Administration & Maintenance - Backup & Restore
Why is Backup optional?
In general, a Luna HSM or HSM Partition can be backed up
to a Luna Backup Token. The backup capability is desirable, and indeed
necessary, for keys that carry a high cost to replace,
such as Certificate Authority root keys and root certificates.
However, Backup tokens are optional equipment for Luna SA. There are at least three
reasons for this:
- Some customers don't care. They may be using (for example) SSL within a
  controlled boundary like a corporation, where it is not a problem to simply
  tell all employees to be prepared to trust a new certificate in the event
  that the previous one is lost or compromised. In fact, it might be company
  policy to periodically jettison old certificates and distribute fresh ones.
  Other customers might be using software that manages lost profiles,
  making it straightforward to resume work with a new key or cert. The certificate
  authority that issued the certificates would need backup, but the individual
  customers of that certificate authority would not.
  In summary, it might not be worthwhile to back up keys that are low-cost
  (from an implementation point of view) to replace. Keys that carry a high
  cost to replace should be backed up.
- SIM (Secure Identity Management or Multi-Million Keys) does not co-exist
  with the standard Luna cloning function. The SIM Master Secret Key on the
  HSM can be backed up, but HSM Partitions are not used in the SIM
  configuration, so there are no contents to back up.
- Some countries do not permit copying of private keys. If you are subject
  to such laws, and wish to store encrypted material for later retrieval
  (perhaps archives of highly sensitive files), then you would use symmetric
  keys, rather than a private/public keypair, for safe and legal backup.