Backup/Restore Using Luna Backup HSM G5

You can connect the Luna Backup HSM G5 to a USB port on the client workstation. This configuration allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. It is useful in deployments where the partition Crypto Officer wants to keep backups at the client. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

CAUTION!   There is an issue with restoring Luna Cloud HSM backups stored on Luna USB Backup HSM 7 running firmware version 7.7.1 or later and Luna USB Backup HSM 5 running firmware 6.28. For more information about this issue and the available workarounds, see the Technical Blog: Issue with Luna Cloud HSM Backup.

This section provides instructions for the following procedures using this kind of deployment:

> Initializing the Luna Backup HSM G5

> Backing Up an Application Partition

> Restoring an Application Partition from Backup

NOTE   The size of the partition header is different for a Luna Cloud HSM partition and its equivalent backup partition stored on a Luna Backup HSM G5. As a result, the value displayed in the Used column in the output of the partition list command (for the backed-up Luna Cloud HSM partition) is different than the value displayed in the Used column in the output of the token backup partition list command (for the backup partition on the Backup HSM).

Initializing the Luna Backup HSM G5

Before you can use the Luna Backup HSM G5 to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.

Prerequisites

> Install the Luna Backup HSM G5 at the client and connect it to power (see Installing the Luna Backup HSM G5).

To initialize a client-connected Luna Backup HSM G5

1. Launch LunaCM on the client workstation.

2. Set the active slot to the Luna Backup HSM G5.

lunacm:> slot set -slot <slotnum>

3. Initialize the Luna Backup HSM G5, specifying a label and the method of authentication (-initwithpwd).

You are prompted to set an HSM SO credential and cloning domain for the Backup HSM.

NOTE   After initializing a client-connected Luna Backup HSM G5 to use PED authentication, the HSM erroneously requests a password to log in with any role. This issue occurs when HSM Client 10.3.0 or newer is used with HSM firmware 6.10.9 or older.

Workaround: Press ENTER to bypass the password prompt, and present the PED key as usual. Alternatively, use Luna HSM Client 10.2.0 or upgrade the Luna Backup HSM firmware to 6.24.7 or newer to avoid this.

Backing Up an Application Partition

You can use LunaCM to back up the contents of an application partition to the client-connected Luna Backup HSM G5. You can use this operation to create a backup on the Backup HSM, or add objects from the source partition to an existing backup.

Prerequisites

> The Luna Backup HSM G5 must be initialized (see Initializing the Luna Backup HSM G5).

> The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

   Partition policy 0: Allow private key cloning is set to 1 (ON) on the source partition.

   Partition policy 4: Allow secret key cloning is set to 1 (ON) on the source partition.

> You must have the Crypto Officer credential and domain for the source partition.

> You must have the Backup HSM SO credential.

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.

To back up an application partition to a client-connected Luna Backup HSM G5

1. Launch LunaCM on the client workstation.

2. Set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3. Back up the partition, specifying the Luna Backup HSM G5 slot and a label for the backup (either a new or existing label). If you specify an existing backup label, include the -append option to add only new objects to the backup (duplicate objects will not be cloned). By default, the existing backup will be overwritten with the current contents of the source partition.

lunacm:> partition archive backup -slot <Backup_HSM_slotnum> [-partition <backup_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process.

Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append: Add only new objects to an existing backup.

-replace: Delete the existing objects in a target backup partition and replace them with the contents of the source user partition. This is the default.

-append -replace: Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

You are prompted to present or set the following credentials:

Backup HSM SO

Crypto Officer for the backup (can be the same as the source partition)

Cloning domain for the backup (must be the same as the source partition)

The partition contents are cloned to the backup.
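
Added example (not part of the Thales documentation or of LunaCM): a small Python model of how the -append and -replace options described above treat the objects in an existing backup, keyed by OUID and fingerprint. The OUIDs and fingerprints are constructed sample values, and leaving backup-only objects in place when -append is used is this model's reading of the option descriptions, which mention no deletion in that case.

```python
from typing import Dict, List

Objects = Dict[str, str]  # OUID -> fingerprint (constructed values)


def plan_backup(source: Objects, backup: Objects,
                append: bool = False, replace: bool = False) -> Dict[str, List[str]]:
    """Classify every OUID by what the chosen option combination does to it."""
    plan: Dict[str, List[str]] = {"added": [], "replaced": [], "kept": [], "deleted": []}
    if not append:
        # Default, and -replace on its own: existing backup objects are deleted
        # and the current source contents are cloned in their place.
        plan["deleted"], plan["added"] = sorted(backup), sorted(source)
        return plan
    for ouid in sorted(set(source) | set(backup)):
        if ouid not in backup:
            plan["added"].append(ouid)       # new object, cloned
        elif replace and ouid in source and source[ouid] != backup[ouid]:
            plan["replaced"].append(ouid)    # same OUID, different fingerprint
        else:
            plan["kept"].append(ouid)        # duplicate or backup-only, untouched
    return plan


def apply_backup(source: Objects, backup: Objects,
                 append: bool = False, replace: bool = False) -> Objects:
    """Return the contents of the backup after the operation."""
    plan = plan_backup(source, backup, append, replace)
    result = dict(backup) if append else {}
    for ouid in plan["added"] + plan["replaced"]:
        result[ouid] = source[ouid]
    return result


def stale(source: Objects, backup: Objects) -> List[str]:
    """OUIDs whose backed-up fingerprint no longer matches the source object."""
    return sorted(o for o in backup if o in source and backup[o] != source[o])


# Constructed sample: since the last backup, B's attributes changed,
# C was deleted from the source partition, and D was created.
SOURCE = {"ouid-A": "fp-a1", "ouid-B": "fp-b2", "ouid-D": "fp-d1"}
BACKUP = {"ouid-A": "fp-a1", "ouid-B": "fp-b1", "ouid-C": "fp-c1"}

if __name__ == "__main__":
    for name, opts in (("default", {}), ("-append", {"append": True}),
                       ("-append -replace", {"append": True, "replace": True})):
        after = apply_backup(SOURCE, BACKUP, **opts)
        print(f"{name:17} backup={sorted(after)} stale={stale(SOURCE, after)}")
```

With the sample data, the default run drops ouid-C from the backup, -append alone keeps the outdated copy of ouid-B, and -append -replace refreshes ouid-B while retaining ouid-C.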

Restoring an Application Partition from Backup

You can use LunaCM to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.

Prerequisites

> The target partition must be initialized with the same cloning domain as the backup partition.

> The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

   Partition policy 0: Allow private key cloning is set to 1 (ON) on the target partition.

   Partition policy 4: Allow secret key cloning is set to 1 (ON) on the target partition.

> You must have the Crypto Officer credentials for the backup partition and the target partition.

To restore the contents of a backup to an application partition

1. Launch LunaCM on the client workstation.

2. Set the active slot to the target partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3. [Optional] Display the available backups by specifying the Luna Backup HSM G5 slot. Each available backup also appears as a slot in LunaCM.

lunacm:> partition archive list -slot <Backup_HSM_slotnum>

4. [Optional] Display the contents of a backup by specifying the Luna Backup HSM G5 slot and the backup partition label in LunaCM.

lunacm:> partition archive contents -slot <backup_slotnum> -partition <backup_label>

5. Restore the partition contents, specifying the Luna Backup HSM G5 slot and the backup you wish to use. By default, duplicate backup objects with the same OUID as objects currently existing on the partition are not restored.

If you have changed attributes of specific objects since your last backup and you wish to revert these changes, include the -replace option.

If you are restoring a V1 partition and you only want to restore the SMK, include the -smkonly option.

lunacm:> partition archive restore -slot <Backup_HSM_slotnum> -partition <backup_label> [-replace] [-smkonly]

You are prompted for the backup's Crypto Officer credential.

The backup contents are cloned to the application partition.