Document how to destroy log keys
We should also document the procedure to destroy a log's private key when the log is shut down. One should be able to rely on valid sigsum proofs involving the log, for some time after the log has been shut down, which requires that the key is not exposed later on.
With the HSM key storage, I don't think we want to physically destroy the related HSMs, but we want to do things like
- For the online HSMs, revoke auth keys related to the use of the keys and/or destroy copies of related passphrases and/or factory reset the HSM.
- For the backup HSMs, ask them to destroy the key material, and/or make the key no longer exportable.