About Luna Backup HSM

The Luna Backup HSM is physically similar to the Luna G5 HSM, but is used exclusively to securely back up sensitive material from Luna HSMs, and to restore backed-up material to Luna HSMs. Some important characteristics are:

The Luna Backup HSM can be connected locally, by USB cable, to the primary HSM, or it can be connected to a server and used to back up from, and restore to, remotely located primary HSMs.

The Luna Backup HSM takes on the authentication type of the primary HSM with which it is paired for backup. It becomes a Password-authenticated Backup HSM (sometimes called the FIPS 140-2 level 2 version) when backing up a Password-authenticated primary HSM, and the same Luna Backup HSM becomes a PED-authenticated Backup HSM (sometimes called the FIPS 140-2 level 3 version) when backing up a PED-authenticated primary HSM.

The Luna Backup HSM performs backup and restore operations only; it is not capable of cryptographic operations, and cannot (for example) be substituted for a Luna G5 HSM.

Note: When the Luna Backup HSM contains backup data, and has therefore taken on the authentication characteristics of either a Password-authenticated or a PED-authenticated HSM, it cannot restore to the other type. This is a security feature. PED-authenticated-to-Password-authenticated restore is prevented because keys and objects that were created on a PED-authenticated HSM are more secure, and moving them to a less-secure type of HSM would be considered a breach of security. Password-authenticated-to-PED-authenticated restore is prevented because anyone seeing keys and objects on a PED-authenticated HSM is entitled to assume that those keys and objects have always had that level of security throughout their existence.