Administration & Maintenance - Backup & Restore
HSM Partition backup securely clones Partition objects from a named HSM Partition, to a Luna Remote Backup HSM (that device is used whether you back up remotely or locally). This allows you to safely and securely preserve important keys, certificates, etc., away from the Luna appliance. It also allows you to restore the backup device's contents onto more than one HSM Partition, if you wish to have multiple Partitions with identical contents.
HSM Partition backup command with the "add" option is a non-destructive process, where the contents of your HSM partition are copied to a matching partition on Luna Remote Backup HSM, adding new/changed objects to any that already exist on (that partition of) the backup device.
HSM Partition backup with the "replace" option is a destructive process (destructive to any material that might already exist on the target Backup partition - it does not affect objects on the Partition that is being backed-up).
Backup for Luna SA 5 uses Luna Remote Backup HSM to backup and restore individual partitions.
The Backup device is a separately powered unit that can connect to the HSM in one of two ways:
Luna SA sees the Luna Remote Backup HSM as an additional crypto slot or slots.
The backup operation looks a lot like the restore operation, because they are basically the same event, merely in different directions.
For local backup, connect Luna Remote Backup HSM to a power source, and via USB cable to the Luna SA USB port.
For remote backup, connect Luna Remote Backup HSM to a power source, and via USB cable to a USB port on your computer.
In both cases, the cable attaches to the port on the back panel of Luna Remote Backup HSM, which requires a mini-USB at that end of the cable (similar cable as used to connect computers to cameras, cellphones, etc.)
For PED-authenticated HSMs - At the front panel, connect the Luna PED, using the supplied cable between the micro-D subminiature (MDSM) connector on top of the PED, and the matching MDSM connector on the front panel of Luna Remote Backup HSM (the connector labeled "PED").
External HSMs (Token-style and G5 style)
You can connect a Luna DOCK2 card reader for use with Luna Backup tokens or Luna CA4 tokens (legacy G4 (generation 4) PCMCIA removable token-format HSMs).
The first was used to backup legacy Luna SA 4.x HSMs and can be connected to Luna SA 5 to restore the legacy key material as part of a one-way migration.
The second is used for the PKI bundle function, where the token-style HSM in the externally connected reader becomes available as a crypto slot of the Luna SA appliance. The PKI function also supports the more modern Luna G5 HSM as the externally connected PKI slot(s).
The following caveats apply:
1) The "token backup" commands can see and manage only the backup device, and NOT PKI devices.
2) The "token pki" commands can see and manage only the PKI devices, and NOT backup devices.
3) The PKI device must use PED authentication only, to be deployed.
4) Luna SA 5.x supports three (3) USB connections at one time, and thus three (3) backup/PKI devices. For example, you could attach one backup token and two PKI tokens, or three PKI tokens.
5) The "token pki update" commands update the capability and firmware for PKI devices.
6) The process to move keys off G4 token HSMs (Luna CA4) is to migrate the keys to a K6 HSM (either the K6 inside Luna SA, or the standalone K6 (Luna PCI-E 5.x)) and then to Luna G5. Cloning between G4 and G5 devices is not supported.
Issue the command "partition backup...".
Identify the partition to be backed up (source), and the partition that will be created (or added to) on the Backup HSM - the Token Partition Name.
Specify whether to add only unique objects (objects that have not previously been saved onto the target partition), or to completely replace the target partition (overwrite it).
If you are using Luna Shell (lunash:>) on Luna SA, the command is:
lunash:>partition backup -partition <name> -tokenPar <name> [-password <password>] [-tokenPw <password>] [-domain <domain>] [-add] [-replace] [-force]
If you are using lunacm:> on a workstation, the command is:
lunacm:> partition backup backup -slot <slot> -pas <password> -par <backup partition>
The lunacm:> version assumes that the target partition already exists with the appropriate domain, while the lunash:> version expects you to provide the domain, or prompts for it if it is not provided.
If the target partition exists on the Backup HSM, then it must already share its partition domain with the source partition.
If the target partition is being created, then it takes the domain of the source partition.
Multiple partitions, with different domains, can exist on a single Luna Remote Backup HSM.
As with backup operations, restore operations can take place only where the source and target partitions have the same domain.
No cross-domain copying (backup or restore) is possible - there is no way to "mix and match" objects from different domains.
If a matching target partition exists and the source partition is being incrementally backed up - choosing the "add" option in the command - then the target partition is not erased. Only source objects with unique IDs are copied to the target (backup) partition, adding them to the objects already there.
If a matching target partition exists and the source partition is being fully backed up - choosing the "replace" option in the command - then the existing partition is erased and a new one created.
Luna Remote Backup HSM creates a partition with matching authentication type to the Luna SA partition that is being backed up.
That does not work in the opposite direction, however. Luna Remote Backup Device can restore a partition (or contents of a partition) only to a Luna SA of matching authentication type.
You cannot mix partition authentication types on one backup device. That is, if you have a PED-authenticated HSM and a Password-authenticated HSM, you require in order to have a backup of each HSM's partitions. There is no possibility of backing up data from a higher-security device (Trusted Path, PED-authenticated, FIPS-3) onto a lower-security device (Password protected, FIPS-2).
However, for HSMs of the same authentication type, you could backup (or restore) partitions from different HSMs onto a single Luna Remote Backup HSM, as long as there is sufficient room. Given that the type matches, the authentication (domain) is handled at the partition level.
Backup can co-exist with PKI Bundle operation. That is, multiple devices can be connected simultaneously to the Luna appliance (three USB connectors). Thus, you could connect a Luna Remote Backup HSM, a Luna DOCK 2 (with Luna CA4 tokens in its reader slots), and a Luna G5 HSM to the three available USB connectors on the Luna SA.
Remote backup and restore follow the rules for local backup and restore, with some additional considerations.
When used in Remote mode, Luna Remote Backup HSM is connected via USB to a workstation computer. That computer must be running the service to set up a secure link between the Backup HSM and the HSM associated with the remotely located Luna appliance.
As of Luna HSM 5.2 release, it is convenient to use a single Luna PED [Remote] for PED interaction with both local and remote HSMs.
. . . are on this page "Backup your HSM Partition Locally".
. . . and "Restore your HSM Partition - locally "
. . . and "Backup your HSM Partition Remotely".
. . . and "Restore Your HSM Partition Remotely"
[QUESTION] Is Luna Remote Backup HSM capable of backing up multiple Luna SA devices or is it a one-to-one relationship? For example, if we had two Luna SA devices each with two partitions, could we backup all four partitions to a single Backup HSM? If yes, do they need to be under the same domain?
[ANSWER] One Luna Remote Backup HSM can back up multiple Luna SAs. The domains on those Luna SAs do not need to match each other (although they can, if desired), since domains can be partition-specific. The only domains that must match are those on any given Luna SA partition and its backup partition on the Luna Remote Backup HSM. With that said, the limit on quantity of backup of partitions from multiple appliances is the remaining space available on the Backup HSM.
[QUESTION] Can a Luna Remote Backup HSM keep multiple backups of a single partition? For example, could we perform a backup of a partition one month and then back it up again next month without overwriting the previous month?
[ANSWER] Yes, you can do this as long as each successive backup partition (target) is given a unique name.
Backup HSM-Battery Installation
Luna Backup or Luna G5 HSM Battery Questions
Restore your HSM non-Partition objects from Backup
Backup your HSM Partition Locally
Prepare RBS to Support Remote Backup / Restore
Backup your HSM Partition Remotely with RBS
Restore Your HSM Partition Remotely
What is this Error about "token not in factory reset state"?