Key Migration Using Cloning

If you have an existing Luna HSM 5.x, 6.x or 7.x password-authenticated partition, you can migrate its key material to your new, uninitialized Luna Cloud HSM partition by slot-to-slot cloning with the HSM Client.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. You must therefore initialize the destination partition with the source partition's cloning domain, the string that was specified when the source partition was initialized.

HSM Partition Label and Password Rules

In LunaCM, the partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~

Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

In LunaCM, passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
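A pre-flight check for the label and password rules above, written as an added example (not part of the Luna documentation or the HSM Client): it applies the two character sets listed, the 1-32 and 8-255 length limits, flags the silent 32-character label truncation and the problematic double quotation mark, and quotes values containing spaces as the -label, -password and -newpw options require.

```python
import re

# Character sets exactly as listed in the LunaCM rules above. '?' is allowed
# in passwords but not in labels; '"' is not listed and is called out as
# problematic in passwords.
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                  " !@#$%^&*()-_=+[]{}\\|/;:',.<>`~")
PASSWORD_CHARS = LABEL_CHARS | {"?"}

LABEL_MAX = 32                     # longer labels are silently truncated
PASSWORD_MIN, PASSWORD_MAX = 8, 255


def check_label(label):
    """Return (problems, effective_label): a list of rule violations and the
    label LunaCM would actually store (truncated to 32 characters)."""
    problems = []
    if len(label) < 1:
        problems.append("label must be at least 1 character")
    bad = sorted(set(label) - LABEL_CHARS)
    if bad:
        problems.append("label contains disallowed characters: %r" % "".join(bad))
    if len(label) > LABEL_MAX:
        problems.append("label longer than %d characters; LunaCM will truncate it"
                        % LABEL_MAX)
    return problems, label[:LABEL_MAX]


def check_password(password):
    """Return a list of rule violations for a PO or Crypto Officer password."""
    problems = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append("password must be %d-%d characters"
                        % (PASSWORD_MIN, PASSWORD_MAX))
    if '"' in password:
        problems.append('double quotation marks (") are problematic in passwords')
    bad = sorted(set(password) - PASSWORD_CHARS - {'"'})
    if bad:
        problems.append("password contains disallowed characters: %r" % "".join(bad))
    return problems


def quote_for_lunacm(value):
    """Wrap a label or password in double quotes when it contains spaces,
    which is what the -label / -password / -newpw options need."""
    return '"%s"' % value if " " in value else value
```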

Preconditions

The following instructions assume that:

>you have obtained an HSM Client

>the source partition's security policy allows cloning of private and secret keys

>you have an uninitialized destination Luna Cloud HSM service

>if your client host is a Windows device, you have installed pscp.

In the following examples:

>Slot 0: the source partition

>Slot 1: the destination partition

To migrate cryptographic keys

1. Download and install an HSM Client from the Service Details page, as described in the Services documentation. Do not initialize the partition.

2. Establish a Network Trust Link (NTL) to the Luna partition. The example steps below use the multi-step NTL procedure described in greater detail in the Luna documentation.

a. Use pscp (Windows) or scp (Linux) to import the server certificate (server.pem) from the Luna Network HSM appliance to the HSM client workstation. You require the Network HSM appliance admin password to complete this step.

Windows

Syntax: pscp [options] <user>@<host>:<source_filename> <target_filename>

Example: To copy the server certificate from host myHSM to the current (.) directory, keeping the same name:

pscp admin@myHSM:server.pem .
admin@myHSM's password:
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

Linux/UNIX

Syntax: scp [options] <user>@<host>:<source_filename> <target_filename>

Example: To copy the server certificate from host IP 192.168.0.123 to the current (.) directory, keeping the same name:

scp admin@192.168.0.123:server.pem .
admin@192.168.0.123's password:
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

b. Register the HSM Server Certificate with the client, using the vtl addServer command.

vtl addServer -n <Network_HSM_hostname_or_IP> -c <server_certificate>

If using a host name, ensure that the name you use is reachable over the network (ping <hostname>). To avoid network issues, it is recommended that you specify an IP address.

c. Create a certificate and private key for the client, using the vtl createcert command.

vtl createcert -n <Network_HSM_client_hostname_or_IP>

NOTE   The client hostname or IP address must be an exact match for the client hostname, as reported using the hostname command.

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname_or_IP>.pem and <client_hostname_or_IP>Key.pem, respectively. The vtl createcert command displays the full path-name of the key and certificate files that were generated.

d. Export the client certificate to the Luna Network HSM, using pscp (Windows) or scp (Linux/UNIX). You require the Luna Network HSM appliance admin password to complete this step.

Windows

Syntax: pscp [options] <source_filename> <user>@<host>:[<target_filename>]

Example: To copy the client certificate (myLunaClient.pem) to the myLunaSA appliance, keeping the same name:

pscp myLunaClient.pem admin@myLunaSA:
admin@myLunaSA's password: ********
myLunaClient.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

Linux/UNIX

Syntax: scp [options] <source_filename> <user>@<host>:[<target_filename>]

Example: To copy the client certificate (myLunaClient.pem) to the Luna Network HSM appliance with IP 192.168.0.123, keeping the same name:

scp myLunaClient.pem admin@192.168.0.123:
admin@192.168.0.123's password: ********
myLunaClient.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

e. Register the client certificate with the HSM appliance using the LunaSH client register command with an admin-level account.

By hostname

client register -client <client_name> -hostname <client_hostname>

Use this syntax if the client certificate was created using the client's hostname. You will then need to run the client hostip command to map the hostname to an IP address in the event of a DNS failure.

client hostip map -client <client_name> -ip <client_IP_address>

By IP address

client register -client <client_name> -ip <client_IP_address>

Use this syntax if the client certificate was created using the client's IP address as the certificate name.

f. Restart the Network Trust Link service.

lunash:>service restart ntls

You can use the LunaSH client list command to verify the client registration.

3. Run LunaCM and set the current slot to the destination partition.

slot set -slot 1

4. Initialize the partition, passing the source partition's cloning domain string as a parameter.

partition init -label <luna_cloud_hsm_service_label> -domain <domain_string>

5. Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role, setting the initial Crypto Officer password.

role login -name po

role init -name co

enter new password: ********

re-enter new password: ********

NOTE   The password for the Crypto Officer role is valid for the initial login only. The CO must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

6. In LunaCM, set the current slot to the source slot.

slot list

slot set -slot 0

7. Log in as the Crypto Officer.

NOTE   Be mindful of whether you're working with pre-PPSO or PPSO firmware, and use the partition login or role login command as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names: type Crypto Officer in full (it is case-sensitive), not co.

a. If you are cloning a release 6.x pre-PPSO partition (up to and including Luna HSM Firmware 6.21.2), use:

partition login

b. If you are cloning a PPSO partition (Luna HSM Firmware 6.22.0 and up, or a Luna Cloud HSM Service), use:

role login -name Crypto Officer

8. Optional: To verify the objects in the source partition to be cloned, issue the partition contents command.

partition contents

9. Clone the objects to the destination partition.

partition clone -objects 0 -slot 1

Enter the partition Crypto Officer password when prompted.

NOTE   Luna Cloud HSM requires a different object handle format than the Luna partition does, and so the object handles are converted to the other format during cloning. Messages display how handles are remapped, with the format "Handle <source_partition_object_handle> on slot <source_slot> is now handle <target_partition_object_handle> on slot <destination_slot>".

Optionally, verify that all objects were cloned successfully to the destination by checking the partition contents.

slot set -slot 1

partition contents

You should see the same number of objects that existed on the source partition. In addition, the object handles should be remapped to the values indicated during cloning.
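The final verification, automated as an added example (not code from the Luna documentation or the HSM Client): it parses the handle-remap messages in the format quoted in the NOTE above and cross-checks them against the object handles you read from partition contents on each slot. The clone output and all handle values are constructed samples; how you extract the handle lists from the partition contents listing is left to you, since that output format is not shown on this page.

```python
import re

# Remap message format from the NOTE above; the four numbers are the only
# variable parts.
REMAP_RE = re.compile(r"Handle (\d+) on slot (\d+) is now handle (\d+) on slot (\d+)")

# Constructed sample of 'partition clone -objects 0 -slot 1' output (made-up handles).
SAMPLE_CLONE_OUTPUT = """\
Handle 20 on slot 0 is now handle 1000001 on slot 1
Handle 21 on slot 0 is now handle 1000002 on slot 1
Handle 25 on slot 0 is now handle 1000003 on slot 1
"""


def parse_remaps(clone_output):
    """Map (source_slot, source_handle) -> (dest_slot, dest_handle)."""
    remaps = {}
    for m in REMAP_RE.finditer(clone_output):
        src_h, src_s, dst_h, dst_s = (int(x) for x in m.groups())
        remaps[(src_s, src_h)] = (dst_s, dst_h)
    return remaps


def verify_clone(source_handles, dest_handles, remaps, src_slot=0, dst_slot=1):
    """Check that every source object was reported as cloned, that each
    remapped handle really appears on the destination, that nothing else is
    there, and that the counts agree. Returns a list of problems (empty = OK)."""
    problems = []
    expected_dst = set()
    for h in source_handles:
        target = remaps.get((src_slot, h))
        if target is None:
            problems.append("source handle %d was not reported as cloned" % h)
            continue
        if target[0] != dst_slot:
            problems.append("source handle %d was cloned to slot %d, not %d"
                            % (h, target[0], dst_slot))
            continue
        if target[1] in expected_dst:
            problems.append("destination handle %d claimed by two source objects" % target[1])
        expected_dst.add(target[1])
    dest = set(dest_handles)
    for h in sorted(expected_dst - dest):
        problems.append("destination handle %d missing from partition contents" % h)
    for h in sorted(dest - expected_dst):
        problems.append("unexpected destination handle %d (not from this clone)" % h)
    if len(source_handles) != len(dest_handles):
        problems.append("object count differs: %d on source, %d on destination"
                        % (len(source_handles), len(dest_handles)))
    return problems
```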