Backup/Restore Using an Appliance-Connected Backup HSM
You can connect the SafeNet Luna Backup HSM directly to one of the USB ports on the SafeNet Luna Network HSM appliance. This configuration allows you to perform backup/restore operations using LunaSH, via a serial or SSH connection to the appliance. It is useful in deployments where backups are kept in the same location as the HSM. The Crypto Officer must have admin-level access to LunaSH on the appliance. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.
NOTE This deployment cannot be used to back up or restore a partition that uses an STC connection. STC partitions must be backed up at the client using LunaCM (see Backup/Restore Using a Client-Connected Backup HSM).
This configuration cannot be used with Remote PED.
This section provides instructions for the following procedures using this kind of deployment:
>Backing Up an Application Partition
>Restoring an Application Partition from Backup
Initializing the Backup HSM
Before you can use the SafeNet Luna Backup HSM to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.
Prerequisites
>Install the Backup HSM and connect it to power (see Installing the Backup HSM).
>Ensure that the Backup HSM is not in Secure Transport Mode and that any tamper events are cleared (see Backup HSM Secure Transport and Tamper Recovery).
>[PED Authentication] Ensure that you have enough blank or rewritable blue and red PED keys available for your desired authentication scheme (see Creating PED Keys).
>[Local PED] Connect the PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode (see Modes of Operation).
To initialize a locally-connected Backup HSM using LunaSH on the SafeNet Luna Network HSM
1.Log in to LunaSH as admin, or an admin-level custom user.
2.[Optional] View the SafeNet Luna Backup HSMs currently connected to the appliance and find the correct serial number.
lunash:> token backup list
3.Initialize the Backup HSM by specifying its serial number and a label.
lunash:> token backup init -serial <serialnum> -label <label>
You are prompted to set the HSM SO credential and cloning domain for the Backup HSM.
Backing Up an Application Partition
You can use LunaSH to back up the contents of an application partition to the locally-connected SafeNet Luna Backup HSM. You can use this operation to create a backup on the Backup HSM, or add objects from the source partition to an existing backup.
Prerequisites
>The Backup HSM must be initialized (see Initializing the Backup HSM).
>You must have admin or admin-level access to LunaSH on the SafeNet Luna Network HSM.
>Partition policy 0: Allow private key cloning must be set to 1 (ON) on the source partition.
>You must have the Crypto Officer credential
>[Local PED] Connect the PED to the SafeNet Luna Network HSM using a Mini-B to USB-A cable (see Local PED Setup), and to the Backup HSM using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-USB mode (see Modes of Operation).
To back up an application partition to a locally-connected Backup HSM using LunaSH
1.Log in to LunaSH as admin, or an admin-level custom user.
2.[Optional] View the SafeNet Luna Backup HSMs currently connected to the appliance and find the correct serial number.
lunash:> token backup list
3.Back up the partition, specifying the source partition label, a label for the backup (either a new or existing label), and the Backup HSM serial number. If you specify an existing backup, include the -add option to add new objects to the backup (duplicate objects will not be cloned). By default, the existing backup will be overwritten with the current contents of the source partition.
lunash:> partition backup -partition <source_label> -tokenpar <target_label> -serial <Backup_HSM_serialnum> [-add]
You are prompted for the source partition's Crypto Officer credential
4.[Local PED] LunaSH prompts you to connect the Luna PED to the Backup HSM. Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation). Enter proceed in LunaSH.
You are prompted to set the following credentials:
•Crypto Officer (password or black PED key) for the backup (can be the same as the source partition)
•Cloning domain (string or red PED key) for the backup (must be the same as the source partition)
The partition contents are cloned to the backup.
Restoring an Application Partition from Backup
You can use LunaSH to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.
Prerequisites
>The target partition must be initialized with the same cloning domain as the backup.
>You must have admin or admin-level access to LunaSH on the SafeNet Luna Network HSM.
>Partition policy 0: Allow private key cloning must be set to 1 (ON) on the target partition.
>You must have the Crypto Officer credentials
>[Local PED] Connect the PED to the SafeNet Luna Network HSM using a Mini-B to USB-A cable (see Local PED Setup), and to the Backup HSM using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-USB mode (see Modes of Operation).
To restore the contents of a backup to an application partition
1.Log in to LunaSH as admin, or an admin-level custom user.
2.[Optional] View the SafeNet Luna Backup HSMs currently connected to the appliance and find the correct serial number.
lunash:> token backup list
3.[Optional] View the backups currently available on the Backup HSM.
lunash:> token backup partition list -serial <Backup_HSM_serialnum>
4.Restore the partition contents, specifying the target partition label, the backup label, the Backup HSM serial number, and either:
•-add to keep the existing partition contents and add new objects only
•-replace to erase the partition contents and replace them with the backup
lunash:> partition restore -partition <target_label> -tokenpar <backup_label> -serial <Backup_HSM_serialnum> {-add | -replace}
You are prompted for the target partition's Crypto Officer credential
5.[Local PED] LunaSH prompts you to connect the Luna PED to the Backup HSM. Change the mode on the Luna PED to Local PED-SCP (see Modes of Operation). Enter proceed in LunaSH.
You are prompted for the backup's Crypto Officer credential
The backup contents are cloned to the application partition.