partition clone

Clone partition objects from the current active slot to the specified slot.

CAUTION!   If you are cloning objects to a different kind of partition (for example, between a Luna partition and a Luna Cloud HSM service) or a partition on an HSM running a different firmware version, refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum for important information about cloning capabilities.

Cloning is a repeating atomic action

When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.

If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.

This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.

Syntax

partition clone -objects <handles> -password <password> -slot <slot_number> [-force]

Argument(s) Shortcut Description
-force -f Force the action without prompting for confirmation.
-objects <handles> -o

Specifies the object handles to extract. You can specify the object handles to clone using any of the following methods:

>a single object handle

>0 or all, to indicate that all objects are to be extracted

>a list of handles, separated by commas. For example: -objects 3,4,6

-password <password> -p The target slot password. This option does not apply to multifactor quorum-authenticated HSMs/tokens.
-slot <slot_number> -s The target slot.

Example

lunacm:> partition clone -objects 124,140 -slot 1

        Option -password was not supplied.  It is required.

        Enter the password for the target slot: ********

        Verifying that the specified objects can be cloned.

        All objects can be cloned.

        Logging in to target slot 1

        Checking if objects already exist on target slot 1.

        Cloning the objects.
                Handle 124 on slot 0 is now handle 141 on slot 1
                Handle 140 on slot 0 is now handle 28 on slot 1

Command Result : No Error