Planning Your Backup HSM Deployment

When setting up your backup deployment, you have multiple configuration options. This section will help you choose the right configuration for your organization, depending on where you prefer to keep your backups. You can use a SafeNet Luna Backup HSM or an application partition on any other Luna HSM for backup/restore operations.

Backup and restore operations require that cloning be enabled on the HSM/partition.

- Partition to Partition
- Backup HSM Connected to the Appliance
- Backup HSM Connected to the Client Workstation
- Backup HSM Installed Using Remote Backup Service (RBS)

NOTE   The diagrams below depict the client workstation as the remote PED server, but you can also use a separate remote PED station. Because remote PED is supported on Windows clients only, a separate remote PED station is required if you use Linux/UNIX clients.

Partition to Partition

You can clone objects from any Luna 7 application partition to any other Luna 7 partition that shares its cloning domain. You must have the Crypto Officer credential for both partitions. Both partitions must use the same authentication method (either password or PED).

See Cloning Objects to Another Application Partition.

Backup HSM Connected to the Appliance

In this configuration, the SafeNet Luna Backup HSM is connected directly to one of the USB ports on the SafeNet Luna Network HSM appliance. It is useful in deployments where backups are kept in the same location as the HSM. Backup and restore operations are performed using LunaSH commands via a serial or SSH connection. The Crypto Officer must have admin-level access to LunaSH on the appliance to use this configuration.

Figure 1: Locally-connected Backup HSM using password authentication

Figure 2: Locally-connected Backup HSM using local PED authentication

NOTE   This configuration cannot be used to back up or restore a partition that uses an STC connection. STC partitions must be backed up at the client using LunaCM.

This configuration cannot be used with Remote PED.

See Backup/Restore Using an Appliance-Connected Backup HSM.

Backup HSM Connected to the Client Workstation

In this configuration, the SafeNet Luna Backup HSM is connected to a USB port on the client workstation. It is useful in deployments where the partition Crypto Officer keeps backups at the client. This allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

Figure 3: Client-connected backup HSM using password authentication

Figure 4: Client-connected backup HSM using remote PED authentication

See Backup/Restore Using a Client-Connected Backup HSM.

Backup HSM Installed Using Remote Backup Service (RBS)

In this configuration, the SafeNet Luna Backup HSM is connected to a remote client workstation that communicates with the client via the Remote Backup Service (RBS). It is useful in deployments where backups are stored in a separate location from the SafeNet Luna Network HSM, to mitigate the consequences of catastrophic loss (fire, flood, etc.).

Figure 5: Remote backup (RBS) using password authentication

Figure 6: Remote backup (RBS) using remote PED authentication at the client

Figure 7: Remote backup (RBS) using remote PED authentication at the RBS server

See Configuring a Remote Backup HSM Server.
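
The constraints stated in the sections above can be collected into a small pre-deployment check. This is an added example, not part of the Luna documentation or tooling; the Plan fields, the placement names and the location-to-placement mapping are assumptions made for illustration, and partition-to-partition cloning is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Plan:
    # Constructed planning inputs; all field names are assumptions for this example.
    cloning_enabled: bool        # cloning enabled on the HSM/partition
    stc_partition: bool          # partition uses an STC connection
    auth: str                    # "password", "local_ped" or "remote_ped"
    co_has_lunash_admin: bool    # Crypto Officer has admin-level LunaSH access
    client_os: str               # "windows" or "linux"
    backup_location: str         # "with_hsm", "at_client" or "separate_site"
    separate_ped_station: bool = False  # a separate remote PED station exists

# Where backups are kept -> the placement this page suggests for it.
PREFERRED = {"with_hsm": "appliance", "at_client": "client", "separate_site": "rbs"}

def evaluate(plan):
    """Map each Backup HSM placement to its blocking reasons ([] means usable)."""
    base = [] if plan.cloning_enabled else ["cloning is not enabled on the HSM/partition"]
    ped = []
    if (plan.auth == "remote_ped" and plan.client_os != "windows"
            and not plan.separate_ped_station):
        ped.append("remote PED is Windows-only: a separate remote PED station is needed")
    appliance = list(base)
    if plan.stc_partition:
        appliance.append("STC partitions must be backed up at the client using LunaCM")
    if plan.auth == "remote_ped":
        appliance.append("appliance-connected backup cannot be used with Remote PED")
    if not plan.co_has_lunash_admin:
        appliance.append("Crypto Officer lacks admin-level LunaSH access")
    return {"appliance": appliance, "client": base + ped, "rbs": base + ped}

def choose(plan):
    """Return (preferred placement, its blockers, other usable placements)."""
    results = evaluate(plan)
    want = PREFERRED[plan.backup_location]
    others = [name for name, why in results.items() if not why and name != want]
    return want, results[want], others

if __name__ == "__main__":
    # Constructed case: STC partition, Linux client, remote PED, backups kept with the HSM.
    plan = Plan(True, True, "remote_ped", True, "linux", "with_hsm")
    want, blockers, others = choose(plan)
    print(want, blockers, others)
    plan.separate_ped_station = True
    print(choose(plan))
```

An empty blocker list means the page states nothing that rules the placement out; it does not confirm that the deployment is otherwise ready.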