Cloning or Backup / Restore with SKS

Primary use-case

Huge numbers of keys can be safely off-boarded from the HSM by scalable key storage (SKS) and stored, securely encrypted, in databases or file systems (which normally have their own backup regimes).

Only the SKS Master Key (SMK) needs to be either

>backed up to a Backup HSM with partition archive backup, for storage only (not used for any encryption/decryption while it is archived), or

>cloned to another HSM partition with partition smkclone (such as in an HA group), where it can insert/decrypt externally-stored keys and objects as needed when they are retrieved from your database by your application.

However, for smaller numbers of keys that fit inside a partition...

If an application creates smaller quantities of keys that can all fit inside an HSM partition, then it can be convenient to keep the SMK and those keys together within the HSM.

Backup/Restore

If a V1 partition containing some number of keys is backed up (partition archive backup command) to a Backup HSM, then that target Backup HSM sees

>one SMK cloned in from the source V1 partition,

>along with several SMK-encrypted opaque blobs having only their OUIDs and labels visible.

The blobs are not decrypted in the Backup HSM, but they can be identified for retrieval.

Cloning from General Purpose HSM source to General Purpose HSM target

Where you are cloning such a mixed partition (SMK plus multiple keys) from a V1 source partition to a V1 target (non-Backup),

>the SMK must be cloned over first (with partition smkclone),

>then the partition clone command is invoked against the keys,

where it actually launches SKS* to extract the keys (encrypted by the original SMK) from the source partition and insert them in the target partition, using the SMK copy that was just cloned over.

(*In this case, you use the partition clone command that quietly invokes SKS, so that your action to launch the process has the same "look and feel" as key cloning operations in V0 and pre-firmware-version 7.7.0 application partitions.)

For non-V1 partitions, the partition clone command behaves as previously, with no SKS involvement.
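The V1-to-V1 ordering described above (SMK first, then the keys), as an added conceptual model that is not Thales code and does not call the HSM. The Partition class, the helper names, the HMAC-based stand-in cipher and the sample OUID and label are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _prf(key, *parts):
    # Length-prefixed HMAC-SHA256 over the parts (stand-in primitive, not the HSM's).
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(smk, nonce, data):
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(_prf(smk, b"enc", nonce, i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

class Partition:
    def __init__(self, smk=None):
        self.smk = smk   # SKS Master Key; None until generated or cloned in
        self.keys = {}   # OUID -> (label, key material)

    def extract(self, ouid):
        # SMK-encrypted blob: only OUID and label stay readable.
        label, key = self.keys[ouid]
        nonce = os.urandom(16)
        ct = _xor(self.smk, nonce, key)
        tag = _prf(self.smk, b"mac", ouid.encode(), label.encode(), nonce, ct)
        return {"ouid": ouid, "label": label, "nonce": nonce, "ct": ct, "tag": tag}

    def insert(self, blob):
        if self.smk is None:
            raise PermissionError("target partition has no SMK")
        want = _prf(self.smk, b"mac", blob["ouid"].encode(),
                    blob["label"].encode(), blob["nonce"], blob["ct"])
        if not hmac.compare_digest(want, blob["tag"]):
            raise ValueError("blob is not encrypted under this partition's SMK")
        self.keys[blob["ouid"]] = (blob["label"], _xor(self.smk, blob["nonce"], blob["ct"]))

def smkclone(source, target):      # step 1: the SMK goes over first
    target.smk = source.smk
def clone(source, target):         # step 2: extract on source, insert on target
    for ouid in list(source.keys):
        target.insert(source.extract(ouid))

def demo():
    src, dst = Partition(smk=os.urandom(32)), Partition()
    src.keys["ouid-0001"] = ("constructed-key-a", os.urandom(32))  # constructed sample
    try:
        clone(src, dst)            # keys before SMK: the model refuses
        refused = True if False else False
    except PermissionError:
        refused = True
    smkclone(src, dst)
    clone(src, dst)
    return refused, dst.keys == src.keys
```

In this model a target holding a different SMK fails the integrity check in insert, which is why the SMK copy has to be in place before the keys follow.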