About SafeNet Backup HSM

The SafeNet Backup HSM is physically similar to the SafeNet USB HSM, but is used exclusively to securely back up sensitive material from SafeNet HSMs, and to restore backed-up material to SafeNet HSMs. Some important characteristics are:

The SafeNet Backup HSM can be connected locally, by USB cable, to the primary HSM, or it can be connected to a server and used to back up from, and restore to, remotely located primary HSMs.

The SafeNet Backup HSM takes on the authentication type of the primary HSM with which it is paired for backup. It becomes a Password-authenticated Backup HSM (sometimes called the FIPS 140-2 level 2 version) when backing up a Password-authenticated primary HSM, and the same SafeNet Backup HSM becomes a PED-authenticated Backup HSM (sometimes called the FIPS 140-2 level 3 version) when backing up a PED-authenticated primary HSM.

The SafeNet Backup HSM performs backup and restore operations only; it is not capable of cryptographic operations, and cannot (for example) be substituted for a SafeNet USB HSM.

Note: When the SafeNet Backup HSM contains backup data, and has therefore taken on the authentication characteristics of either a Password-authenticated or a PED-authenticated HSM, it cannot restore to the other type. This is a security feature. Restoring from PED-authenticated to Password-authenticated is prevented because keys and objects that were created on a PED-authenticated HSM are more secure, and moving them to a less-secure type of HSM would be considered a breach of security. Restoring from Password-authenticated to PED-authenticated is prevented because anyone seeing keys and objects on a PED-authenticated HSM is entitled to assume that those keys and objects have always had that level of security throughout their existence.