|
Home > |
|---|
The small form factor (SFF) backup feature is available for PED-authenticated SafeNet HSMs only.
Note: A SafeNet PED is required for SFF backup. A SafeNet PED with Remote capability is recommended for SFF backups. See the Customer Release Notes for more information.
Small form factor backup is mediated by SafeNet PED and uses SafeNet eToken 7300 USB devices as the repository for archived cryptographic objects.
•The eToken 7300 is Common Criteria validated and tamper-evident.
•SFF backup is supported for SafeNet Network HSM, SafeNet PCIe HSM, and SafeNet USB HSM.
•One eToken 7300 can back up one HSM partition.
•Backup and restore can be performed to or from an eToken 7300 inserted into a locally-connected or remotely-connected SafeNet PED (via PedServer).
•A capability update file (CUF) must be purchased and applied to each HSM (serial number specific) that is to use the SFF Backup feature.
Note: Using SFF backup imposes some constraints, and affects other features like HA. See Cloning and SFF Backup Option Use Cases for more detailed information.
SFF backup requires:
•SafeNet Software version 5.4.0 or newer
•HSM firmware version 6.21.0 or newer
•A SafeNet PED with firmware version 2.6.0-6 or newer. A remote PED is recommended.
•Source SafeNet HSM must be cloning type, only - not applicable to Key Export (KE) HSMs
•Backup to a remotely located SFF backup requires a remote PED - a local-only PED is not field-upgradable to remote capability
•HSM must have the SFF backup capability update applied (this is a purchased option)
CAUTION: The SFF backup capability update is a destructive change to your HSM, meaning that the upgrade enforces HSM initialization and all contents will be lost. Back up any important keys or objects before the upgrade. You can recreate your partition(s) and restore your objects after the HSM has been re-initialized, following the application of the SFF backup capability upgrade.
Small Form-Factor Backup requires that the SafeNet configuration file crystoki.ini (Windows) or Chrystoki.conf (Linux/UNIX) must have two specific settings:
•CommandTimeOutPedSet = 720000
•PEDTimeout2 = 200000
Newly installed/created SafeNet HSM client configuration files have the necessary entries, with the correct values, but pre-existing clients might be missing an entry or might have an insufficient value assigned.
On Linux clients the Chrystoki.conf file is saved upon SafeNet HSM client un-installation, and re-used on later installation. Manually run the following commands if needed:
1.If CommandTimeOutPedSet is missing in the Luna section run this command to add it:
/usr/safenet/lunaclient/bin/configurator setValue -s Luna -e CommandTimeOutPedSet -v 720000
2.If PedTimeout2 value is smaller than 200000 run this command:
/usr/safenet/lunaclient/bin/configurator setValue -s Luna -e PEDTimeout2 -v 200000
On Windows clients, already having crystoki.ini, any new entry provided by the newer release of the SafeNet HSM client is added to the file. But existing entry values are not modified. Manually edit the crystoki.ini file and modify the needed entries as follows:
1.Set CommandTimeOutPedSet to 720000
2.Set PEDTimeout to 200000.
If you have concerns about the physical security of your HSMs, and wish to ensure that sensitive application partition contents cannot be backed-up onto a very portable, concealable SFF token, then simply do not purchase or apply a Small Form-Factor capability update for that HSM.
If the SFF Capability Update has been installed, and for any reason you wish to disable the ability to backup HSM content, or application partition objects, to a Small Form-Factor device, you must disable HSM Policy 38.
WARNING! Disabling SFF is HSM-wide and is destructive, meaning that HSM contents and partitions are lost. Re-initialization is required, and lost objects must be re-created or must be restored from a SafeNet Backup HSM or by synchronization in an HA group.
1.Enter the following command. You must be logged in as the HSM SO.
lunacm:>hsm changehsmpolicy -policy 38 -value 0