Backup/Restore Using a Client-Connected Backup HSM

You can connect the SafeNet Luna Backup HSM to a USB port on the client workstation. This configuration allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. It is useful in deployments where the partition Crypto Officer wants to keep backups at the client. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

This section provides instructions for the following procedures using this kind of deployment:

>Initializing the Backup HSM

>Backing Up an Application Partition

>Restoring an Application Partition from Backup

Initializing the Backup HSM

Before you can use the SafeNet Luna Backup HSM to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.

Prerequisites

>Install the Backup HSM at the client and connect it to power (see Installing the Backup HSM).

>Ensure that the Backup HSM is not in Secure Transport Mode and that any tamper events are cleared (see Backup HSM Secure Transport and Tamper Recovery).

>[PED Authentication] Ensure that you have enough blank or rewritable blue and red PED keys available for your desired authentication scheme (see Creating PED Keys).

•[Local PED] Connect the PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode (see Modes of Operation).

•[Remote PED] Initialize the Backup HSM RPV (see Initializing the Backup HSM Remote PED Vector). You require the orange PED key.

•[Remote PED] Set up a Remote PED server to authenticate the Backup HSM (see Remote PED Setup).

To initialize a client-connected Backup HSM

1.Launch LunaCM on the client workstation.

2.Set the active slot to the SafeNet Luna Backup HSM.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Backup HSM to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Initialize the Backup HSM, specifying a label and the method of authentication (-initwithped or -initwithpwd). You must initialize the HSM with the same authentication method as the partition(s) you plan to back up.

lunacm:> hsm init -label <label> {-initwithped | -initwithpwd}

You are prompted to set an HSM SO credential and cloning domain for the Backup HSM.

Backing Up an Application Partition

You can use LunaCM to back up the contents of an application partition to the client-connected SafeNet Luna Backup HSM. You can use this operation to create a backup on the Backup HSM, or add objects from the source partition to an existing backup.

Prerequisites

>The Backup HSM must be initialized (see Initializing the Backup HSM).

>Partition policy 0: Allow private key cloning must be set to 1 (ON) on the source partition.

>You must have the Crypto Officer credential (black PED key) and domain (red PED key) for the source partition.

>You must have the Backup HSM SO credential (blue PED key).

>[PED Authentication] This procedure is simpler if the source partition is activated (see Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions), since you require a Luna PED only for the Backup HSM.

•[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable. The source partition must be activated. If not, you must use Remote PED.

•[Remote PED] You must have the orange PED key for the Backup HSM (see Initializing the Backup HSM Remote PED Vector). If the source partition is not activated, you may need the orange PED key for the SafeNet Luna Network HSM as well.

•[Remote PED] Set up Remote PED on the workstation you plan to use for PED authentication (see Remote PED Setup). If the partition is not activated, you must connect to PEDserver with ped connect before logging in, and disconnect with ped disconnect before initiating the backup.

To back up an application partition to a client-connected Backup HSM

1.Launch LunaCM on the client workstation.

2.Set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3.[PED Authentication] Connect the Backup HSM to the Luna PED.

•[Local PED] Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation).

•[Remote PED] Connect the Backup HSM slot to PEDserver.

lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>

4.Back up the partition, specifying the Backup HSM slot and a label for the backup (either a new or existing label). If you specify an existing backup label, include the -append option to add only new objects to the backup (duplicate objects will not be cloned). By default, the existing backup will be overwritten with the current contents of the source partition.

lunacm:> partition archive backup -slot <Backup_HSM_slotnum> -partition <backup_label> [-append]

You are prompted to present or set the following credentials:

•[Remote PED] Backup HSM Remote PED vector (orange PED key)

•Backup HSM SO (password or blue PED key)

•Crypto Officer (password or black PED key) for the backup (can be the same as the source partition)

•Cloning domain (string or red PED key) for the backup (must be the same as the source partition)

The partition contents are cloned to the backup.

5.[Remote PED] Disconnect the Backup HSM from PEDserver.

lunacm:> ped disconnect

Restoring an Application Partition from Backup

You can use LunaCM to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.

Prerequisites

>The target partition must be initialized with the same cloning domain as the backup partition.

>Partition policy 0: Allow private key cloning must be set to 1 (ON) on the target partition.

>You must have the Crypto Officer credentials for the backup partition and the target partition.

>[PED Authentication] This procedure is simpler if the application partition is activated (see Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions), since you require a Luna PED only for the Backup HSM.

•[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable. The source partition must be activated. If not, you must use Remote PED.

To restore the contents of a backup to an application partition

1.Launch LunaCM on the client workstation.

2.Set the active slot to the target partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3.[PED Authentication] Connect the Backup HSM to the Luna PED.

•[Local PED] Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation).

•[Remote PED] Connect the Backup HSM slot to PEDserver.

lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>

4.[Optional] Display the available backups by specifying the Backup HSM slot. Each available backup also appears as a slot in LunaCM.

lunacm:> partition archive list -slot <Backup_HSM_slotnum>

5.[Optional] Display the contents of a backup by specifying the Backup HSM slot and the backup partition label in LunaCM.

lunacm:> partition archive contents -slot <backup_slotnum> -partition <backup_label>

6.Restore the partition contents, specifying the Backup HSM slot and the backup you wish to use. By default, duplicate backup objects with the same OUID as objects currently existing on the partition are not restored. If you have changed attributes of specific objects since your last backup and you wish to revert these changes, include the -replace option.

lunacm:> partition archive restore -slot <Backup_HSM_slotnum> -partition <backup_label> [-replace]

You are prompted for the backup's Crypto Officer credential.

The backup contents are cloned to the application partition.