Backing Up k570 Root of Trust Keys
The Thales CipherTrust Manager k570 appliance embeds a Luna PCIe HSM, to act as root of trust, storing root of trust keys in a partition.
For redundancy, you can backup the root of trust keys from a Luna PCIe HSM to a Luna Backup HSM. You can then restore the root of trust keys on to a different Thales CipherTrust Manager k570 appliance to meets the required configuration.
Note
The steps documented on this page are specific to Thales CipherTrust Manager k570 appliances. Contact Trusted Cyber Technologies customer support for help performing this operation with the TCT CipherTrust Manager k570 appliance.
Supported Luna Backup HSMs are:
Luna Backup HSM 7 v1
Luna Backup HSM 7 v2
Luna Backup HSM G5
If you have upgraded the PCIe HSM firmware, make sure the Backup HSM has a version compatible with HSM firmware 7.7.0 or higher
The steps depend on whether the k570 PCI HSM is password-authenticated or PIN Entry Device(PED)-authenticated. The prerequisites and required target Thales CipherTrust Manager configuration are the same for both authentication types.
Prerequisites
You require
ksadmin
level access to the CipherTrust Manager with an SSH key.Obtain Luna HSM Client from the Thales customer support portal.
We recommend version 10.4.0 or higher, for full compatibility with all Luna Backup HSM models and the k570.
Make sure the target CipherTrust Manager k570 to be restored to meets the required configuration.
Caution
Failing to meet the required target Thales CipherTrust Manager k570 configuration can result in the CipherTrust Manager application becoming unavailable after reboot, requiring customer support to recover.
Required Target Thales CipherTrust Manager k570 Configuration
Before you can restore keys into a CipherTrust Manager k570 appliance, you must ensure that there are no root of trust keys already present on the Luna PCI HSM.
New k570 Appliance
For a new k570 appliance which has never been deployed:
Proceed with Thales CipherTrust Manager k570 physical appliance deployment, including initializing the Luna PCIe HSM partition.
Do not setup the root of trust HSM before restoring root of trust keys.
If you have set up the root of trust HSM, follow the steps for existing k570 appliance.
Existing k570 Appliance
For a k570 which has a root of trust HSM configured, or has ever contained data such as keys or users:
Perform a system backup to retain any keys or users. Do not use the tied to HSM option.
Perform a system reset of the appliance.
As the Crypto Officer, log into the partition and delete any keys remaining on the Luna PCIe HSM partition.
SSH in as ksadmin, and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Find and login to the User Token Slot.
lunacm:> slot list
Notice the slot with the slot description "User Token Slot".
lunacm:> slot set -slot <slot number of user-token-slot>
Login as the Crypto Officer.
lunacm:> role login –name co
Clear all the keys present in the partition. You are prompted to confirm.
lunacm:> partition clear
List the partition contents to make sure there are no objects remaining.
lunacm:> partition contents
Exit the
lunacm
utility.
Backup and Restore for Password-Authenticated HSM
After you have fulfill the prerequisites, the high level workflow is for password-authenticated HSM is:
Establish connections between all the devices, client workstation, source k570, and Luna Backup HSM.
Establish connections between all the devices, client workstation, target k570, and Luna Backup HSM.
Required Network Setup
With the Luna PCIe HSM and a LunaCM client embedded in the Thales CipherTrust Manager k570 appliance and hardened USB access, backup and restore requires a specific networking setup for all components.
You must install the Remote Backup Server (RBS) on a workstation. RBS acts as a client to the Luna Backup HSM, and the Luna PCIe HSM acts as a client to RBS. RBS connects to the Luna Backup HSM through a local USB connection. The k570 PCIe HSM uses the vtl utility to connect to RBS over port 1792.
Establish connections between all devices
Use the provided USB cable to connect the Luna Backup HSM to the client workstation.
Install Luna HSM Client on your client workstation, including the Backup component.
Find the rbs program included in the Luna client installation.
The default path on Windows is
C:\Program Files\SafeNet\LunaClient\rbs.exe
, and the default path on Linux is/usr/safenet/lunaclient/rbs/bin
.Run the command
rbs --config
to select the Luna Backup HSM device.When you have specified your selection, enter X to exit the configuration tool.
If a server key and password don't exist for RBS, generate a new key with command
rbs --genkey
and enter a new RBS password when prompted.The certificate is generated at the following locations:
Linux/UNIX:
<LunaClient_install_directory>/rbs/server/server.pem
Windows:
<LunaClient_install_directory>\cert\server\server.pem
Start the rbs server on port 1792 with the command
rbs s -port 1792
. Enter the RBS password that you created in the previous step.Securely transfer the
server.pem
certificate on the client workstation to the CipherTrust Manager k570 usingscp
. The certificate is located atC:\Program Files\SafeNet\LunaClient\certs\server\
.SSH into the CipherTrust Manager k570 as ksadmin.
Change into the directory containing the vtl utility. The vtl utility is located at
/usr/safenet/lunaclient/bin
.Use vtl to connect the Luna PCIe HSM to the RBS client workstation.
./vtl addserver -n <client_workstation_ip_address> -c <path_to_the_server.pem>
Verify the Luna Backup HSM is visible with vtl.
./vtl listservers
Back up the Root of Trust Keys
Establish connections between all the devices, client workstation, source k570, and Luna Backup HSM.
Still in an SSH session as ksadmin, execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Identify the three visible slots, and note the displayed
Slot Id
for each slot. TheSlot Description
field indicates each slot's purpose.User Token Slot
contains the k570 root of trust keys, and is the authorization point for access to the keys.Admin Token Slot
is the slot for configuring Luna PCIe HSM overall.Net Admin Token SLot
indicates the Luna Backup HSM device.
Switch to the slot for the
User Token Slot
.slot set -s <user_token_slot_id>
Login as the Crypto Officer. Use the password or challenge secret configured during deployment.
role login -n co -p <crypto_officer_password>
Backup the partition contents, including root of trust keys, to the Luna Backup HSM. This process creates a new partition on the Luna Backup HSM. You set a security officer password for the Backup HSM, and set a partition name, cloning domain, and partition password for the new partition.
partition archive backup -s <net_admin_token_slot> -partition <a_backup_partition_name> -do <cloning_domain_name> -sop <backup_hsm_security_officer_password> -pas <partition_password_on_backup>
Restore the Root of Trust Keys to a Different k570 Appliance
Caution
Ensure the k570 appliance meets the required target Thales CipherTrust Manager k570 configuration. Failing to meet this configuration can result in the CipherTrust Manager application becoming unavailable after reboot, requiring customer support to recover.
Establish connections between all the devices, client workstation, target k570, and Luna Backup HSM.
Still in an SSH session as ksadmin, execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Identify the three visible slots, and note the displayed
Slot Id
for each slot. TheSlot Description
field indicates each slot's purpose.User Token Slot
is the target slot which will contain the k570 root of trust keys, and act as the authorization point for access to the keys.Admin Token Slot
is the slot for configuring Luna PCIe HSM overall.Net Admin Token Slot
indicates the Luna Backup HSM device.
Switch to the slot for the
User Token Slot
.slot set -s <user_token_slot_id>
Login as the Crypto Officer. Use the password or challenge secret configured during deployment.
role login -n co -p <crypto_officer_password>
Restore the root of trust keys from the backup device slot. Provide the backup HSM's partition name, cloning domain, security officer password, and partition password values set during backup.
partition archive restore -s <net_admin_token_slot> -partition <the_backup_partition_name> -do <cloning_domain_name> -sop <security_officer_password> -pas <partition_password_on_backup>
Proceed to configure the Luna PCIe as the Root of Trust.
You require the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure.
(Optional) If you have restored multiple root of trust keys, you can check which key is active, and rotate the active key to a different root of trust key, if desired.
Backup and Restore for PED-Authenticated HSM
After you have fulfilled the prerequisites, the high level steps are:
Set up the client workstation and Luna Backup HSM for remote ped authentication.
Establish connections between the source k570 and client workstation.
Establish connections between the target k570 and client workstation.
Note
If you are consulting Luna documentation, PED authentication is now referred to as multifactor quorum authentication.
Required Network Setup for PED Authentication
You must install Luna Client on a work station, including the Remote Backup Server (RBS) and PEDServer utilities.
RBS acts as a client to the Luna Backup HSM, and the Luna PCIe HSM acts as a client to RBS. RBS connects to the Luna Backup HSM through a local USB connection. The k570 PCIe HSM uses the vtl utility to connect to RBS over port 1792.
PEDServer allows for remote access to the PED over network port 1503. This is required to authenticate the k570 PCI-e HSM and the Luna Backup HSM at the work station.
Set Up the Client Workstation and Luna Backup HSM for Remote PED Authentication
Use the provided USB cable to connect the Luna Backup HSM to the client workstation.
Use the provided USB cable to connect the PED to the client workstation.
Install Luna HSM Client on your client workstation, including the Backup and Remote PED component.
Navigate to the Luna client install directory and start the PEDserver utility.
pedserver -mode start
Note
The default directory path on Windows is
C:\Program Files\SafeNet\LunaClient\
, and the default directory path on Linux is/usr/safenet/lunaclient/
.Initialize the Luna Backup HSM for PED/multifactor quorum authentication, as specified in the Luna documentation for the particular Backup HSM model.
Login as the HSM SO. When prompted, insert the blue PED key.
lunacm:> role login -n so
In LunaCM, run the command to initialize the remote PED vector and confirm. When prompted, insert a blank key into the PED to be imprinted as an orange PED vector PED key.
lunacm:> ped vector -init You are about to initialize the Remote PED Vector Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed RPV was successfully initialized. Command Result : No Error
Set up a secure channel between the Luna Backup HSM and the PED server, if you have not already done so.
Login as the HSM SO.
lunacm:> role login -n so
Provide the IP address of the Remote PED server.
lunacm:> ped set -ip <client_workstation_ip_address> -port 1503
Connect to the Remote PED server.
lunacm:> ped connect
Login as the HSM SO again. Respond to the PED prompts to insert the blue HSM SO and orange PED Vector key.
lunacm:> role login -n so
Establish Connections Between the Client Workstation and the k570
Start the Remote Backup Server (RBS) and connect it to the k570
Find the rbs program included in the Luna client installation.
The default path on Windows is
C:\Program Files\SafeNet\LunaClient\rbs.exe
, and the default path on Linux is/usr/safenet/lunaclient/rbs/bin
.Run the command
rbs --config
to select the Luna Backup HSM device.When you have specified your selection, enter X to exit the configuration tool.
If a server key and password don't exist for RBS, generate a new key with command
rbs --genkey
and enter a new RBS password when prompted.The certificate is located at:
Linux/UNIX:
<LunaClient_install_directory>/rbs/server/server.pem
Windows:
<LunaClient_install_directory>\cert\server\server.pem
Start the rbs server on port 1792 with the command
rbs s -port 1792
. Enter the RBS password that you created in the previous step.Securely transfer the
server.pem
certificate on the client workstation to the CipherTrust Manager k570 usingscp
. The certificate is located atC:\Program Files\SafeNet\LunaClient\certs\server\
.SSH into the CipherTrust Manager k570 as ksadmin.
Change into the directory containing the vtl utility. The vtl utility is located at
/usr/safenet/lunaclient/bin
.Use vtl to connect the Luna PCIe HSM to the RBS client workstation.
./vtl addserver -n <client_workstation_ip_address> -c <path_to_the_server.pem>
Verify the Luna Backup HSM is visible with vtl.
./vtl listservers
Create an orange Remote PED key for the k570.
Connect the PED to the k570 USB port. If the PED screen doesn't respond, connect the A/C adapter to the PED and to a power outlet as well.
Change into the "
/usr/safenet/lunaclient/bin/lunacm
" directory.Login as SO with the command
role login -name SO
.Have an orange PED key ready. Create and imprint the RPV (Remote PED Vector):
hsm ped vector init
Respond to the PED prompts.
Re-connect the PED to the client workstation.
Backup the Root of Trust Keys from PED-Authenticated k570
On the k570 CipherTrust Manager, set the Luna client to access the Luna Backup HSM and use the remote PED.
SSH in as ksadmin, and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Identify the three visible slots, and note the displayed
Slot Id
for each slot. TheSlot Description
field indicates each slot's purpose.User Token Slot
is the slot which contains the k570 root of trust keys, and act as the authorization point for access to the keys.Admin Token Slot
is the slot for configuring Luna PCIe HSM overall.Net Admin Token Slot
indicates the Luna Backup HSM device.
Switch to the slot for the
Net Admin Token Slot
.slot set -s <luna_backup_hsm_slot_id>
Provide the IP address of the Remote PED server.
lunacm:> ped set -ip <client_workstation_ip_address> -port 1503
View the PED connection type for the Luna Backup HSM.
lunacm:> ped get
The result shows that the Luna Backup device is set to local PED mode.
HSM slot 1 listening to local PED (PED id=0).
Confirm the Remote PED Server IP address and port are set correctly.
lunacm:>ped show Configured Remote PED Server information Remote PED Server IP address: <configured_ip_address> Remote PED Server Port: 1503 Command Result : No Error
Connect the Luna Backup HSM to the Remote PED Server.
lunacm:>ped connect Command Result : No Error
Backup the k570 root of trust keys to the Luna Backup HSM.
List the visible slots and identify the slot number for the
User Token Slot
, which is the slot which contains the k570 root of trust keys.lunacm:>slot list
Switch to the
User Token Slot
lunacm:>slot set -s <slot_number>
Login as the Crypto Officer. Use the challenge secret configured during deployment.
role login -n co -p <crypto_officer_password>
Backup the partition contents, including root of trust keys, to the Luna Backup HSM. This process creates a new partition on the Luna Backup HSM. As part of this process, you present the orange Remote PED vector, blue HSM SO, and red Domain PED Keys initialized for the Luna Backup HSM to the HSM connected to the client workstation. You also present the black Crypto Officer PED key initialized for the k570 root of trust key partition. Respond to the PED prompts.
lunacm:>partition archive backup -s <net_admin_token_slot> -partition <backup_HSM_partition_name>
Restore the Root of Trust Keys to a Different PED-Authenticated k570
Caution
Ensure the k570 appliance meets the required target Thales CipherTrust Manager k570 configuration. Failing to meet this configuration can result in the CipherTrust Manager application becoming unavailable after reboot, requiring customer support to recover.
Establish connections between the client workstation and the k570.
In an SSH session as ksadmin, execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Identify the three visible slots, and note the displayed
Slot Id
for each slot. TheSlot Description
field indicates each slot's purpose.User Token Slot
is the target slot which will contain the k570 root of trust keys, and act as the authorization point for access to the keys.Admin Token Slot
is the slot for configuring Luna PCIe HSM overall.Net Admin Token Slot
indicates the Luna Backup HSM device.
Switch to the slot for the
User Token Slot
.slot set -s <user_token_slot_id>
Login as the Crypto Officer. Use the challenge secret configured during deployment.
role login -n co -p <crypto_officer_password>
Restore the root of trust keys from the backup device slot. When prompted, provide the orange Remote PED key and the black Crypto Officer PED key.
partition archive restore -s <net_admin_token_slot> -partition <the_backup_partition_name>
Proceed to configure the Luna PCIe as the Root of Trust.
You require the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure.
(Optional) If you have restored multiple root of trust keys, you can check which key is active, and rotate the active key to a different root of trust key, if desired.