About the SafeNet Luna Backup HSM
This section describes what you can do with the SafeNet Luna Backup HSM (Backup HSM) and outlines the various ways, both local and remote, that you can connect the Backup HSM to perform backup and restore operations. It contains the following topics:
>Functionality of the SafeNet Luna Backup HSM
>Backup and Restore Options and Configurations
NOTE The word "Remote" in the product name merely indicates that the Backup HSM provides remote backup capability. You can use the SafeNet Luna Backup HSM to back up the contents of your HSM to a locally attached Backup HSM, or to a remotely located Backup HSM. The SafeNet Luna Backup HSM is referred to as the Backup HSM in this section.
Functionality of the SafeNet Luna Backup HSM
You can use the SafeNet Luna Backup HSM to back up multiple partitions from one or more SafeNet Luna Network HSMs or SafeNet Luna PCIe HSMs. Partition domain and authentication attributes are maintained when you back up a partition, which affects how you can use the Backup HSM.
Storage Capacity and Supported Number of Partitions
Backup is performed on a per-partition basis. SafeNet Luna PCIe HSM supports one application partition. The SafeNet Luna Network HSM supports multiple application partitions. The size of a SafeNet Luna Network HSM partition is configurable, but since all partitions share the HSM memory, the more partitions you create, the smaller they must be.
The base configuration for SafeNet Luna Backup HSM is 20 partitions and 15.5 Mb of space, allowing you to back up a SafeNet Luna Network HSM with up to twenty partitions, or any combination of partitions on individual SafeNet Luna Network HSMs, up to the maximum memory available on the Backup HSM. SafeNet Luna Network HSMs can be updated to support up to 100 partitions. You have the option of purchasing and adding capability upgrades for 50 or 100 partitions to SafeNet Luna Network HSM, as well as to the SafeNet Luna Backup HSM.
NOTE The size of the partition header is different for a SafeNet Luna Network HSM partition and its equivalent backup partition stored on a SafeNet Luna Backup HSM. As a result, the value displayed in the Used column in the output of the partition list command (for the backed-up SafeNet Luna Network HSM partition) is different from the value displayed in the Used column in the output of the token backup partition list command (for the backup partition on the Backup HSM).
Upgrading the Number of Supported Partitions
When your SafeNet Luna Backup HSM is connected locally to a SafeNet Luna Network HSM appliance, use the upgrade instructions at HSM Capability and Partition Upgrades to apply an upgrade to increase the number of HSM partitions that can be backed up to the device.
Domains and Backups
If the target partition exists on the Backup HSM, then it must already share its partition domain with the source partition.
If the target partition is being created, then it takes the domain of the source partition.
Multiple partitions, with different domains, can exist on a single Backup HSM.
As with backup operations, restore operations can take place only where the source and target partitions have the same domain.
>Full/replace backup or restore creates a new target partition with the same domain as the source partition.
>Partial (additive/incremental) backup or restore requires the existing source and target partitions to have the same domain before the operation can start.
No cross-domain copying (backup or restore) is possible - there is no way to "mix and match" objects from different domains.
PED or Password Authentication
The Backup HSM creates a partition with the same authentication type as the SafeNet Luna Network HSM partition that is being backed up. That does not work in the opposite direction, however. The Backup HSM can restore a partition (or the contents of a partition) only to a SafeNet Luna Network HSM of matching authentication type.
You cannot mix partition authentication types on one backup device. That is, if you have a PED-authenticated HSM and a password-authenticated HSM, you require two Backup HSMs in order to have a backup of each HSM's partitions. There is no possibility of backing up data from a higher-security device (Trusted Path, PED-authenticated, FIPS-3) onto a lower-security device (password protected, FIPS-2). Normally this is not a concern, because a given installation is likely to employ SafeNet Luna Network HSMs of the same authentication type throughout.
However, for HSMs of the same authentication type, you could back up (or restore) partitions from different HSMs onto a single SafeNet Luna Backup HSM, as long as there is sufficient room. Given that the authentication type matches, the domain is handled at the partition level.
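The domain, authentication-type and capacity rules above are easy to get wrong when planning backups of many partitions, so the following pre-flight check encodes them as a script. This is an added example, not code from the Thales/SafeNet documentation or the Luna tools; the partition labels, domain names, sizes and the 15.5 Mb / 20-partition base capacity used as inputs are constructed from the figures on this page, and the space calculation is only an approximation because backup partition headers differ in size (see the note above).

```python
from dataclasses import dataclass, field

@dataclass
class Partition:
    label: str
    domain: str   # cloning domain (the red PED key / domain string)
    auth: str     # "PED" or "password"
    size: int     # approximate bytes of object storage used

@dataclass
class BackupHsm:
    capacity_bytes: int = 15_500_000   # base configuration: 15.5 Mb (assumed as bytes)
    max_partitions: int = 20           # base configuration: 20 partitions
    partitions: dict = field(default_factory=dict)   # label -> Partition

def check_backup(src: Partition, backup: BackupHsm, mode: str) -> list:
    """Return the reasons a backup/restore would be refused (empty list = OK).
    mode is "full" (replace) or "partial" (additive/incremental)."""
    problems = []
    target = backup.partitions.get(src.label)
    # Rule: authentication types cannot be mixed on one backup device.
    for p in backup.partitions.values():
        if p.auth != src.auth:
            problems.append(f"device already holds {p.auth} partitions; cannot add {src.auth}")
            break
    # Rule: an existing target must already share the source domain;
    # a partial (additive) operation needs an existing target.
    if mode == "partial":
        if target is None:
            problems.append("partial backup needs an existing target partition")
        elif target.domain != src.domain:
            problems.append("target domain differs from source domain")
    elif mode == "full":
        if target is not None and target.domain != src.domain:
            problems.append("existing target must already share the source domain")
        if target is None and len(backup.partitions) >= backup.max_partitions:
            problems.append("partition count limit reached on Backup HSM")
    else:
        problems.append(f"unknown mode {mode!r}")
    # Rough space check: a full/replace operation frees the old target; a partial
    # one is counted as if every source object were new (upper bound).
    used = sum(p.size for p in backup.partitions.values()
               if not (mode == "full" and p.label == src.label))
    if used + src.size > backup.capacity_bytes:
        problems.append("insufficient space on Backup HSM")
    return problems

# Constructed sample state: a Backup HSM already holding one PED-authenticated partition.
SAMPLE_BACKUP = BackupHsm(partitions={
    "par1": Partition("par1", "dom-A", "PED", 2_000_000)})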

Backup and Restore Options and Configurations
The SafeNet Luna Backup HSM supports local or remote HSM backup. The options for backup of primary/source SafeNet Luna Network HSMs are:
>Local backup of any SafeNet Luna Network HSM, where all components are co-located. This is a possible scenario with all HSMs, but is more likely with direct-connect, local-to-the-client HSMs such as SafeNet Luna PCIe HSM. It is unlikely for SafeNet Luna Network HSMs, simply because SafeNet Luna Network HSMs normally reside in a server rack, distant from their administrators.
>Local backup of SafeNet Luna Network HSM, where the SafeNet Luna Network HSM is located remotely from a computer that has the SafeNet Luna Backup HSM. This is one of the likely scenarios with the SafeNet Luna Network HSM, but requires that the administrator performing the backup have client authentication access to all SafeNet Luna Network HSM partitions.
>Remote backup of any SafeNet Luna Network HSM, where the SafeNet Luna Network HSM is located remotely from the computer that has the SafeNet Luna Backup HSM. This scenario requires that the administrator of the SafeNet Luna Backup HSM's host computer must connect (via SSH or RDP) to the clients of each HSM partition that is to be backed up. The client performs the backup (or restore) under remote direction.
In local mode, you connect the Backup HSM directly, via USB, to a SafeNet Luna Network HSM appliance or SafeNet Luna PCIe HSM host server. That is, local backup is local to the HSM being backed up, not necessarily local to the administrator who is directing the process, who might be far away.
For remote backup, you connect the Backup HSM via USB to a computer running vtl and the driver for the device. Backup and restore are then performed over the secure network connection. For PED-authenticated HSMs, you must have a copy of the appropriate red (domain) PED keys to use with the Backup HSM in order to perform the copy/cloning (backup and restore) operation between the HSMs.
Backing Up a Local HSM to a Directly Connected Backup HSM
The simplest way to back up your SafeNet Luna Network HSM is to connect the Backup HSM directly to the SafeNet Luna Network HSM appliance. To perform a backup/restore, you open an SSH or serial connection from your workstation to the appliance, and then launch LunaSH in a terminal session to perform the backup, as illustrated in the following figure:
The workstation is simply a display terminal for LunaSH running on the appliance. It does not require the SafeNet Luna Client software.
The PEDs are required only if the SafeNet Luna Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required.
Backup to a Backup HSM Connected to a Local Client
The following diagram depicts the elements and connections of the local backup (and restore) operation, where everything is in one room.
| Item | Description |
|---|---|
| 1 | LunaCM on the client (host) system sees the primary and backup slots and controls the backup/restore operation. |
| 2 | The Backup HSM is a slot visible to the client (host) system when it runs LunaCM. |
| 3 | The working HSMs are slots visible to the client (host) system when it runs LunaCM. |
| 4 | Every slot on the backup must have the same domain (red PED key) as the matching slot on the primary HSMs. |
The other two backup and restore options, local backup of a distant SafeNet Luna Network HSM and remote backup of any SafeNet Luna Network HSM, require that PED operations be performed remotely. For that reason, HSMs must be prepared (locally) in advance by having orange Remote PED keys created and matched with each HSM.
Backing Up a Remote HSM to a Locally-Connected Backup HSM
The diagram below summarizes the elements and setup for backing up partitions of a remote SafeNet Luna Network HSM to a Backup HSM that is attached to the local host. For this example, the system administrator (admin) for the SafeNet Luna Network HSM appliance is also the person doing the backup. The local host is configured as follows:
>The SafeNet Luna HSM client software with the Remote PED options is installed.
>A Remote Luna PED is connected.
>The SafeNet Luna Backup HSM is connected.
Before performing a backup, the admin must open an SSH session to the SafeNet Luna Network HSM appliance and perform a certificate exchange and registration for each SafeNet Luna Network HSM partition to be backed up, so that the local host becomes a client of those partitions.
| Item | Description |
|---|---|
| 1 | The admin must have client access to each partition being backed up. In this scenario, the admin must have black PED keys and passwords for the partitions. |
| 2 | The local host is used to control the backup/restore. The SafeNet Luna Network HSM client vtl software is used to generate and exchange certificates with the SafeNet Luna Network HSM, to create an NTLS link. The Luna PEDServer software running on the local host, in conjunction with the PEDClient software running on the SafeNet Luna Network HSM, provides remote PED access to the SafeNet Luna Network HSM. |
| 3 | The local host can see the SafeNet Luna Network HSM partitions as slots in LunaCM. The Luna PEDClient software runs on the SafeNet Luna Network HSM when it needs to access the Remote PED via the Luna PEDServer software running on the local host. |
| 4 | Every slot on the Backup HSM must have the same domain (red PED key) as the matching slot on the working HSM. The domain (red) PED keys can be different for each partition, or they can share one common domain, re-used for all partitions. The important consideration is that whatever domain situation exists on the primary HSM must be matched on the Backup HSM. |
| 5 | The local host can see the Backup HSM as a slot in LunaCM. Because the local host views the backup/restore operation in this scenario as a local transaction between two slots visible to LunaCM on the local host, the remote backup service (RBS) is not needed. |
This scenario avoids the complication of an intermediary computer (as would be needed for true remote backup), but at the cost of giving the authentication keys for all client partitions to an administrator. Your security protocol determines whether this is acceptable.
Backing Up a Remote HSM to a Remotely-Connected Backup HSM
This section describes how to back up a remote HSM to a Backup HSM that is connected over the network to a remote host. In this configuration, you require an orange PED key, imprinted with the Remote PED Vector (RPV) for the HSM you want to back up. To create the orange PED key, you must temporarily connect a PED directly to the HSM you want to back up, as illustrated in the following figure. The figure shows a local admin session to the HSM. You could administer remotely, but this operation nevertheless requires a local PED connection to the HSM and someone there to insert PED keys and press buttons on the PED keypad, so we depict the most likely connection situation - one person doing all jobs at one location. Once the HSM has been matched to an orange Remote PED key, all future authentications can be performed with Remote PED, and the HSM can safely be shipped to its distant location. See Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key.
Figure 1: Creating an orange PED key imprinted with the remote PED vector (RPV) for the HSM
After you have created the orange (RPV) PED key and have the appropriate red (domain) PED keys for the partitions you want to back up, you are ready to configure and use your Remote Backup HSM. In this scenario, you could have as many as three different computers (we depict two for our example) connecting to the SafeNet Luna Network HSM:
>one to run the ssh administrative connection to the shell (lunash:>) on the SafeNet Luna Network HSM appliance
>one to run the Remote PED server, with the Luna PED (in remote mode) connected via USB to the computer and separately connected to the mains electrical power source (see Changing Modes for instructions on changing modes on the Luna PED)
>one to run a client session with vtl and the SafeNet Remote Backup driver, and with the SafeNet Luna Backup HSM with its own local Luna PED attached
As noted previously, the orange PED keys contain a Remote PED Vector (RPV) that matches the RPV inside the SafeNet Luna Network HSM. It is the presence of that RPV at both ends that allows the connection to be made between the HSM and the Remote PED. At the same time, the SafeNet Luna Network HSM and the SafeNet Luna Backup HSM must share the same cloning domain, in order for backup and restore (cloning) operations to take place between the two HSMs. Therefore, red PED keys with that cloning domain must be available.
SafeNet Luna Network HSMs use Remote Backup Service (RBS) to facilitate Remote Backup.
Required Software
LunaCM is required on both the Client (Host) System and the System Admin computer, but is run on the Client (Host) System to launch and manage the backup and restore activity. PEDClient is needed on both the Client (Host) System and the System Admin computer, as well as on any SafeNet Luna Network HSM.
PEDClient is needed on any host that must reach out to a PEDServer instance and a Remote PED. PEDClient instances can also communicate with each other to facilitate RBS.
PEDServer must reside (and run, waiting for calls) on any computer connected to a Remote PED.
RBS is required on the computer connected to the SafeNet Luna Backup HSM. RBS is not needed on any other computer in the scenario.
Example
The following figure provides an example configuration for backing up a remote HSM to a backup HSM connected to a remote host. This scenario adds an intermediate computer (Client (Host) System) to broker the remote backup of the HSM partitions. That could be a special-purpose computer, or it could simply mean that the Admin on the computer with the Remote Backup HSM is given remote access to each client that normally uses a SafeNet Luna Network HSM partition. The tradeoff is that those clients already have access to their registered partitions, so there is no need for the Remote Backup HSM admin to have client access (PED keys) for those partitions. Your security protocol dictates which scenario is appropriate for you.
Figure 2: Configuration for backing up a remote HSM to a backup HSM connected to a remote host
| Item | Description |
|---|---|
| 1 | "Client (Host) System" (1a) is a client of the SafeNet Luna Network HSM being backed up, but "System Admin" (1b) is not a client of the SafeNet Luna Network HSM. |
| 2 | LunaCM on "Client (Host) System" (2a) sees the primary (2b) and backup (2c) slots and controls the backup/restore. |
| 3 | Each SafeNet Luna Network HSM (3a) partition is a slot visible to a "Client (Host) System" (3b) when the Client (Host) System runs LunaCM. |
| 4 | Every slot on the backup (4a) must have the same domain (red PED key) as the matching slot on the primary HSMs (4b). |
| 5 | Every primary HSM slot (partition) that is to be backed up or restored must be in the logged-in or activated state (black PED keys (5)), so that the Client (Host) System can access it with LunaCM backup or restore commands. |
| 6 | The Backup HSM (6a) is a slot visible to "Client (Host) System" (6b) when the Client (Host) System runs LunaCM. |