|
Home > |
|---|
The small form factor (SFF) backup feature is available for PED-authenticated or password-authenticated Luna HSMs.
Note: A remote PED is recommended for SFF backups. See the Customer Release Notes for more information.
Small form factor backup is mediated by Luna PED and uses SafeNet eToken 7300 USB devices as the repository for archived cryptographic objects.
•The eToken 7300 is Common Criteria validated and tamper-evident.
•SFF backup is supported for Luna SA and Luna PCI-E. Small Form-Factor Backup is not supported for Luna G5 (no capability update file is available). To back up a Luna G5 HSM, clone the contents to another Luna G5.)
•One eToken 7300 can back up one HSM partition.
•Backup and restore can be performed to or from an eToken 7300 inserted into a locally-connected or remotely-connected Luna PED (via PedServer).
•A capability update file (CUF) must be purchased and applied to each HSM (serial number specific) that is to use the SFF Backup feature.
Note: Using SFF backup imposes some constraints, and affects other features like HA. See "Cloning and SFF Backup Option Use Cases" for more detailed information.
SFF backup requires:
•Luna Software version 5.4.0 or newer
•HSM firmware version 6.21.0 or newer
•A Luna PED with firmware version 2.6.0-6 or newer. A remote PED is recommended.
•Source Luna HSM must be cloning type, only - not applicable to Key Export (KE) HSMs
•Backup to a remotely located SFF backup requires a remote PED - a local-only PED is not field-upgradable to remote capability
•HSM must have the SFF backup capability update applied (this is a purchased option)
CAUTION: The SFF backup capability update is a destructive change to your HSM, meaning that the upgrade enforces HSM initialization and all contents will be lost. Back up any important keys or objects before the upgrade. You can recreate your partition(s) and restore your objects after the HSM has been re-initialized, following the application of the SFF backup capability upgrade.
Luna Small Form-Factor Backup requires that the Luna configuration file crystoki.ini (Windows) or Chrystoki.conf (Linux/UNIX) must have two specific settings:
•CommandTimeOutPedSet = 720000
•PEDTimeout2 = 200000
Newly installed/created Luna client configuration files have the necessary entries, with the correct values, but pre-existing clients might be missing an entry or might have an insufficient value assigned.
On Linux clients the Chrystoki.conf file is saved upon Luna client un-installation, and re-used on later installation. Manually run the following commands if needed:
1.If CommandTimeOutPedSet is missing in the Luna section run this command to add it:
/usr/safenet/lunaclient/bin/configurator setValue -s Luna -e CommandTimeOutPedSet -v 720000
2.If PedTimeout2 value is smaller than 200000 run this command:
/usr/safenet/lunaclient/bin/configurator setValue -s Luna -e PEDTimeout2 -v 200000
On Windows clients, already having crystoki.ini, any new entry provided by the newer release of the Luna client is added to the file. But existing entry values are not modified. Manually edit the crystoki.ini file and modify the needed entries as follows:
1.Set CommandTimeOutPedSet to 720000
2.Set PEDTimeout to 200000.
If you have concerns about the physical security of your HSMs, and wish to ensure that sensitive application partition contents cannot be backed-up onto a very portable, concealable SFF token, then simply do not purchase or apply a Small Form-Factor capability update for that HSM.
If the SFF Capability Update has been installed, and for any reason you wish to disable the ability to backup HSM content, or application partition objects, to a Small Form-Factor device, you must disable HSM Policy 38.
WARNING! Disabling SFF is HSM-wide and is destructive, meaning that HSM contents and partitions are lost. Re-initialization is required, and lost objects must be re-created or must be restored from a Luna Backup HSM or by synchronization in an HA group.
1.Enter the following command. You must be logged in as the HSM SO.
lunacm:>hsm changehsmpolicy -policy 38 -value 0