
Backup and Restore From the Appliance to an Appliance-connected Backup HSM (LunaSH)

This section describes how to use LunaSH to back up and restore a partition on the appliance to a locally connected SafeNet Backup HSM (Backup HSM). To perform a local backup, you connect the SafeNet Backup HSM to a USB port on the SafeNet Network HSM appliance and use LunaSH to log in as the Crypto Officer (CO) to the HSM partitions that you want to back up.

The backup operation can go from a source partition (on a SafeNet Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Network HSM; it must already exist.

You can restore a partition backup to the source HSM or to a different SafeNet Network HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name - it does not need to match the name of the source partition on the backup HSM.

Scenario

In this scenario, your Network HSM would likely contain rarely changed, static crypto objects that could usefully be backed up in person when first deployed, and not on a frequent basis. (Otherwise, for frequent backup operations, choose a Remote Backup scenario, so as not to require physical presence in the datacenter.) The usual scenario for the setup described in this section is that you have all the relevant equipment co-located:

SafeNet Network HSM appliances in a datacenter,

A terminal

running SSH and network-connected to the Network HSM appliance, or

running serial-terminal software and serially connected to the Network HSM  

a Backup HSM connected locally via USB to the Network HSM

a PED for the Network HSM and a PED for the Backup HSM (for PED-auth)

You can connect the Backup HSM directly to the SafeNet Network HSM appliance to back up some or all of the individual partitions it contains, controlled by LunaSH commands. You require the Partition Crypto Officer (CO) credentials for each partition you want to back up.

Note:  You cannot use this method to back up partitions configured to use STC (see Secure Trusted Channel (STC)). To back up a partition configured to use STC, you must use LunaCM, as described in Backup and Restore From the Client to a Client-Local Backup HSM (LunaCM).

To perform a backup/restore with all equipment co-located, you open an SSH or serial connection from your workstation to the appliance, and use LunaSH to perform a backup to the Backup HSM connected to the appliance, as illustrated in the following figure:

Figure 1: Partition backup/restore using a Backup HSM connected directly to the appliance

Note:  This is not a Remote Backup situation, so RBS is not required.

Workstation requirements

The workstation is simply a display terminal for LunaSH running on the appliance. It requires an SSH client (ssh on Linux, PuTTY on Windows). It does not require the SafeNet HSM client software.

Note:  Use of older PuTTY versions, and related tools, can result in the appliance refusing to accept a connection. This can happen if a security update imposes restrictions on connections with older versions. To ensure compatibility, always use the versions of executable files included with the current client installer.

PED-authenticated partitions

The PEDs are required only if the SafeNet Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required. The Backup HSM and SafeNet Network HSM must share the same domain (red) PED key value.

Although two PEDs are recommended (one connected to the SafeNet Network HSM and one connected to the Backup HSM), you can use a single PED, if desired. If using a single PED, note that you can connect the PED to only one HSM at a time. You will need to disconnect it from the source HSM (SafeNet Network HSM) and connect it to the target HSM (SafeNet Backup HSM) when PED operations are needed at each HSM.

Private Keys could be lost - procedural awareness issue

If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM.

Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.

The default setting allows private key cloning, but you might have changed that to satisfy your security regime. The consequence of such a change in policy is sometimes overlooked.

Backing Up a Partition to a Locally Connected Backup HSM

You can back up any partitions you can log in to as the Crypto Officer.

To back up a SafeNet Network HSM partition to a directly connected Backup HSM:

1. Connect all the required components and open a terminal session to the SafeNet Network HSM appliance. See the following topics for details:

Open a Connection in the Configuration Guide

Backup HSM Installation, Storage, and Maintenance

Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See How to Use a SafeNet PED for instructions on changing modes on the Luna PED.

2. Open a LunaSH session on the SafeNet Network HSM appliance.

login as: admin 
admin@192.20.10.202's password:
Last login: Tue Dec 30 16:03:46 2014 from 192.16.153.111

SafeNet Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
[myluna] lunash:>

3. Use the token backup list and token backup show commands to determine the serial number of the Backup HSM and to verify its partition and storage configuration:

lunash:>token backup list 

Token Details: 
============
Token Label:     BackupHSM
Slot:           6
Serial #: 7000179
Firmware: 6.26.0
Hardware Model: G5 Backup

Command Result : 0 (Success)


lunash:> token backup show -serial 700179
Token Details:  
============
Token Label:     BackupHSM  
Serial #:        700179  
Firmware:                        6.22.0  
Hardware Model: SafeNet USB HSM  
Authentication Method: PED keys  
Token Admin login status: Logged In  
Token Admin login attempts left: 3 before Token zeroization!

Partition Information:  
======================
Partitions licensed on token:     20  
Partitions created on token:      0
----------------------

There are no partitions.

Token Storage Information:  
==========================

Maximum Token Storage Space (Bytes): 16252928  
Space In Use (Bytes):                0  
Free Space Left (Bytes):             16252928

License Information:  
====================

621010355-000 621-010355-000 G5 Backup Device Base  
621000005-001 621-000005-001 Backup Device Partitions 20  
621000006-001 621-000006-001 Backup Device Storage 15.5 MB  
621000007-001 621-000007-001 Backup Device Store MTK Split Externally  
621000008-001 621-000008-001 Backup Device Remote Ped Enable

Command result : 0 (Success)  

4. Use the partition backup command to back up a specified partition and provide the PED keys as prompted, for example:

[myluna] lunash:>par backup -s 7000179 -par p1 -tokenPar bck1  

Type 'proceed' to continue the backup, or 'quit'
to abort this operation.
> proceed
Please enter the password for the HSM partition:
> *******

Warning: You will need to attach Luna PED to the SafeNet Backup HSM
         to complete this operation.
         You may use the same Luna PED that you used for SafeNet Network HSM.
 
Please hit <enter> when you are ready to proceed. 

Luna PED operation required to login to token - use token Security Officer (blue) PED key.
Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.
            
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target  
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition backup' successful.

Command Result : 0 (Success)


5. Use the token backup show command to verify the backup:

lunash:> token backup show -serial 667788
Token Details:  
============
Token Label:                      BackupHSM  
Serial #:                         700179  
Firmware:                         6.26.0  
HSM Model:                   G5Backup
Authentication Method:            PED keys  
Token Admin login status:         Logged In  
Token Admin login attempts left:  3 before Token zeroization!

Partition Information:  
======================
Partitions licensed on token: 20  
Partitions created on token:   1
----------------------
Partition: 7000179008,         Name: bck1.

Token Storage Information:  
==========================

Maximum Token Storage Space (Bytes): 16252928  
Space In Use (Bytes):                    43616  
Free Space Left (Bytes):              16209312  

License Information:  
====================

621010355-000 621-010355-000 G5 Backup Device Base  
621000005-001 621-000005-001 Backup Device Partitions 20  
621000006-001 621-000006-001 Backup Device Storage 15.5 MB  
621000007-001 621-000007-001 Backup Device Store MTK Split Externally  
621000008-001 621-000008-001 Backup Device Remote PED Enable

Command result : 0 (Success)  

Restoring a Partition from a Locally Connected Backup HSM

You can back up any partitions you can log in to as the Crypto Officer.

To restore a SafeNet Network HSM partition from a directly connected Backup HSM:

To restore the partition contents from the SafeNet Remote Backup Device to the same local SafeNet Network HSM, use the same setup described above, but use the partition backup restore command instead.

1. Connect all the required components and open a terminal session to the SafeNet Network HSM appliance. See the following topics for details:

Open a Connection in the Installation and Configuration Guide

Backup HSM Installation, Storage, and Maintenance

Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See "Changing Modes" for instructions on changing modes on the Luna PED.

2. Open a LunaSH session on the SafeNet Network HSM appliance.

login as: admin 
admin@192.20.10.202's password:
Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111

SafeNet Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2016 Gemalto, Inc. All rights reserved.
[myluna] lunash:>

3. Use the partition restore command to restore a partition:

[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace 
Please enter the password for the HSM partition:   
> *******

CAUTION: Are you sure you wish to erase all objects in the
          partition named: p1
          Type 'proceed' to continue, or 'quit' to quit now.
          > proceed
Warning: You will need to attach Luna PED to the SafeNet Backup HSM to complete this operation.
        You may use the same Luna PED that you used for SafeNet Network HSM.

Please hit <enter> when you are ready to proceed.

Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target  
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.

Command Result : 0 (Success)
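
Because a backup or restore proceeds even when private keys are skipped (see "Private Keys could be lost" above), it is worth checking the saved session transcript against your own key inventory. The following is an added example, not part of the original guide or of the vendor's tooling: it parses the "cloned to handle" lines shown in the backup and restore steps and reports expected objects that never appeared. The function name, the inventory list and the private-key label are assumptions made for illustration.

```python
import re
from collections import Counter

# Transcript line format shown in the steps above, e.g.
#   Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
CLONED_RE = re.compile(r'^Object "([^"]+)" \(handle \d+\) cloned to handle \d+ on target$')
DONE_RE = re.compile(r"^'partition (backup|restore)' successful\.$")
RESULT_RE = re.compile(r"^Command Result\s*:\s*(\d+)", re.IGNORECASE)


def audit_transcript(transcript, expected_labels):
    """Check a saved LunaSH backup/restore transcript against expected_labels,
    the operator's own list of labels that should be cloned (labels may repeat)."""
    cloned, result_code, done = [], None, False
    for raw in transcript.splitlines():
        line = raw.strip()
        m = CLONED_RE.match(line)
        if m:
            cloned.append(m.group(1))
        elif DONE_RE.match(line):
            done = True
        elif RESULT_RE.match(line):
            result_code = int(RESULT_RE.match(line).group(1))
    # Multiset difference, so two objects sharing one label are both counted.
    missing = sorted((Counter(expected_labels) - Counter(cloned)).elements())
    reported_success = done and result_code == 0
    return {
        "cloned": cloned,
        "missing": missing,
        "reported_success": reported_success,
        # Success markers alone do not prove every expected object was cloned.
        "complete": reported_success and not missing,
    }


# Constructed sample in the page's format; the private-key label is hypothetical
# and deliberately absent, as if Private Key Cloning were disallowed.
SAMPLE = """\
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
'partition backup' successful.

Command Result : 0 (Success)
"""
EXPECTED = ["1-User DES Key1", "1-User Public RSA Key1-512",
            "1-User Private RSA Key1-512"]

if __name__ == "__main__":
    print(audit_transcript(SAMPLE, EXPECTED))
```

A non-empty "missing" list alongside a reported success is the case to investigate before relying on the backup.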