being shut down, press the **Restart display** button on the screen to return the screen to normal operation.
![\[Shutdown message on LCD screen with Restart display button near bottom center.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/shutdown-screen-restart.png)
# Emergency shutdown
Use this procedure to turn the equipment off during an emergency, such as fire, water, smoke, or hazard to personnel.
**Important**
Do not turn off the Snowball Edge device by unplugging the power cable from the device or the power cable from the power source while the device is operating. Loss of data may occur.
**To shut down a Snowball Edge device in an emergency**
1. Press and release the power button located above the LCD screen. It takes about 20 seconds for the device to shut down. While the device is shutting down, the LCD screen displays a message indicating the device is shutting down.
![\[Shutdown message on LCD screen.\]](http://docs.aws.amazon.com/snow/latest/swsbe-pack/images/shutdown-screen.png)
1. After the device has shut down, disconnect the device power cable from the power source.
**To shut down a hardware security module in an emergency**
+ Unplug both power cables from the device or both power cables from the power source.
# Returning the device
The prepaid shipping label on the E Ink display contains the correct address to return the Snowball Edge.
The device is delivered to an AWS sorting facility and forwarded to the AWS data center. The carrier automatically reports back a tracking number for your job to the AWS Snow Family Management Console. You can access that tracking number, and also a link to the tracking website, by viewing the job's status details in the console, or by making calls to the job management API.
**Important**
Unless personally instructed otherwise by AWS, never affix a separate shipping label to the device. Always use the shipping label that is on the E Ink display.
In addition, you can track the status changes of your job through the AWS Snow Family Management Console. You can use Amazon SNS notifications if you selected that option during job creation, or you can make calls to the job management API. For more information about this API, see [AWS Snowball Edge API Reference](https://docs.aws.amazon.com/snowball/latest/api-reference/api-reference.html).
The hardware security module must also be returned. Before returning it, decommission it to remove the cryptographic information used to secure it. See [Decomission the hardware security module](#decom-hsm). Then, contact Support for instructions to return it.
## Decomission the hardware security module
1. Use secure shell to connect to the device.
1. Use the `/usr/safenet/lunaclient/bin/lunacm` command to access the device's command line utility. Then, use the `hsm login` command to log in to the device.
1. Use the `/usr/safenet/lunaclient/bin/lunacm` command to access the device's command line utility., Then, use the `hsm factoryRestore` command to restore the unit to default settings.
1. Use secure shell to connect to the device again.
1. Use the `ssh -i default_key ksadmin@HSM_IP` command to use the default key.
1. Use the `/usr/safenet/lunaclient/bin/lunacm` command to access the device's command line utility. Then, use the `hsm system factory-reset` to reset the device.
**Important**
The `system factory-reset` command totally wipes the hardware security module. After running the command, you will not be able to access any Snow devices bound to it and the data on them will be lost.
1. After the device is reset, power it off, disconnect cables, and remove it from the rack.
## Disconnecting the device
Disconnect the Snowball Edge cables. Secure the device's power cable into the cable nook beneath the top door on the device.
Pull out and close the front and back doors. When they close completely, you hear an audible click. When the return shipping label appears on the E Ink display on top of the device, it's ready to be returned.