Backing Up to a Client-Connected G7-Based Backup HSM

To perform a backup, you connect the backup HSM to the SafeNet Luna HSM Client workstation that hosts the slot for the partition you want to back up, and run the LunaCM partition archive backup command. Backups are created and stored as partitions within the Admin partition on the backup HSM.

A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing <target> backup partition with the current <source> user partition objects, or append new objects in the <source> user partition to the existing <target> backup partition.

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Backing Up a Multi-factor- (PED-) Authenticated Partition

>Backing Up a Password-Authenticated Partition

Backing Up a Multi-factor- (PED-) Authenticated Partition

You require a PED-authenticated backup HSM to back up a PED-authenticated user partition.

Summary

To perform a backup, you connect the backup HSM and a remote PED to the SafeNet Luna HSM Client workstation that hosts the slot for the user partition you want to back up, and perform the following tasks:

1. Log in to the <source> user partition as the Crypto Officer (CO):

If the <source> user partition is activated, you need to provide the challenge secret.

If the <source> user partition is not activated, you need to open a remote PED connection to the <source> HSM and use the required PED keys to log in to the <source> user partition as the Crypto Officer (CO).

2. Open a remote PED connection to the <target> backup HSM. You are prompted for the orange (Remote PED vector) key for the backup HSM.

3. Perform the backup operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain PED keys for the backup HSM/partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

Before beginning, ensure that you are familiar with the concepts in PED Authentication. You require the credentials listed in Backing Up to a Client-Connected G7-Based Backup HSM.

TIP   To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to back up. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for more information.

To back up a PED-authenticated partition

1. Configure your SafeNet Luna HSM Client workstation using one of the following configurations:

a. Install the required client software on the SafeNet Luna HSM Client workstation. See Backing Up to a Client-Connected G7-Based Backup HSM for details.

b. Connect the backup HSM directly to the SafeNet Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

c. Connect the PED to the SafeNet Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedServer.

2. Start the pedserver service on the workstation used to host the remote PED:

Windows:  C:\Program Files\Safenet\LunaClient> pedserver mode start
Linux:    /usr/safenet/lunaclient> pedserver mode start

3. Launch LunaCM on the workstation that hosts the user and backup partition slots.

4. Identify the slot assignments for:

The <source> user partition you want to backup.

The <target> admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

5. Select the <source> user partition:

lunacm:> slot set -slot <slot_id>

6. Authenticate as the Crypto Officer (CO) to the <source> user partition:

If the partition is activated, proceed as follows:

i. Log in to the selected <source> user partition as the Crypto Officer (CO):

lunacm:> role login -name co

If the partition is not activated, proceed as follows:

i. Connect to the SafeNet Luna HSM Client workstation that hosts the PED. If defaults have not been set with ped set, specify an IP address (and port if required; 1503 is the default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii. Log in to the selected <source> user partition as the Crypto Officer (CO):

lunacm:> role login -name co

iii. Respond to the prompts on the PED to provide the orange (PED vector) key(s) and PIN for the <source> HSM and the black (CO) key(s) and PIN for the CO role on the <source> user partition.

iv. Disconnect the PED session. Note that you will remain logged in to the <source> user partition:

lunacm:> ped disconnect

7. Select the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

8. Connect to the SafeNet Luna HSM Client workstation that hosts the PED. If defaults have not been set with ped set, specify an IP address (and port if required; 1503 is the default):

lunacm:> ped connect [-ip <pedserver_host_ip>]

9. Select the <source> user partition:

lunacm:> slot set -slot <slot_id>

10. Initiate the backup:

lunacm:> partition archive backup -slot <backup_HSM_admin_slot> [-partition <target_partition_label>]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>).

11. Respond to the prompts on the PED to insert the following keys:

a. The blue (HSM SO) key for the backup HSM. This is an existing key that was created when the backup HSM was initialized.

b. The blue (Partition SO) key for the <target> backup partition.

If this is the first time the <source> user partition is being backed up to this backup HSM, you are prompted to initialize the backup Partition SO role by creating a new key or reusing an existing key (SETTING SO PIN). After you initialize the role, you are prompted to insert the key again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the key used to initialize the backup partition SO role.

c. The red (Domain) key. This must be the same key used for the <source> user partition, otherwise the backup will fail.

d. The black (Crypto Officer) key for the <target> backup partition.

If this is the first time the <source> user partition is being backed up to this backup HSM, you must first initialize the backup partition CO role. This requires partition SO credentials, so you are prompted for the blue (Partition SO) key. After authenticating as the partition SO, you are prompted to initialize the backup partition CO role by creating a new key or reusing an existing key (SETTING SO PIN). After you initialize the partition CO role, you are prompted to insert the key again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the key used to initialize the backup partition CO role.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append                Add only new objects to the existing backup.
-replace               Delete the existing objects in the target backup partition and replace them with the contents of the source user partition. This is the default.
-append and -replace   Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

12. Disconnect the PED from the <source> and <target> HSMs:

a. Disconnect the PED from the <target> backup HSM:

lunacm:> ped disconnect

b. Select the slot for the <source> user partition:

lunacm:> slot set -slot <slot_id>

c. Disconnect the PED from the <source> user partition:

lunacm:> ped disconnect

13. If this is the first backup to the <target> backup partition, use the Duplicate function on the PED to create and label a set of backup keys for the new <target> backup partition PSO (blue) and CO (black) keys. See Duplicating Existing PED Keys for details.

Backing Up a Password-Authenticated Partition

You require a password-authenticated backup HSM to back up a password-authenticated user partition.

Summary

To perform a backup, you connect the backup HSM to the SafeNet Luna HSM Client workstation that hosts the slot for the partition you want to back up, and perform the following tasks:

1. Log in to the <source> user partition as the Crypto Officer (CO).

2. Perform the backup operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain passwords for the backup HSM/partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

You require the credentials listed in Backing Up to a Client-Connected G7-Based Backup HSM.

To back up a password-authenticated partition

1. Configure your SafeNet Luna HSM Client workstation as illustrated below:

a. Install the required client software on the SafeNet Luna HSM Client workstation and start LunaCM. See Backing Up to a Client-Connected G7-Based Backup HSM for more information.

b. Connect the backup HSM directly to the SafeNet Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

2. Identify the slots assigned to:

The <source> user partition slot (to be backed up).

The <target> admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

3. Select the <source> user partition:

lunacm:> slot set -slot <slot_id>

4. Log in to the <source> user partition as the Crypto Officer (CO):

lunacm:> role login -name co

5. Initiate backup of the <source> user partition to the <target> backup partition:

lunacm:> partition archive backup -slot <backup_hsm_admin_partition_slot_id> [-partition <target_backup_partition_label>]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>).

6. You are prompted for the following (you can also enter these options on the command line, although doing so exposes the strings, whereas using the prompts obscures the strings):

The domain string for the <target> backup partition. The domain must match the domain configured on the <source> user partition.

The <target> backup partition password. You will create a new password on the initial backup, and use the password for subsequent backups to the <target> backup partition.

The backup HSM SO password. This is required to create or access the backup partition in the Admin slot.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append                Add only new objects to the existing backup.
-replace               Delete the existing objects in the target backup partition and replace them with the contents of the source user partition. This is the default.
-append and -replace   Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).
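
The -append and -replace options listed above, and in the identical list in the PED-authenticated procedure, decide what an existing backup partition contains after the run. The following Python model is an added illustration, not vendor code: it treats a partition as a map of OUID to fingerprint (constructed sample values) and assumes that objects present only in the backup are left in place when appending.

```python
# Added illustration: model of the -append / -replace semantics described
# above. A partition is modelled as {OUID: fingerprint}; all data is constructed.

def plan_backup(source, target, append=False, replace=False):
    """Return (resulting target contents, per-OUID action log).

    With neither flag the model behaves like -replace, which the page
    names as the default.
    """
    actions = {}
    if not append:
        # -replace alone: delete everything in the target, copy the source.
        for ouid in target:
            actions[ouid] = "deleted"
        for ouid in source:
            actions[ouid] = "copied"
        return dict(source), actions

    result = dict(target)
    for ouid, fingerprint in source.items():
        if ouid not in target:
            result[ouid] = fingerprint
            actions[ouid] = "added"
        elif target[ouid] == fingerprint:
            actions[ouid] = "unchanged"
        elif replace:
            # Same OUID, different fingerprint: refreshed only with both flags.
            result[ouid] = fingerprint
            actions[ouid] = "replaced"
        else:
            # -append alone adds new objects only; the older copy stays.
            actions[ouid] = "stale-kept"
    # Assumption: objects found only in the target survive an append.
    for ouid in target:
        actions.setdefault(ouid, "kept-target-only")
    return result, actions

# Constructed sample: ouid-02 changed since the last backup, ouid-03 was
# deleted from the source, ouid-04 is new.
SOURCE = {"ouid-01": "fp-a", "ouid-02": "fp-b2", "ouid-04": "fp-d"}
TARGET = {"ouid-01": "fp-a", "ouid-02": "fp-b1", "ouid-03": "fp-c"}

if __name__ == "__main__":
    for label, flags in [("-append", {"append": True}),
                         ("-replace", {"replace": True}),
                         ("-append -replace", {"append": True, "replace": True})]:
        result, actions = plan_backup(SOURCE, TARGET, **flags)
        print(label, sorted(result.items()), sorted(actions.items()))
```

In this model, -append alone leaves the older copy of a modified object in the backup, while -replace alone drops backup objects that no longer exist on the source; check which of the two matches your retention intent before rerunning a backup against an existing target.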