
Administration & Maintenance - Managing PED Keys

Initialize an HSM with Existing Domain & Shared PED Keys

For two Luna HSMs, the following procedure assumes that you wish to have a set of PED Keys that will work with either HSM. One HSM is already initialized, so you have a full set of PED Keys, imprinted with the authentication data and the domain for that HSM. You want the second HSM to share the same domain (for backup, and the ability to restore to either HSM from a Backup token), and both the old and the new PED Keys should work interchangeably with both HSMs.

For this example procedure, HSMs are designated:

  1. Ensure that you can log in to HSM 1 as a Security Officer using Blue K1 (if not, then do not continue with the procedure).
  2. Log out.
  3. Begin initialization of HSM 2.
  4. Insert Blue K1 at the PED prompt, and when asked if you would "like to reuse an existing keyset", answer [YES] on the PED keypad.
  5. Duplicate Blue K1 to Blue K2 when prompted. (That is, when asked “Are you duplicating this keyset”, answer [YES], then insert the target Blue K2).
  6. When “Generating a domain” appears, insert Red K1 at the prompt. When asked “Would you like to reuse an existing keyset”, answer [YES].
  7. Duplicate Red K1 to Red K2.

The procedure to make a backup of the black PED Key (for HSM Partitions) would be similar to the procedure for the blue PED Key.

You might receive a message that the key is blank, or that it contains valid data (for whatever type of key it was previously) and asking if you wish to overwrite. If the PED has indicated that the target PED Key is occupied and you are not certain that any authentication it contains is obsolete, then you should not allow it to be overwritten. Either remove the current, problematic key, insert another "blank" target key, and press [ENTER], or abort the operation. To abort, remove the PED Key and wait for PED time-out. Do NOT press [ENTER] at the “overwritten” message, if that is not your intent. Retry when you have sorted out your PED Keys and are confident that your target key is blank or contains truly obsolete authentication that can legitimately be overwritten.

If you wish to have a separate set of keys for each HSM, then instead of following the procedure as written you should use Blue K2 and Black K2 for HSM 2 and answer [NO] to the question “Would you like to reuse an existing keyset?” This imprints (overwrites) the new blue or black keys, making them specific to HSM 2. For the red key you should still insert Red K1 and answer [YES] to the “Would you like to reuse an existing keyset?” question, because the Backup token and the HSMs must share a common domain or backup/restore cannot take place.
