Show the Table of Contents

Administration & Maintenance - Backup & Restore

Restore your HSM Partition - locally

The source options, in restoring to a partition are:

• to restore from a backup partition on a Luna Remote Backup HSM (modern backup and restore)
• to restore from a legacy backup token in a Luna DOCK slot (legacy restore, one way only, using legacy domain "partition setLegacyDomain Command" and "Legacy Domains and Migration" ). This is effectively a migration operation.

The physical arrangements of hardware for restoring a partition locally are:

• If restoring to a Luna PCI-E HSM partition, the source Luna Backup HSM (or a Luna DOCK reader with a legacy Token) containing the objects to be restored to that partition is connected by USB to the host computer
• If restoring to a Luna SA partition, the source Luna Backup HSM (or a Luna DOCK reader with a legacy Token) containing the objects to be restored to that Partition is connected by USB directly to the Luna SA appliance.
  
  OR
  
  
• If restoring to a Luna SA partition, the source Luna Backup HSM (or a Luna DOCK reader with a legacy Token) containing the objects to be restored to that Partition is connected by USB to the workstation, and that workstation is registered as a client (an NTLS link is created by certificate exchange, etc.) of a distant Luna SA partition, and that partition then appears as a "local" slot in lunacm on the workstation, while the Backup HSM or Token appears as another local slot.

To restore one HSM Partition, you must have:

• the Luna Backup HSM (or a legacyToken) containing the objects to be restored to that Partition
• the authentication for the Backup HSM and for the HSM Partition.

The Backup HSM or Token and the HSM with the target Partition must share the same cloning domain.
 

If you have (say) Private Key Cloning switched off for the current Partition, then the Backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup token. Similarly, if you restore from a token that includes private keys, but the target Partition has Private Key Cloning disallowed, then all other objects are recovered to the Partition, but the private keys are skipped during the operation.

Restore from Backup HSM or legacy Token to a directly-connected Luna SA

1. To restore from Luna Remote Backup HSM, connect the Backup HSM by USB to the Luna SA.
   To restore from a legacy Token, connect the Luna DOCK reader to the Luna SA and insert a Luna Backup token into the token-reader slot.
2. In an SSH lunash:> session, choose an HSM Partition, and type:
   partition restore -partition HSMPartitionname -password ClientPassword -replace
   

The partition restore command on Luna SA assumes a locally-connected backup device. Lunash:> partition commands cannot be used to restore to a backup device connected to another computer - see next example.

Note that in the command above, you could have used -add instead of -replace.

Example – partition restore Command

lunash:> partition restore -partition myRoom -password 9YWt6L56FXqGC6sL -replace

In that example, either the Password came from the Luna PED of a Luna SA with Trusted Path Authentication, or it was a Password Authenticated Partition Password created by someone very enthusiastic about passwords.

On restore, you may add to existing HSM Partition contents or replace them. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM Partition and one on the backup token. The two would be assigned different handles, however.

Restore from Backup HSM or legacy Token to a distant Luna SA, seen as local

LunaClient must be loaded on the workstation that you use for this restore operation, including the Luna SA option so that the vtl utility is available. As well, you should install the Remote PED option, and have a Luna PED (Remote) connected to the workstation, to authenticate to the distant Luna SA partition.

1. To restore from Luna Remote Backup HSM, connect the Backup HSM by USB to your workstation.
   To restore from a legacy Token, connect the Luna DOCK reader to your workstation and insert a Luna Backup token into the token-reader slot.
2. At the workstation, run vtl createcert, to create a client certificate. The Luna SA should already have a server certificate.
3. Exchange certificates (as in config "Configuration - Set up Luna SA and Clients"ure), and register the client with the partition, to establish an NTLS connection. A target partition for the restore operation must exist on the HSM; it is not created by the restore operation.
4. On the workstation, open a lunacm:> session, choose an HSM Partition, and type:
   partition backup restore -slot <backup-hsm-slotnumber> -partition LunaSAPartitionname -password ClientPassword -replace
   

The partition backup restore command in this instance sees a locally-connected backup device as one slot, and sees the distant Luna SA HSM's partition as another "local" slot, because of the NTLS link between the client workstation and the partition.

Note that in the command above, you could have used -add instead of -replace.

On restore, you may add to existing HSM Partition contents or replace them. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM Partition and one on the backup token. The two would be assigned different handles, however.

For each additional restore to a partition on that distant Luna SA, you have already exchanged the certificates, but you must register each partition and your client workstation with each other, before each partition can appear as a slot in lunacm.

See Also

Show the Table of Contents