Home >

Administration Guide > Backup and Restore HSMs and Partitions > Backup and Restore From the Client to a Local Backup HSM (LunaCM)

Backup and Restore From the Client to a Client-Local Backup HSM (LunaCM)

This section describes how to use LunaCM to backup and restore a partition from the client to a SafeNet Backup HSM (Backup HSM) that is connected to the client workstation. To perform a local backup, you connect the SafeNet Backup HSM to a USB port on the SafeNet HSM client workstation and use LunaCM to log in as the Crypto Officer (CO) and backup any SafeNet Network HSM or SafeNet PCIe HSM partitions that are visible as slots.

Scenario

The usual scenario for the setup described in this section is that you have

SafeNet Network HSM appliances in a datacenter,

Application clients elsewhere (not relevant to the Backup/Restore)

A management workstation in an office, running LunaClient software, with

a Backup HSM connected locally via USB  and visible as a slot in lunacm

the remote Network HSM connected via NTLS and with one-or-more application partitions visible as slots in lunacm (at the management workstation)

a Remote PED connected to the workstation, to serve PED operations to both the distant application partitions (on the Network HSM) and to the Backup HSM

The backup operation can proceed from a source partition (on a SafeNet Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup.

The restore operation, however, cannot create a target partition on a SafeNet Network HSM; it must already exist.

You can restore a partition backup to the source HSM or to a different SafeNet Network HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name - it does not need to match the name of the source partition on the backup HSM.

You can connect the Backup HSM to a SafeNet HSM client workstation to backup any SafeNet Network HSM or SafeNet PCIe HSM partitions that are visible as slots in LunaCM, as illustrated in the following figure:

Figure 1: Configuration for SafeNet Network HSM/PCIe partition backup/restore using a Backup HSM connected to a local client workstation

In this configuration, you connect the Backup HSM and SafeNet Remote PED, via USB, to your SafeNet HSM client workstation. The SafeNet Network HSM appliance is remote to the SafeNet HSM client workstation and is connected using NTLS. Any installed PCIe devices communicate with the SafeNet HSM client over the PCI bus.

Note:  In this situation, the Backup HSM is directly USB-attached to the Client workstation where lunacm recognizes your source HSM partition(s) as registered or discovered slots, and the Backup HSM as a discovered slot. RBS is not needed in this situation.

Any partitions you want to backup must be registered with, or discovered by, the SafeNet HSM client workstation, and be visible as slots in LunaCM. The Backup HSM most also be visible as a slot.

If you are backing up PED-authenticated partitions, you require a PED. If you want to backup SafeNet Network HSM partitions, the PED must have remote capability (Remote PED). Remote PED uses the pedserver/pedclient processes running on the SafeNet HSM client workstation and on the SafeNet Network HSM appliance to provide remote PED services for the network-attached SafeNet Network HSM appliance. The PED provides authentication for all of the attached HSMs (the USB-connected SafeNet Backup HSM, the NTLS-connected SafeNet Network HSM, and the PCI bus-connected SafeNet PCIe HSM). Every slot on the backup must have same domain (red PED key) as the matching slot on the source HSMs.

Private Keys could be lost - procedural awareness issue

If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM.

Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.

The default setting allows private key cloning, but you might have changed that to satisfy your security regime. This consequence of such a change in policy is sometimes overlooked.

Backing Up a Partition to a Locally Connected Backup HSM

You can backup any slots you can see on the client workstation. You must log in as the Crypto Officer to the partition you want to backup.

To backup an application partition to a Backup HSM connected to a SafeNet HSM client workstation:

1.Configure the remote PED, as described in Configuring Remote PED.

2.Start the LunaCM utility on the SafeNet HSM client workstation.

C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM V6.3.0 - Copyright (c) 2006-2017 Gemalto, Inc.

        Available HSM's:

        Slot Id ->              1
        HSM Label ->            SA52_P1
        HSM Serial Number ->    500409014
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.27.0
        HSM Configuration ->    Luna User Partition With SO (PED) Signing With Cloning Mode
        HSM Status ->           OK
     
        Slot Id ->              2
        HSM Label ->            BackupHSM Serial Number ->    700101
        HSM Model ->            G5Backup
        HSM Firmware Version -> 6.27.0
        HSM Configuration ->    Remote Backup HSM (PED) Backup Device
        HSM Status ->           OK

        Current Slot Id: 1

 

3.Use the slot set command to go to the slot you want to back up:

lunacm:> slot set slot 1

        Current Slot Id: 1     (Luna User Slot 6.27.0 (PED) Signing With Cloning Mode)

Command Result : No Error

 

4.Establish that the HSM is listening for a SafeNet Remote PED:

lunacm:>ped get

        HSM slot 1 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped connect ip 192.20.10.190

Command Result : No Error

lunacm:> ped get

        HSM slot 1 listening to remote PED (PED id=100).

Command Result : No Error
   

The SafeNet Network HSM is now listening for PED interaction via the link between PedClient on the SafeNet Network HSM appliance and PedServer on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Network HSM.

5.Log in as the Crypto Officer (CO) to the partition in the current slot. This is the partition that you want to back up:

lunacm:> role login -name Crypto Officer

        Option -password was not supplied.  It is required.

        Enter the password: *******

        User is activated, PED is not required.

Command Result : No Error
 

6.Disconnect the PED from your source HSM (slot 1 in this example), and connect to the Backup HSM (slot 2 in this example). The PED remains physically connected by USB cable to the SafeNet HSM client workstation, and remains in Remote mode - you are merely changing slots that are in conversation with that PED.

a.First, tell the SafeNet Network HSM to disconnect from Remote PED with the command ped disconnect.

b.Tell the Backup HSM to connect to Remote PED (it makes no difference that the PED and the Remote Backup HSM are USB-connected to the same workstation/laptop; when use of Remote PED is invoked by command ped connect and verified by ped get, all HSM-PED interaction takes place between PedClient running on that workstation and PedServer, also running on that workstation).

lunacm:> ped connect ip 192.20.10.189 -slot 2

Command Result : No Error

lunacm:> ped get -slot 2

        HSM slot 2 listening to remote PED (PED id=100).

Command Result : No Error

7.Use the partition archive backup command to perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.

lunacm:> partition archive backup -slot 2 -par SAbck1

        Logging in as the SO on slot 2.
        Please attend to the PED.

        Creating partition SAbck1 on slot 2.
        Please attend to the PED.

        Logging into the container SAbck1 on slot 2 as the user.
        Please attend to the PED.

        Creating Domain for the partition SAbck1 on slot 2.
        Please attend to the PED.

        Verifying that all objects can be backed up...
        85 objects will be backed up.

        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        Cloned object 134 to partition SAbck1 (new handle 24).
        Cloned object 83 to partition SAbck1 (new handle 25).
        Cloned object 117 to partition SAbck1 (new handle 26).
        Cloned object 126 to partition SAbck1 (new handle 27).
        Cloned object 65 to partition SAbck1 (new handle 28).
        Cloned object 140 to partition SAbck1 (new handle 29).
        Cloned object 131 to partition SAbck1 (new handle 30).
        Cloned object 94 to partition SAbck1 (new handle 31).
        Cloned object 109 to partition SAbck1 (new handle 35).
        Cloned object 66 to partition SAbck1 (new handle 36).
        Cloned object 123 to partition SAbck1 (new handle 39).
        Cloned object 74 to partition SAbck1 (new handle 40).
        Cloned object 50 to partition SAbck1 (new handle 44).
        Cloned object 43 to partition SAbck1 (new handle 45).
        Cloned object 52 to partition SAbck1 (new handle 46).
        Cloned object 124 to partition SAbck1 (new handle 47).
        Cloned object 115 to partition SAbck1 (new handle 48).
        
        Backup Complete.

        20 objects have been backed up to partition SAbck1
        on slot 2.

Command Result : No Error
 

8.Backup is complete, and can be verified if you like.

Restoring a Partition from a Locally Connected Backup HSM

You can restore a backup to any slot you can see on the client workstation. You must log in as the Crypto Officer to the partition you want to restore to.

To restore an application partition from a Backup HSM connected to a SafeNet HSM client workstation:

1.Create a target partition for the restore operation on the HSM you are restoring to, if it does not already exist, and register the partition with the SafeNet HSM client workstation so that it is visible as a slot in LunaCM.

2.Start the LunaCM utility on the SafeNet HSM client workstation.

LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
 
        Available HSMs:
 
        Slot Id ->              0
        Label ->                par1
        Serial Number ->        154438865288
        Model ->                LunaSA 6.0.0
        Firmware Version ->     6.27.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              21
        Label ->                lunabackup
        Serial Number ->        496771
        Model ->                G5Backup
        Firmware Version ->     6.27.0
        HSM Configuration ->    Remote Backup HSM (PED) Backup Device
        HSM Status ->           OK
 
 
        Current Slot Id: 0
 

3.Use the slot set command to go to the slot you want to restore to.

lunacm:> slot set slot 0
 
        Current Slot Id: 0     (Luna User Slot 6.27.0 (PED) Signing With Cloning Mode)
 
Command Result : No Error
 

4.Open a remote PED session to the SafeNet Network HSM you are restoring to:

lunacm:> ped connect ip 192.20.10.190
 
Command Result : No Error
 
lunacm:> ped get
 
        HSM slot 1 listening to remote PED (PED id=100).
 
Command Result : No Error
 

The SafeNet Network HSM is now listening for PED interaction via the link between PEDclient on the SafeNet Network HSM appliance and PEDserver on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Network HSM.

5.Log into the partition in the current slot. This is the partition that you want to restore to.

lunacm:> role login -name Crypto Officer
 
        Option -password was not supplied.  It is required.
 
        Enter the password: *******
 
        User is activated, PED is not required.
 
Command Result : No Error
 

6.Use the partition archive restore command restore the partition from the Backup HSM to the current slot, adding to, or replacing, the current partition contents:

partition archive restore -slot <backup-hsm-slotnumber> -partition LunaSAPartitionname -password ClientPassword -replace

Note:  In the command above, you can use -add instead of -replace. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM Partition and one on the backup token. The two would be assigned different handles, however.