Backup and Restore From the Appliance to a Local Backup HSM (LunaSH)

This section describes how to use LunaSH to back up and restore a partition on the appliance to a locally connected SafeNet Luna Backup HSM (Backup HSM). To perform a local backup, you connect the SafeNet Luna Backup HSM to a USB port on the SafeNet Luna Network HSM appliance and use LunaSH to log in as the Crypto Officer (CO) to the HSM partitions that you want to back up.

The backup operation can go from a source partition (on a SafeNet Luna Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Luna Network HSM; it must already exist.

You can restore a partition backup to the source HSM or to a different SafeNet Luna Network HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name; it does not need to match the name of the source partition on the Backup HSM.

You can connect the Backup HSM directly to the SafeNet Luna Network HSM appliance to back up some or all of the individual partitions it contains, using LunaSH. You require the Partition Crypto Officer (CO) credentials for each partition you want to back up.

Note: You cannot use this method to back up partitions configured to use STC (see Secure Trusted Channel (STC)). To back up a partition configured to use STC, you must use LunaCM, as described in Backup and Restore From the Appliance to a Local Backup HSM (LunaSH).

To perform a backup/restore, you open an SSH or serial connection from your workstation to the appliance, and use LunaSH to perform a backup to the Backup HSM connected to the appliance, as illustrated in the following figure:

Figure 1: Partition backup/restore using a Backup HSM connected directly to the appliance

Workstation requirements

The workstation is simply a display terminal for LunaSH running on the appliance. It requires an SSH client (ssh on Linux, PuTTY on Windows). It does not require the SafeNet Luna HSM client software.

PED-authenticated partitions

The PEDs are required only if the SafeNet Luna Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required. The Backup HSM and SafeNet Luna Network HSM must share the same domain (red) PED key value.

Although two PEDs are recommended (one connected to the SafeNet Luna Network HSM and one connected to the Backup HSM), you can use a single PED if desired. A single PED can be connected to only one HSM at a time, so you will need to move it between the source HSM (SafeNet Luna Network HSM) and the target HSM (SafeNet Luna Backup HSM) whenever a PED operation is needed at one or the other.

Backing Up a Partition to a Locally Connected Backup HSM

You can back up any partitions you can log in to as the Crypto Officer.

To back up a SafeNet Luna Network HSM partition to a directly connected Backup HSM:

1. Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:

Open a Connection in the Configuration Guide

Backup HSM Installation, Storage, and Maintenance

Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See Changing Modes for instructions on changing modes on the Luna PED.

Connect your Backup HSM to any USB port on the appliance.

2. Open a LunaSH session on the SafeNet Luna Network HSM appliance.

login as: admin 
admin@192.20.10.202's password:
Last login: Tue Dec 30 16:03:46 2014 from 192.16.153.111

SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
[myluna] lunash:>

3. Use the token backup list and token backup show commands to determine the serial number of the Backup HSM and to verify its partition and storage configuration:

lunash:>token backup list 

Token Details: 
============
Token Label:     BackupHSM
Slot:           6
Serial #: 7000179
Firmware: 6.26.0
Hardware Model: G5 Backup

Command Result : 0 (Success)


lunash:> token backup show -serial 700179
Token Details:  
============
Token Label:     BackupHSM  
Serial #:        700179  
Firmware:                        6.22.0  
Hardware Model: SafeNet Luna USB HSM  
Authentication Method: PED keys  
Token Admin login status: Logged In  
Token Admin login attempts left: 3 before Token zeroization!

Partition Information:  
======================
Partitions licensed on token:     20  
Partitions created on token:      0
----------------------

There are no partitions.

Token Storage Information:  
==========================

Maximum Token Storage Space (Bytes): 16252928  
Space In Use (Bytes):                0  
Free Space Left (Bytes):             16252928

License Information:  
====================

621010355-000 621-010355-000 G5 Backup Device Base  
621000005-001 621-000005-001 Backup Device Partitions 20  
621000006-001 621-000006-001 Backup Device Storage 15.5 MB  
621000007-001 621-000007-001 Backup Device Store MTK Split Externally  
621000008-001 621-000008-001 Backup Device Remote Ped Enable

Command result : 0 (Success)  

4. Use the partition backup command to back up a specified partition and provide the PED keys as prompted, for example:

[myluna] lunash:>par backup -s 7000179 -par p1 -tokenPar bck1  

Type 'proceed' to continue the backup, or 'quit'
to abort this operation.
> proceed
Please enter the password for the HSM partition:
> *******

Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM
         to complete this operation.
         You may use the same Luna PED that you used for SafeNet Luna Network HSM.
 
Please hit <enter> when you are ready to proceed. 

Luna PED operation required to login to token - use token Security Officer (blue) PED key.
Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.
            
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target  
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition backup' successful.

Command Result : 0 (Success)


5. Use the token backup show command to verify the backup:

lunash:> token backup show -serial 667788
Token Details:  
============
Token Label:                      BackupHSM  
Serial #:                         700179  
Firmware:                         6.26.0  
HSM Model:                   G5Backup
Authentication Method:            PED keys  
Token Admin login status:         Logged In  
Token Admin login attempts left:  3 before Token zeroization!

Partition Information:  
======================
Partitions licensed on token: 20  
Partitions created on token:   1
----------------------
Partition: 7000179008,         Name: bck1.

Token Storage Information:  
==========================

Maximum Token Storage Space (Bytes): 16252928  
Space In Use (Bytes):                    43616  
Free Space Left (Bytes):              16209312  

License Information:  
====================

621010355-000 621-010355-000 G5 Backup Device Base  
621000005-001 621-000005-001 Backup Device Partitions 20  
621000006-001 621-000006-001 Backup Device Storage 15.5 MB  
621000007-001 621-000007-001 Backup Device Store MTK Split Externally  
621000008-001 621-000008-001 Backup Device Remote PED Enable

Command result : 0 (Success)  
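
The verification in step 5 can also be run mechanically over saved session output. The following Python script is an added example, not part of the SafeNet documentation: it checks a captured partition backup transcript and the follow-up token backup show output against each other. The function names and the abbreviated sample transcripts are constructed for illustration; the field labels are the ones shown in the output above.

```python
import re

# Constructed sample transcripts in the output format shown on this page (abbreviated).
BACKUP_LOG = """\
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
'partition backup' successful.
Command Result : 0 (Success)
"""
SHOW_AFTER = """\
Partitions created on token:   1
Partition: 7000179008,         Name: bck1.
Maximum Token Storage Space (Bytes): 16252928
Space In Use (Bytes):                    43616
Free Space Left (Bytes):              16209312
Command result : 0 (Success)
"""

def command_ok(text):
    # The page shows both "Command Result" and "Command result", so ignore case.
    return re.search(r"Command result\s*:\s*0 \(Success\)", text, re.I) is not None

def parse_show(text):
    """Pull the fields of `token backup show` that a backup changes."""
    def field(label):
        m = re.search(re.escape(label) + r"\s*(\d+)", text)
        return int(m.group(1)) if m else -1  # -1 marks a missing field
    return {
        "created": field("Partitions created on token:"),
        "names": re.findall(r"Partition:\s*\d+,\s*Name:\s*([^\s.]+)", text),
        "max": field("Maximum Token Storage Space (Bytes):"),
        "used": field("Space In Use (Bytes):"),
        "free": field("Free Space Left (Bytes):"),
    }

def verify_backup(log, show, target):
    """Return a list of problems; an empty list means the transcripts agree."""
    s = parse_show(show)
    cloned = re.findall(r'^Object ".*" \(handle \d+\) cloned to handle \d+ on target', log, re.M)
    checks = [
        (command_ok(log) and command_ok(show), "a command did not return 0 (Success)"),
        ("'partition backup' successful." in log, "backup did not report success"),
        (len(cloned) > 0, "no objects were cloned"),
        (target in s["names"], "target partition not listed on the Backup HSM"),
        (s["created"] == len(s["names"]), "partition count does not match the listing"),
        (s["used"] > 0 and s["used"] + s["free"] == s["max"], "storage figures inconsistent"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling verify_backup(BACKUP_LOG, SHOW_AFTER, "bck1") returns an empty list when the backup partition is listed, the storage figures add up, and both commands reported success.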

Restoring a Partition from a Locally Connected Backup HSM

You can back up any partitions you can log in to as the Crypto Officer.

To restore a SafeNet Luna Network HSM partition from a directly connected Backup HSM:

To restore the partition contents from the SafeNet Remote Backup Device to the same local SafeNet Luna Network HSM, use the same setup described above, but use the partition backup restore command instead.

1. Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:

Open a Connection in the Installation and Configuration Guide

Backup HSM Installation, Storage, and Maintenance

Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See Changing Modes for instructions on changing modes on the Luna PED.

2. Open a LunaSH session on the SafeNet Luna Network HSM appliance.

login as: admin 
admin@192.20.10.202's password:
Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111

SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2016 Gemalto, Inc. All rights reserved.
[myluna] lunash:>

3. Use the partition restore command to restore a partition:

[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace 
Please enter the password for the HSM partition:   
> *******

CAUTION: Are you sure you wish to erase all objects in the
          partition named: p1
          Type 'proceed' to continue, or 'quit' to quit now.
          > proceed
Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM to complete this operation.
        You may use the same Luna PED that you used for SafeNet Luna Network HSM.

Please hit <enter> when you are ready to proceed.

Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target  
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.

Command Result : 0 (Success)