
partition backup

Back up the contents of a legacy application partition to a locally connected Backup HSM. This command copies the contents of a named partition to a partition on a Backup HSM.

Note:  If you wish to back up to a Backup HSM located remotely from the Network HSM appliance, then perform that action from a lunacm session on the Remote Backup HSM's host computer where the source partition and the partition on the receiving Backup HSM appear as numbered PKCS#11 slots.

If you wish to back up to a Small Form Factor device, use the partition sff commands instead.

For locally connected backup, the user is prompted to verify if this destructive command should continue (in case the token has any data on it).

The backup token is initialized to the same access control level as the HSM Partition being backed up.

This command requires the HSM's domain (string or PED Key) and the HSM Partition's Owner password (or PED Key and Partition password). If you chose MofN (values for N and for M greater than 1) at partition creation time, then M of the black keys are needed.

Because this is a destructive command (it initializes the backup token), the user is given the option to proceed/quit before continuing. The SafeNet appliance admin may wish to use the token show command to see the label of a token before issuing this destructive command.

Password-authenticated HSMs

If the passwords and domain aren't provided via the command line, the user is interactively prompted for them. User input is echoed as asterisks. The user is asked to confirm new token Admin and user passwords (if needed).

PED-authenticated HSMs

SafeNet Network HSM with Trusted Path Authentication backup tokens do not use text Partition Passwords in addition to PED Keys – they require only the PED Keys. Also, the passwords and blue/black PED Keys used for the backup token need not be the same as those used with the HSM.

Syntax

partition backup -partition <name> -tokenPar <name> -serial <serialnum> [-password <password>] [-tokenSOPwd <password>] [-tokenPw <password>] [-domain <domain>] [-defaultdomain] [-add] [-replace] [-force]

Option Shortcut Parameter Description
-add -a .

Add objects to the named backup HSM partition. Incremental backup (append). If any of the source objects already exist on the target partition, they are not duplicated, and they are not overwritten. The system flags an error and continues to the next object.

This parameter is mandatory for pre-existing target partitions, if -replace is not specified.

Note: This parameter is not needed if the target partition did not already exist and is being created by the partition backup command. If the target partition exists, then there is no default - you must specify whether to add/append to whatever exists on the partition, or overwrite it.

-defaultdomain -de . Use the default domain string. Deprecated. This is retained only for the benefit of customers who have previously used the default domain and are constrained to continue using it until they create new objects on an HSM with a proper domain. For security reasons, avoid this option.
-domain -do <domain>

Specifies the text domain string that was used when creating the partition. This parameter is optional on password-authenticated HSMs. It is ignored on PED-authenticated HSMs. See the notes, below, for more information.

Note 1: For SafeNet HSMs with Trusted Path Authentication, the red PED Key used for initializing the partition on the source HSM must be used for the backup HSM, as well. Ensure that a new domain is not created on the PED Key by answering NO to the SafeNet PED question “Do you wish to create a new domain?”.

Note 2: When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.

If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED Key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.

This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.

Note 3: If you do not specify a domain in the command line when creating a partition (partition create command), then you are prompted for it.

The character string that you type at the prompt becomes the domain for the partition.

When you run the partition backup command, you are again prompted for a domain for the target partition on the backup HSM. You can specify a string at the command line, or omit the parameter at the command line and specify a string when prompted. The domain that you apply to a backup HSM must match the domain on your source HSM partition.

-force -f . Force the action without prompting.
-partition -par <partition name> The name of the HSM partition from which all data/key objects are backed up. Obtain the HSM partition name by using the partition list command.
-password -pas <partition password>

The application partition Crypto Officer's text password to be used for login. If you do not supply this value on the command line, you are prompted for it.

This parameter is mandatory for password-authenticated HSMs. It is ignored for PED-authenticated HSMs.

-replace -r .

Clone objects to the target partition, overwriting whatever might already exist there. This parameter is mandatory for pre-existing target partitions, if -add is not specified.

Note: This parameter is not needed if the target partition did not already exist and is being created by the partition backup command. If the target partition exists, then there is no default - you must specify whether to add/append to whatever exists on the partition, or overwrite it.

-serial -s <serial number> Specifies the backup token serial number.
-tokenPar -tokenpa <backup partition name>

This is the name of the partition on the backup HSM to which the backup objects are to be cloned. If a partition exists on the backup HSM with the name that you provide here, that partition is selected. If no partition exists with the supplied label, then one is created.

Note: Do not begin your partition label with a numeral. This can later be misinterpreted by some commands as a slot number, rather than a text label, resulting in failure of the command.

-tokenPw -tokenpw <backup partition password>

The token user password. This is the equivalent of the Crypto Officer password for the backup partition on the Backup HSM.

This parameter is mandatory for password-authenticated HSMs. It is ignored for PED-authenticated HSMs.

-tokenSOPwd -tokenS <backup HSM SO password> Token Admin (or Security Officer) password. This is the password to be used as login credential for the Backup HSM's security officer. The token SO password need not be the same password or PED Key as used for the source HSM Admin.
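A pre-flight check for scripted partition backup command lines, applying the option rules in the table above. This is an added example, not SafeNet code: the function names and sample lines are hypothetical, the matching of shortened option spellings is an assumption, and treating secrets typed on the command line as a finding is this example's own policy.

```python
import shlex
# (full name, shortcut, takes a value) copied from the options table above
OPTIONS = [
    ("-add", "-a", False), ("-defaultdomain", "-de", False),
    ("-domain", "-do", True), ("-force", "-f", False),
    ("-partition", "-par", True), ("-password", "-pas", True),
    ("-replace", "-r", False), ("-serial", "-s", True),
    ("-tokenPar", "-tokenpa", True), ("-tokenPw", "-tokenpw", True),
    ("-tokenSOPwd", "-tokenS", True),
]
SECRETS = ("-password", "-tokenSOPwd", "-tokenPw", "-domain")

def resolve(token):
    """Map a typed option to its full name. Assumption: any spelling from
    the listed shortcut up to the full name is accepted, ignoring case."""
    t = token.lower()
    for full, short, takes_value in OPTIONS:
        if t.startswith(short.lower()) and full.lower().startswith(t):
            return full, takes_value
    return None, False

def lint_partition_backup(cmdline, target_exists):
    """Return findings for one scripted 'partition backup' command line."""
    args = shlex.split(cmdline)[2:]  # drop the leading "partition backup"
    seen, findings, i = {}, [], 0
    while i < len(args):
        full, takes_value = resolve(args[i])
        if full is None:
            findings.append(f"unrecognized option {args[i]}")
        else:
            seen[full] = args[i + 1] if takes_value and i + 1 < len(args) else ""
        i += 2 if takes_value else 1
    if "-defaultdomain" in seen:
        findings.append("-defaultdomain is deprecated; use a proper domain")
    if "-force" in seen:
        findings.append("-force suppresses the proceed/quit prompt")
    findings += [f"{opt} is on the command line; omit it and answer the prompt"
                 for opt in SECRETS if opt in seen]
    if seen.get("-tokenPar", "")[:1].isdigit():
        findings.append("-tokenPar label begins with a numeral")
    if target_exists and not ("-add" in seen or "-replace" in seen):
        findings.append("target partition exists: -add or -replace is required")
    return findings

# Constructed sample lines; partition names, serial and password are made up.
RISKY = "partition backup -par p1 -tokenPar 1bk -s 123456 -pas x -de -f"
CLEAN = "partition backup -partition p1 -tokenPar bk1 -serial 123456 -add"
if __name__ == "__main__":
    for finding in lint_partition_backup(RISKY, target_exists=True):
        print(finding)
```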

Example

lunash:> partition backup -partition j1 -password userpin
 
CAUTION:  Are you sure you wish to initialize the backup
HSM named:
backuphsm
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
 
Luna PED operation required to initialize backup token - use blue PED Key.
Luna PED operation required to login to backup token - use blue PED Key.
Luna PED operation required to generate cloning domain on backup token - use red PED Key.
Luna PED operation required to generate partition backup space - use black PED Key.
Luna PED operation required to login to partition backup space - use black PED Key.
Luna PED operation required to login to partition - use black PED Key.
Key handle 10 cloned from source to target.
Key handle 11 cloned from source to target.
'partition backup' successful.