Backup and Restore Using a G5-Based Backup HSM
SafeNet Luna PCIe HSM allows secure creation, storage, and use of cryptographic data (keys and other objects). It is critically important, however, to safeguard your important cryptographic objects against unforeseen damage or data loss. No device can offer total assurance against equipment failure, physical damage, or human error. Therefore, a comprehensive strategy for making regular backups is essential. There are multiple ways to perform these operations, depending on your implementation.
This section contains the following information:
>Backup and Restore Best Practices
>Planning Your Backup HSM Deployment
>About the SafeNet Luna G5 Backup HSM
•Installing or Replacing the Backup HSM Battery
•Backup HSM Secure Transport and Tamper Recovery
•Resetting the Backup HSM to Factory Conditions
>Backup/Restore Using a Host-Connected G5 Backup HSM
>Configuring a G5 Remote Backup HSM Server
Backup and Restore Best Practices
To ensure that your data is protected in the event of a failure or other catastrophic event, Thales recommends that you use the following best practices as part of a comprehensive backup strategy:
CAUTION! Failure to develop and exercise a comprehensive backup and recovery plan may prevent you from being able to recover from a catastrophic event. Although Thales provides a robust set of backup hardware and utilities, we cannot guarantee the integrity of your backed-up key material, especially if stored for long periods. Thales strongly recommends that you exercise your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material.
Develop and document a backup and recovery plan
This plan should include the following:
>What is being backed up
>The backup frequency
>Where the backups are stored
>Who is able to perform backup and restore operations
>Frequency of exercising the recovery test plan
Make multiple backups
To ensure that your backups are always available, build redundancy into your backup procedures.
Use off-site storage
In the event of a local catastrophe, such as a flood or fire, you might lose both your working HSMs and locally-stored backup HSMs. To fully protect against such events, always store a copy of your backups at a remote location.
Regularly exercise your disaster recovery plan
Execute your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material. This involves retrieving your stored Backup HSMs and restoring their contents to a test partition, to ensure that the data is intact and that your recovery plan works as documented.