Administration & Maintenance - Managing PED Keys
For two Luna HSMs, the following procedure assumes that you wish to have a set of PED Keys that will work with either HSM. One HSM is already initialized, so you have a full set of PED Keys, imprinted with the authentication data and the domain for that HSM. You want the second HSM to share the same domain (for backup, and the ability to restore to either HSM from a Backup token), and both the old and the new PED Keys should work interchangeably with both HSMs.
For this example procedure, HSMs are designated:
The procedure to make a backup of the black PED Key (for HSM Partitions) would be similar to the procedure for the blue PED Key.
You might receive a message that the key is blank, or one saying that it contains valid data (for whatever type of key it was previously) and asking whether you wish to overwrite it. If the PED has indicated that the target PED Key is occupied and you are not certain that any authentication it contains is obsolete, then you should not allow it to be overwritten. Either remove the current, problematic key, insert another "blank" target key, and press [ENTER], or abort the operation. To abort, remove the PED Key and wait for PED time-out. Do NOT press [ENTER] at the “overwritten” message, if that is not your intent. Retry when you have sorted out your PED Keys and are confident that your target key is blank or contains truly obsolete authentication that can legitimately be overwritten.
If you wish to have a separate set of keys for each HSM, then instead of following the procedure as written, you should use the Blue K2 and Black K2 for HSM2 and answer 'NO' to the question “Would you like to reuse an existing keyset?” This will imprint/overwrite the new blue or black keys, making them specific to HSM2. For the Red key, you should still insert Red K1 and answer 'YES' to the “Would you like to reuse an existing keyset?” question (the token/HSMs must share a common domain, or backup/restore cannot take place).