Overview and Key Concepts

This topic provides the following background information you need to perform backup and restore operations using a G7-based backup HSM:

>Overview

>Credentials Required to Perform Backup and Restore Operations

>Client Software Required to Perform Backup and Restore Operations From a Client Workstation

>PED Authentication with the G7-Based Backup HSM

>Backup and Restore Best Practices

Overview

A Crypto Officer (CO) can use the backup HSM to back up the objects in any partition they can log in to, provided that:

>The user partition and the backup HSM share the same domain.

>The user partition and the backup HSM use the same authentication method (PED or password).

>The CO has the required credentials on the backup HSM.

You can perform backup/restore operations on your user partitions by connecting the backup HSM to a SafeNet Luna HSM Client workstation, or to a SafeNet Luna Network HSM appliance:

>When you connect the backup HSM to a SafeNet Luna HSM Client workstation, the backup HSM Admin partition is added to the slots listed in LunaCM, allowing you to clone objects between the <source> user partition and the <target> backup partition.

>When you connect the backup HSM to a SafeNet Luna Network HSM appliance, the backup HSM is available as an attached backup token identified by its serial number, allowing you to use LunaSH to clone objects between the <source> user partition and the <target> backup partition.

NOTE   You can connect the backup HSM to any USB port on the client workstation or SafeNet Luna Network HSM appliance. Do not attempt to connect the backup HSM to the USB port on the HSM card.

Backups are created and stored as partitions within the Admin partition on the backup HSM.

Credentials Required to Perform Backup and Restore Operations

You require the following credentials to perform backup/restore operations:

<source> User HSM

Remote PED (orange) key. Required for PED-authenticated backups only, to establish a remote PED connection to the HSM that hosts the <source> user partition.

<source> User Partition
Crypto Officer (CO). Required to access the objects in the <source> user partition that will be backed up.

Domain. Required to allow objects to be cloned between the <source> user partition and <target> backup partition. The domains for the <source> user partition and <target> backup partition must match, otherwise the backup will fail.

<target> Backup HSM

HSM Security Officer (SO). Required to create or access the <target> backup partition in the Admin slot, where all backups are archived.

Remote PED (orange) key. Required for PED-authenticated backups only, to establish a remote PED connection to the HSM that hosts the <target> backup partition.

Note: You create these credentials when you initialize the <target> backup HSM, and use them for subsequent backups to it.

<target> Backup Partition

Partition owner (PSO). Required to access the <target> backup partition.

Crypto Officer (CO). Required to access the objects in the <target> backup partition.

Note: You create new credentials for both roles on the initial backup, and use them for subsequent backups to the <target> backup partition.

Client Software Required to Perform Backup and Restore Operations From a Client Workstation

You must install the SafeNet Luna HSM Client software and USB driver for the backup HSM on the workstation you intend to use to perform backup and restore operations. See the release notes for supported versions and operating systems, and refer to SafeNet Luna HSM Client Software Installation for detailed installation instructions.

NOTE   Ensure that the backup HSM is not connected to the SafeNet Luna HSM Client workstation when you install or uninstall the client software. Failure to do so may result in the backup HSM becoming unresponsive.

When you install the client software, you must select the following options:

>The USB option. This installs the driver for the backup HSM.

>The Network and/or PCIe options, depending on which type of HSM you intend to back up.

>The Remote PED option, if you want to back up PED-authenticated partitions. Note that you can install and use a remote PED on the same workstation used to host the backup HSM, or on a different workstation.

>The Backup option, if you want to back up to a remote backup HSM using the Remote Backup Service (RBS).

PED Authentication with the G7-Based Backup HSM

The G7-based backup HSM is equipped with a single USB port that is used to connect the backup HSM to a SafeNet Luna HSM Client workstation or SafeNet Luna Network HSM appliance. As such, any PED connections to the backup HSM must use a remote PED and the pedserver service:

>When the G7-based backup HSM is connected to a client workstation, you authenticate to it with a remote PED that is connected to the same client workstation used to host the backup HSM, or to a separate workstation used to host the remote PED. To back up or restore a partition, you must use lunacm:> ped connect to establish remote PED connections to both the <source> user partition and the <target> backup HSM before you can log in to either.
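The following LunaCM session shows the order of operations described above for a PED-authenticated backup from a client workstation. It is an added illustration, not a procedure copied from this page or from Thales; the slot numbers (0 for the <source> user partition, 3 for the backup HSM Admin slot), the PED server address 192.0.2.10 on port 1503, and the backup partition label payroll_bk are assumed values, and the partition archive and role login command forms are assumed from LunaCM and should be checked against the backup procedure topic for your client version.

```lunacm
lunacm:> slot list
lunacm:> ped connect -ip 192.0.2.10 -port 1503 -slot 0
lunacm:> ped connect -ip 192.0.2.10 -port 1503 -slot 3
lunacm:> slot set -slot 0
lunacm:> role login -name co
lunacm:> partition archive backup -slot 3 -partition payroll_bk
lunacm:> partition archive list -slot 3
lunacm:> ped disconnect -slot 3
lunacm:> ped disconnect -slot 0
```

Both ped connect commands must succeed before the CO login and the backup, because the <source> partition login and the backup HSM SO and backup partition logins are all PED-prompted; on the first backup to a new backup partition the PED prompts you to create the partition owner and CO credentials noted above, and on later backups it prompts for the same credentials. The partition archive list call is the check that the new backup partition exists in the Admin slot and shows the expected object count before you disconnect.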

Backup and Restore Best Practices

To ensure that your data is protected in the event of a failure or other catastrophic event, Thales recommends that you use the following best practices as part of a comprehensive backup strategy:

CAUTION!   Failure to develop and exercise a comprehensive backup and recovery plan may prevent you from being able to recover from a catastrophic event. Although Thales provides a robust set of backup hardware and utilities, we cannot guarantee the integrity of your backed-up key material, especially if stored for long periods. Thales strongly recommends that you exercise your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material.

Develop and document a backup and recovery plan

This plan should include the following:

>What is being backed up

>The backup frequency

>Where the backups are stored

>Who is able to perform backup and restore operations

>Frequency of exercising the recovery test plan

Make multiple backups

To ensure that your backups are always available, build redundancy into your backup procedures.

Use off-site storage

In the event of a local catastrophe, such as a flood or fire, you might lose both your working HSMs and locally-stored backup HSMs. To fully protect against such events, always store a copy of your backups at a remote location.

Regularly exercise your disaster recovery plan

Execute your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material. This involves retrieving your stored Backup HSMs and restoring their contents to a test partition, to ensure that the data is intact and that your recovery plan works as documented.