SafeNet PCIe HSM (5.x or 6.x) to SafeNet Luna Network HSM (7.x)
This chapter describes how to migrate your key material from a release 5.x or 6.x SafeNet PCIe HSM partition to a release 7.x SafeNet Luna Network HSM partition. You can migrate your key material using one of the following methods:
Backup and Restore
Cryptographic key material can be backed up from a release 5.x or 6.SafeNet Luna PCIe HSM partition and then restored to a release 7.x SafeNet Luna Network HSM partition using a SafeNet Luna Backup HSM. The following procedure performs a backup of a 5.x/6.x partition on an older operating system to a SafeNet Luna Backup HSM. The Backup HSM is then moved to a newer operating system where the 5.x/6.x key material is restored to a 7.x partition.
Consult the 5.x/6.x/7.x CRN for a list of compatible operating systems.
To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the 5.x/6.x partition was initialized. For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).
HSM Client software must be installed on both operating systems (older and new) before attempting this procedure (see Luna HSM Client Software Installation for details). The destination partition must be assigned to the client machine
Preconditions
On the older operating system, the following instructions assume that:
>5.x/6.x HSM Client Software is installed with "SafeNet Luna Backup HSM" option selected.
>the source 5.x/6.x partition is visible
>the source partition's security policy allows cloning of private and secret keys
>the destination Backup HSM partition is visible
On the new operating system, the following instructions assume that:
>7.x HSM Client Software is installed with "SafeNet Luna Backup HSM" option selected.
>you have created an uninitialized partition on the 7.x Network HSM
>the destination 7.x partition is registered with the client software (visible)
>the source Backup HSM partition's security policy allows cloning of private and secret keys
Slots used in the following instructions:
On the older operating system running 5.x/6.x client software:
•Slot 0: the source 5.x/6.x partition
•Slot 2: the destination SafeNet Luna Backup HSM partition
On the new operating system running 7.x client software:
•Slot 1: the destination 7.x partition
•Slot 2: the source Backup HSM partition (with the backup of the 5.x/6.x partition)
NOTE Partition login name requirements have changed with the hardware versions. With release 7.x , you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).
To backup/restore cryptographic keys from a 5.x/6.x partition to a 7.x partition using a Backup HSM
Follow these steps to back up all cryptographic material on a 5.x/6.x partition to a SafeNet Luna Backup HSM, and restore to a new 7.x partition.
1.On the old operating system running 5.x/6.x client software, run LunaCM and set the current slot to the 5.x/6.x partition.
slot list
slot set -slot 0
2.Log in as the Crypto Officer.
NOTE Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the “partition login” or “role login” commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type “Crypto Officer” in full (is case sensitive) and not "co".
a.If you are backing up a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:
partition login
b.If you are backing up a release 6.x PPSO partition (Firmware 6.22.0 and up), use:
role login -name Crypto Officer
3.Optional: To verify the objects in the 5.x/6.x partition to be backed up, use:
partition contents
4.Back up the 5.x/6.x partition contents to the SafeNet Luna Backup HSM.
partition archive backup -slot 2 -partition <backup_label>
a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.
b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.
Optionally, verify that all objects were backed up successfully on the SafeNet Luna Backup HSM by issuing the partition contents command.
5.Move the SafeNet Luna Backup HSM (with the backup of the 5.x/6.x partition) to the new operating system running the 7.x client software, and make sure it is visible to the client along with the 7.x HSM.
6.On the new operating system running the 7.x client software, run LunaCM, set the current slot to the 7.x partition, and initialize the partition and the PPSO role.
slot set -slot 1
partition init -label <7.x_partition_label>
a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.
b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.
7.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.
role login -name po
role init -name co
If you are backing up a PED-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.
role createchallenge -name co -challengesecret <password>
8.Set the current slot to the 7.x partition, log in as the Crypto Officer, and restore from backup.
slot set -slot 1
role login -name co
partition archive restore -slot 2 -partition <backup_label>
Afterwards, you can verify the partition contents on the 7.x partition:
partition contents
Cloning
The simplest method of migrating key material to a new 7.x partition is slot-to-slot cloning. This procedure copies all permitted cryptographic material from a 5.x/6.x PCIe HSM partition to a 7.x Network HSM partition.
The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.
To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized . For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).
The 7.x client software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The destination partition must be assigned to the client machine issuing the cloning commands
If the source partition contains asymmetric keys, its security policy must allow cloning of private and secret keys. Use the command partition showpolicies in LunaCM to ensure that your source partition's security template allows this (see partition showpolicies). If the 5.x/6.x HSM's security template does not allow cloning of private/secret keys, the HSM Admin may be able to turn this feature on using partition changepolicy (see partition changepolicy).
If the source partition contains asymmetric keys, its security policy must allow cloning of private and secret keys. Use lunacm:> partition showpolicies to ensure that your source partition's security template allows this. If the 5.x/6.x HSM's security template does not allow cloning of private/secret keys, the HSM Admin may be able to turn this feature on using lunacm:> partition changepolicy.
CAUTION! Check your source partition policies and adjust them to be sure you can clone private and symmetric keys. Depending on the configuration of your partition and HSM, these policies may be destructive.
Preconditions
On the operating system running 5.x/6/x client software, verify:
>that the 5.x/6.x PCIe HSM partition's security policy allows cloning of private and secret keys
>all key material on the 5.x/6.x PCIe HSM partition to be cloned
Regarding the operating system running 7.x client software, the following instructions assume that:
>the 7.x client software has been installed with "SafeNet Luna PCIe HSM" option selected.
>an uninitialized partition has been created on the 7.x HSM
>the destination 7.x HSM partition must be registered with the client (visible)
>the SafeNet Luna PCIe HSM card (with 5.x/6.x key material) has been installed
Slots used in the following instructions:
>Slot 0: the source 5.x/6.x SafeNet Luna PCIe HSM partition
>Slot 1: the destination 7.x partition
NOTE Partition login name requirements have changed with the hardware versions. With release 7.x, you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).
To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition
Follow these steps to clone all cryptographic material on a 5.x/6.x partition to a 7.x partition.
1.Run LunaCM, set the current slot to the 7.x partition, and initialize the Partition SO role.
slot list
slot set -slot 1
partition init -label <7.x_partition_label>
a.If you are cloning a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.
b.If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.
2.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.
role login -name po
role init -name co
If you are cloning a PED-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.
role createchallenge -name co -challengesecret <password>
3.Set the current slot to the source 5.x/6.x slot, log in as the Crypto Officer.
slot set -slot 0
NOTE Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the “partition login” or “role login” commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type “Crypto Officer” in full (is case sensitive) and not "co".
a.If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:
partition login
b.If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up) , use:
role login -name Crypto Officer
4.Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the “partition contents” command.
partition contents
5.Clone the objects to the 7.x partition slot (see partition clone for correct syntax).
partition clone -objects 0 -slot 1
Afterward, you can set the current slot to the 7.x partition and verify that all objects have cloned successfully.
slot set -slot 1
role login -name co -password <password>
partition contents
You should see the same number of objects that existed on the 5.x/6.x HSM. You can now decommission the old 5.x/6.x HSM.