Luna HSM Backup Guide
The Luna HSM Backup is a Luna Cloud HSM Service offering that provides a dedicated backup and restore location for your organization's on-premises Network HSMs and Cloud HSMs. The Luna HSM Backup allows users to take cryptographic objects from a source Luna HSM partition (the partition that you are backing up) and securely store them on a destination partition (the Luna HSM Backup).
Thales Data Protection on Demand supports requests to configure a single client to connect to multiple Luna Cloud HSM Services. When two partitions are available from a client, a single set of service client credentials can be used for key migration between the connected service partitions. Please download and complete the Client Connection to Multiple Services Request Form and include it in a support request to the Thales Customer Support Portal. When both partitions are connected and accessible from the same client, you can clone objects between the partitions for key migration and backup. See Key Cloning and Key Migration Guides for more information about cloning and migrating keys between partitions.
Key cloning and key migration guides
To begin cloning or migrating keys to the Luna HSM Backup, refer to the following procedures.
Adding and configuring the Luna HSM Backup
To deploy the Luna HSM Backup, select the Luna HSM Backup tile in the DPoD marketplace and follow the instructions described in Adding a Luna Cloud HSM Service. For more information about initializing the client see Configuring the Service Client.
Advisory content
This section includes the following advisory content for the Luna HSM Backup. We recommend you review and familiarize yourself with this content before beginning any key migration or key cloning operations between an on-premises HSM and the Luna HSM Backup.
- Common Configuration Characteristics of Source and Destination
- Luna HSM Backup Capacity
- Limitations on using Luna HSM Backup in High-Availability Configurations
- Required Partition Policies
Common configuration characteristics of source and destination
To use the Luna HSM Backup with an existing Luna HSM, the following configuration settings must be consistent between the source HSM partition and destination:
- All partitions must be initialized using the same domain string. (You set the domain string when you initialize the Luna HSM partition/Luna HSM Backup.)
- All partitions must have the same FIPS mode configuration. (You configure FIPS mode when you create the Luna HSM Backup. You cannot alter the FIPS mode configuration after provisioning the service.)
Luna HSM Backup capacity
The Luna HSM Backup is a limited capacity service with a total storage space of 159744 bytes. A single Luna HSM Backup has capacity for storing:
- 100 objects or 156 KB (e.g., one hundred 2048-bit RSA asymmetric key pairs)
- 100 session objects or 156 KB (e.g., one hundred 2048-bit RSA asymmetric key pairs) from an application per service.
As a result of the fixed partition size, you may require multiple Luna HSM Backup services to store all of the cryptographic objects that you would like to back up. Alternatively, you can specify which objects you want to back up using the partition clone command in LunaCM. For more information about the partition clone command and the parameters available for specifying which objects to clone, see partition clone in the client User Guide.
Limitations on using Luna HSM Backup in high-availability configurations
The Luna HSM Backup can be configured as a standby for a Luna HSM in a high-availability configuration. The Luna HSM Backup should never be configured as the primary in a high-availability configuration. In addition, the following limitations/requirements apply when using a Luna HSM Backup in a high-availability configuration:
- All partitions must be visible in LunaCM on the client workstation.
- All partitions must be initialized with the same domain string.
- Partition Policy 0: Allow private key cloning and Partition Policy 4: Allow secret key cloning must be set to 1 on all partitions.
- Partition policies must be consistent across all member partitions.
- The crypto officer (CO) role on each partition must be initialized with the same CO credential (password).
For more information about configuring a high-availability group for Luna HSMs see the section High-Availability Groups in the client User Guide.
Required partition policies
To use your Luna HSM Backup to back up Luna HSM cryptographic objects, both the source HSM partition and the destination backup service require that the following partition policies be enabled:
- 0 - Allow Private Key Cloning
- 4 - Allow Secret Key Cloning
- 21 - Allow High Availability Key Recovery
Required partition policies depend on the type of backup you are using the Luna HSM Backup for. For example, if you are using the Luna HSM Backup as a standby in a high-availability configuration you need to enable Partition Policy 21 - Allow High Availability Key Recovery. If you are using the Luna HSM Backup to clone keys from the source HSM to the destination service to store copies of cryptographic objects, you do not require Partition Policy 21 - Allow High Availability Key Recovery, but you do require Partition Policy 0 - Allow Private Key Cloning and Partition Policy 4 - Allow Secret Key Cloning.
See the section Set Partition Policies in the client User Guide for detailed descriptions of the HSM partition policies.
Tip: You can check your partition policies by executing partition showpolicies in LunaCM.
By default, the Luna HSM Backup has the following partition policies:
Partition Policies
0: Allow private key cloning: 1
2: Allow private key unwrapping: 1
4: Allow secret key cloning: 1
5: Allow secret key wrapping: 1
6: Allow secret key unwrapping: 1
10: Allow multipurpose keys: 1
11: Allow changing key attributes: 1
15: Ignore failed challenge responses: 1
16: Operate without RSA blinding: 1
17: Allow signing with non-local keys: 1
18: Allow raw RSA operations: 1
20: Max failed user logins allowed: 10
21: Allow high availability recovery: 1
22: Allow activation: 0
23: Allow auto-activation: 0
25: Minimum pin length (inverted: 255 - min): 248
26: Maximum pin length: 255
28: Allow Key Management Functions: 1
29: Perform RSA signing without confirmation: 1
31: Allow private key unmasking: 1
32: Allow secret key unmasking: 1
33: Allow RSA PKCS mechanism: 1
34: Allow CBC-PAD (un)wrap keys of any size: 1
37: For Secure Trusted Channel: 0
39: Allow Start/End Date Attributes: 0
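The following is an added example, not part of the Thales documentation or LunaCM itself. It parses the text format of the partition showpolicies listing shown above and checks a source partition and a Luna HSM Backup partition against the policy requirements this guide states (policies 0 and 4 for cloning, plus 21 for high-availability standby use) and against the requirement that policies be consistent between members. The two listings below are constructed samples, not output captured from a real device.

```python
# Policies this guide requires, per use case of the Luna HSM Backup:
# 0 and 4 for any key cloning; 21 additionally when used as an HA standby.
REQUIRED_POLICIES = {
    "clone": {0: 1, 4: 1},
    "ha": {0: 1, 4: 1, 21: 1},
}

# Constructed sample listings in the "partition showpolicies" format
# (illustrative values, not captured from a real partition).
SOURCE_OUTPUT = """Partition Policies
0: Allow private key cloning: 1
4: Allow secret key cloning: 0
20: Max failed user logins allowed: 10
21: Allow high availability recovery: 0
25: Minimum pin length (inverted: 255 - min): 248
"""

BACKUP_OUTPUT = """Partition Policies
0: Allow private key cloning: 1
4: Allow secret key cloning: 1
20: Max failed user logins allowed: 10
21: Allow high availability recovery: 1
25: Minimum pin length (inverted: 255 - min): 248
"""

def parse_showpolicies(text):
    """Parse a policy listing into {policy_number: (name, value)}.
    The value is taken after the LAST colon, so names that themselves
    contain a colon (policy 25) are handled correctly."""
    policies = {}
    for line in text.splitlines():
        head, sep, value = line.rpartition(":")
        if not sep or not value.strip().isdigit():
            continue  # header line or non-policy text
        num, sep2, name = head.partition(":")
        if not sep2 or not num.strip().isdigit():
            continue
        policies[int(num)] = (name.strip(), int(value))
    return policies

def missing_policies(policies, mode):
    """Required policies absent from the listing or not at the required value."""
    return sorted(num for num, want in REQUIRED_POLICIES[mode].items()
                  if num not in policies or policies[num][1] != want)

def inconsistent_policies(source, backup):
    """Policy numbers present on both partitions whose values differ."""
    return sorted(num for num in source.keys() & backup.keys()
                  if source[num][1] != backup[num][1])

def check_backup_pair(source_text, backup_text, mode):
    """Summarise what must change before the pair can be used in this mode."""
    src, dst = parse_showpolicies(source_text), parse_showpolicies(backup_text)
    return {"source_missing": missing_policies(src, mode),
            "backup_missing": missing_policies(dst, mode),
            "inconsistent": inconsistent_policies(src, dst)}
```

Run check_backup_pair on the real output of partition showpolicies from each partition; an empty result for all three keys means the pair meets the policy requirements stated in this guide for that mode.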