partition backup

Backup the HSM partition contents to a backup HSM. This command copies the contents of a HSM Partition to a special SafeNet backup token. The backup token is initialized during this process. The user is prompted to verify if this destructive command should continue (in case the token has any data on it).

The backup token is initialized to the same access control level as the HSM Partition being backed up.

This command requires the HSM's domain (string or PED Key) and the HSM Partition's Owner password (or PED Key and Partition password). If you chose MofN (values for N and for M greater than 1) at partition creation time, then quantity M of the black key are needed.

Because this is a destructive command (it initializes the backup token) , the user is given the option to proceed/quit before continuing. The SafeNet appliance admin may wish to use the token show command to see the label of a token before issuing this destructive command.

Password-authenticated HSMs

If the passwords and domain aren't provided via the command line, the user is interactively prompted for them. User input is echoed as asterisks. The user is asked to confirm new token Admin and user passwords (if needed).

PED-authenticated HSMs

SafeNet Luna Network HSM with Trusted Path Authentication backup tokens do not use text Partition Passwords in addition to PED Keys – they require only the PED Keys. Also, the passwords and blue/black PED Keys used for the backup token need not be the same as those used with the HSM.

User Privileges

Users with the following privileges can perform this command:

>Admin

>Operator

Syntax

partition backup -partition <name> -tokenpar <name> -serial <serialnum> [-password <password>] [-tokensopwd <password>] [-domain <domain>] [-defaultdomain] [-tokenpw <password>] [-add] [-replace] [-force]

Argument(s) Shortcut Description
-partition <partition_name> -par The name of the HSM partition from which all data/key objects are backed up. Obtain the HSM partition name by using the partition list command.
-tokenpar <backup_partition_name> -tokenpa

This is the name of the partition on the backup HSM, to which the backup objects are to be cloned. If a partition exists on the backup HSM with the name that you provide, here, that partition is selected. If no partition exists with the supplied label, then one is created.

Note: Do not begin your partition label with a numeral. This can later be misinterpreted by some commands as a slot number, rather than a text label, resulting in failure of the command.

-serial <serial_number> -s Specifies the backup token serial number.
-password <partition password> -pas

The application partition Crypto Officer's text password to be used for login. If you do not supply this value on the command line, you are prompted for it.

This parameter is mandatory for password-authenticated HSMs and PED-authenticated HSMs that have created a challenge for the Crypto Officer role. It is ignored for PED-authenticated HSMs that have not created a challenge for the Crypto Officer role.

-tokensopwd<backup_HSM_SO_pwd> -tokens Token Admin (or Security Officer) password. This is the password to be used as login credential for the
Backup HSM's security officer. The token SO password need not be the same password or PED Key as used for the source HSM Admin.
-domain <domain> -do

Specifies the text domain string that was used when creating the partition. This parameter is optional on password-authenticated HSMs. It is ignored on PED-authenticated HSMs. See the notes, below, for more information.

Note 1: For SafeNet Luna HSMs with Trusted Path Authentication, the red PED Key used for initializing the partition on the source HSM must be used for the backup HSM, as well. Ensure that a new domain is not created on the PED Key by answering NO to the Luna PED question “Do you wish to create a new domain?”.

Note 2: When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.

If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED Key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.

This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.

Note 3: If you do not specify a domain in the command line when creating a partition (partition create command), then you are prompted for it.

The character string that you type at the prompt becomes the domain for the partition.

When you run the partition backup command, you are again prompted for a domain for the target partition on the backup HSM. You can specify a string at the command line, or omit the parameter at the command line and specify a string when prompted. The domain that you apply to a backup HSM must match the domain on your source HSM partition.

-defaultdomain -de Use the default domain string. Deprecated. This is retained only for benefit of customers who have previously used the default domain, and are constrained to continue using it, until they create new objects on an HSM with a proper domain. For security reasons, avoid using this option.
-tokenpw <backup_partition_password> -tokenpw

The token user password . This is the equivalent of Crypto Officer password for the backup partition on the Backup HSM.

This parameter is mandatory for password-authenticated HSMs. It is ignored for PED-authenticated HSMs.

-add -a

Add objects to the named backup HSM partition. Incremental backup (append). If any of the source objects already exist on the target partition, they are not duplicated, and they are not overwritten. The system flags an error and continues to the next object.

This parameter is mandatory for pre-existing target partitions, if -replace is not specified.

Note: This parameter is not needed if the target partition did not already exist and is being created by the partition backup command. If the target partition exists, then there is no default - you must specify whether to add/append to whatever exists on the partition, or overwrite it.

-replace -r

Clone objects to the target partition, overwriting whatever might already exist there. This parameter is mandatory for pre-existing target partitions, if -add is not specified.

Note: This parameter is not needed if the target partition did not already exist and is being created by the partition backup command. If the target partition exists, then there is no default - you must specify whether to add/append to whatever exists on the partition, or overwrite it.

-force -f Force the action without prompting.

Example

lunash:>partition backup -partition sa78par1 -tokenpar sa78par1backup -serial 496771

  Please enter the password for the HSM user partition:
  > ********

  Please enter a password for the user on the backup token:
  > ********

  Please enter the cloning domain set when the HSM user partition was created:
  > ********

Object "MT RSA 4096-bit Private KeyGen" (handle 70) cloned to handle 14 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 69) cloned to handle 18 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 53) cloned to handle 19 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 54) cloned to handle 23 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 52) cloned to handle 24 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 47) cloned to handle 28 on target
'partition backup' successful.

Command Result : 0 (Success)