Restoring HSM Partitions From Legacy Tokens

To provide a migration path from earlier SafeNet Network HSM and removable-token format HSMs, you can connect an external SafeNet DOCK 2 card reader (for SafeNet PCM, SafeNet CA4, or SafeNet HSM Backup Token) directly to a SafeNet Network HSM appliance. You can then use LunaSH to restore/migrate legacy token and partition contents to the current-generation SafeNet Network HSM.

Keys (objects) from multiple SafeNet CA4 tokens, SafeNet PCM tokens (Key Export Signing, RA), or SafeNet HSM Backup Tokens (such as those used to back up the contents of SafeNet Network HSM 4.x partitions) with differing cloning domains can be consolidated onto one SafeNet Network HSM 5.x HSM. Objects from each token HSM are restored onto a partition corresponding to that token, so the contents remain segregated by legacy cloning domain.

Alternatively, you could set up an HA group that includes the legacy HSM(s) and the target HSM(s), and use the HA synchronization function. This still requires that the target HSM(s) have their modern cloning domains associated with the legacy domains of the legacy source HSM(s) in the HA group.

Note: Restore from a legacy backup token is effectively a data migration, and is one-way only. Backup to a token-style HSM is not a supported operation for SafeNet Network HSM 5.x.

For detailed key migration procedures, go to the Support portal and search for SafeNet HSM Key Migration instructions.

To restore an HSM partition from a legacy token

1. Connect all the required components and open a terminal session to the SafeNet Network HSM appliance.

2. Open a LunaSH session on the SafeNet Network HSM appliance.

login as: admin 
admin@192.20.10.202's password:
Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111

SafeNet Network HSM 5.1.0-25 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.
[myluna] lunash:>

3. Use the token backup update firmware command to upgrade the firmware on the backup token to the latest version. The firmware is included on the appliance.

4. Create a partition to restore to, if it does not already exist.

5. Use the partition restore command to restore a partition, either adding to or replacing the current partition contents:

[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace 
Please enter the password for the HSM partition:   
> *******

CAUTION: Are you sure you wish to erase all objects in the
          partition named: p1
          Type 'proceed' to continue, or 'quit' to quit now.
          > proceed
Warning: You will need to attach Luna PED to the SafeNet Backup HSM to complete this operation.
        You may use the same Luna PED that you used for SafeNet Network HSM.

Please hit <enter> when you are ready to proceed.

Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target  
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.

Command Result : 0 (Success)
[myluna] lunash:>
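
A post-restore check, added here as an example and not SafeNet's own tooling: it parses a captured LunaSH session in the format shown above and reconciles the cloned object labels against an inventory recorded from the legacy token before migration. The function name, the sample transcript and the expected-label list are assumptions made for illustration.

```python
import re

# Line formats are those of the restore session shown on this page.
CLONE_RE = re.compile(r'^Object "(?P<label>[^"]+)" \(handle (?P<src>\d+)\) '
                      r'cloned to handle (?P<dst>\d+) on target$')
RESULT_RE = re.compile(r'^Command Result : (?P<code>\d+) \(')
CMD_RE = re.compile(r'lunash:>\s*par(?:tition)? restore\b(?P<args>.*)$')

def audit_restore(transcript, expected_labels):
    """Summarise a captured restore session and list discrepancies."""
    cloned, findings, result, replace = {}, [], None, False
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := CMD_RE.search(line):
            replace = "-replace" in m.group("args").split()
        elif m := CLONE_RE.match(line):
            label = m.group("label")
            if label in cloned:  # labels are not unique identifiers
                findings.append(f"label cloned more than once: {label}")
            cloned[label] = (int(m.group("src")), int(m.group("dst")))
        elif m := RESULT_RE.match(line):
            result = int(m.group("code"))
    if result is None:
        findings.append("no 'Command Result' line (truncated capture?)")
    elif result != 0:
        findings.append(f"command result {result}, expected 0")
    for label in sorted(set(expected_labels) - set(cloned)):
        findings.append(f"expected object not cloned: {label}")
    for label in sorted(set(cloned) - set(expected_labels)):
        findings.append(f"unexpected object cloned: {label}")
    return {"replace": replace, "cloned": cloned,
            "result": result, "findings": findings}

# Constructed sample in the format of the session above (not a real capture).
SAMPLE = """\
[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
'partition restore' successful.

Command Result : 0 (Success)
"""
# Hypothetical inventory of labels recorded from the legacy token beforehand.
EXPECTED = ["1-User DES Key1", "1-User DES Key2", "1-User ARIA Key3"]

if __name__ == "__main__":
    for finding in audit_restore(SAMPLE, EXPECTED)["findings"]:
        print(finding)
```

Because the restore is one-way, keep the captured session and the resulting report with the migration record; the `replace` flag in the report shows whether the target partition's previous contents were erased.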