SafeNet Luna PCIe HSM or USB HSM (5.x or 6.x) to SafeNet Luna PCIe HSM (7.x)

This chapter describes how to migrate your key material from release 5.x or 6.x of the SafeNet Luna PCIe HSM or SafeNet USB HSM partition to release 7.x of the SafeNet Luna PCIe HSM partition. You can migrate your key material using one of the following three methods:

>Backup and Restore

>Cloning

>Cloning Using an HA Group

Backup and Restore

Cryptographic key material can be backed up and then restored to a release 7.x SafeNet Luna PCIe HSM partition using a SafeNet Luna Backup HSM.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To backup and restore cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

The 7.x client software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x HSM

>the source and destination partitions are both registered with the client (visible)

>the source partition's security policy allows cloning of private and secret keys

In the following example:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

>Slot 2: the Backup HSM partition

NOTE   Partition login name requirements have changed with the hardware versions. With release 7.x , you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To migrate cryptographic keys from a 5.x/6.x partition to a 7.x partition using a Backup HSM

Follow these steps to back up all cryptographic material on a 5.x/6.x partition to a Backup HSM, and restore to a new 7.x partition.

1.Run LunaCM, set the current slot to the 7.x partition, and initialize the partition and the Partition SO role.

slot set -slot 0

partition init -label <7.x_partition_label>

a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are backing up a PED-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.

role createchallenge -name co -challengeSecret <password>

3.Connect your backup HSM and make sure it is visible to the client, along with the 5.x/6.x and 7.x HSMs.

4.Set the current slot to the source 5.x/6.x slot.

slot list

slot set -slot 0

5.Log in as the Crypto Officer.

NOTE   Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type Crypto Officer in full (is case sensitive) and not co.

a.If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b.If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up) , use:

role login -name Crypto Officer

6.Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the “partition contents” command.

partition contents

7.Back up the 5.x/6.x partition contents to the Backup HSM.

partition archive backup -slot 2 -partition <backup_label>

a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

Optionally, verify that all objects were backed up successfully on the Backup HSM by checking the partition contents.

8.Set the current slot to the 7.x partition, log in as the Crypto Officer, and restore from backup.

slot set -slot 1

role login -name co

partition archive restore -slot 2 -partition <backup_label>

Afterwards, you can verify the partition contents on the 7.x partition:

partition contents

Cloning

The simplest method of migrating key material to a new 7.x partition is slot-to-slot cloning. This procedure copies all permitted cryptographic material from a 5.x/6.x PCIe or USB HSM partition to a 7.x PCIe HSM partition.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized . For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

The 7.x client software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

If the source partition contains asymmetric keys, its security policy must allow cloning of private and secret keys. Use lunacm:> partition showpolicies to ensure that your source partition's security template allows this. If the 5.x/6.x HSM's security template does not allow cloning of private/secret keys, the HSM Admin may be able to turn this feature on using lunacm:> partition changepolicy.

CAUTION!   Check your source partition policies and adjust them to be sure you can clone private and symmetric keys. Depending on the configuration of your partition and HSM, these policies may be destructive.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x Network HSM

>the destination 7.x partition must be registered with the client (visible)

>the source 5.x/6.x partition's security policy allows cloning of private and secret keys

In the following examples:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

NOTE   Partition login name requirements have changed with the hardware versions. With release 7.x, you can log in using the abbreviated PO (Partition Security Officer) or CO (Crypto Officer).

To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition

Follow these steps to clone all cryptographic material on a 5.x/6.x partition to a 7.x partition.

1.Run LunaCM, set the current slot to the 7.x partition, and initialize the Partition SO role.

slot list

slot set -slot 1

partition init -label <7.x_partition_label>

a.If you are cloning a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are cloning a PED-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.

role createchallenge -name co -challengesecret <password>

3.Set the current slot to the source 5.x/6.x slot, log in as the Crypto Officer.

slot set -slot 0

NOTE   Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the “partition login” or “role login” commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type “Crypto Officer” in full (is case sensitive) and not "co".

a.If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b.If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up) , use:

role login -name Crypto Officer

4.Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the “partition contents” command.

partition contents

5.Clone the objects to the 7.x partition slot (see partition clone for correct syntax).

partition clone -objects 0 -slot 1

Afterward, you can set the current slot to the 7.x partition and verify that all objects have cloned successfully.

slot set -slot 1

role login -name co -password <password>

partition contents

You should see the same number of objects that existed on the 5.x/6.x HSM. You can now decommission the old 5.x/6.x HSM.

Cloning Using an HA Group

High Availability (HA) groups duplicate key material between the HSMs in the group. This function can be used to copy all cryptographic key material from a 5.x/6.x PCIe or USB HSM partition to a new 7.x PCIe HSM partition.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized . For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

The 7.x client software should be installed, and the connection to both the source and destination HSM partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

NOTE   It is not recommended to maintain an HA group with different versions of the SafeNet Luna Network HSM hardware.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x Network HSM

>the source and destination partitions are both registered with the client (visible)

In the following examples:

>Slot 0 = the source 5.x/6.x partition

>Slot 1 = the destination 7.x partition

NOTE   Partition login name requirements have changed between hardware versions. With release 7.x, you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition using an HA group

Follow these steps to copy cryptographic material from an 5.x/6.x partition to a new 7.x partition by creating an HA group that includes both partitions.

1.Run LunaCM, set the current slot to the SA7 partition, and initialize the Partition SO role.

slot set -slot 1

partition init -label <7.x_partition_label>

a.If you are cloning a multi-factor-authenticated (PED-authenticated) 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are cloning a multi-factor-authenticated (PED-authenticated) 5.x/6.x partition, create a challenge secret for the Crypto Officer. This is required to set an HA activation policy.

role createchallenge -name co -challengesecret <password>

3.Set the current slot to the source 5.x/6.x slot, log in as the Crypto Officer.

slot set -slot 0

NOTE   Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type Crypto Officer in full (is case sensitive) and not co.

a.If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b.If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up) , use:

role login -name Crypto Officer

4.Optional: To verify the objects in the 5.x/6.x partition to be cloned, use:

partition contents

5.Using LunaCM, create an HA group of the 5.x/6.x slot and the 7.x slot.

NOTE   HA requires that all members have an activation policy set. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for details.

a.Via LunaSH, log in as Security Officer and set policy 22 on the 5.x/6.x partition:

partition changepolicy -partition <5.x_partition_label> -policy 22 -value 1

b. In LunaCM, log in to the 7.x partition as Partition Security Officer, and set the activation policy from the client machine:

slot set -slot 1

role login -name po

partition changepolicy -policy 22 -value 1

c.Create the HA group with the 5.x/6.x partition as the primary partition. Select the "copy" option to preserve objects.

hagroup creategroup -label <group_label> -slot 0 -password <password>

d.Add the 7.x partition slot to the HA group. Repeat this step to add multiple 7.x partitions to the group.

hagroup addmember -group <group_label> -slot 1 -password <password>

6.Synchronize the group to clone the objects to the 7.x member(s).

hagroup synchronize -group <group_label> -password <password>

7.Check synchronization status of the group.

hagroup listgroups

Notice the entry "Needs sync: no". This means that the objects have been successfully cloned among all members of the HA group. You can also log in to the 7.x slot as the Crypto Officer and check the partition contents.