token backup
Access the token backup commands.
When to use LunaSH "token backup" commands, or use "vtl backup" commands:
LunaSH token backup commands operate a SafeNet Luna Backup HSM attached directly to SafeNet Luna Network HSM via USB, and are not intended for use with remotely connected backup devices.
You might have a locally-connected backup HSM (connects directly to a SafeNet Luna Network HSM via USB cable) and a locally connected serial terminal and be walking them from SafeNet Luna Network HSM to SafeNet Luna Network HSM in your server room to perform backups. Or you might be administering remotely via SSH and lunash:> commands, while a technician in your server center carries the backup HSM from one SafeNet Luna Network HSM to the next. In either case, these token backup commands are the method to use. The important distinction is where the backup HSM is physically connected - from the SafeNet Luna Network HSM perspective, those are both local backup operations to a backup HSM that is locally connected to the appliance.
VTL backup commands operate a SafeNet Luna Backup HSM connected to a computer, and located distantly from your primary SafeNet Luna Network HSM appliance. The VTL backup commands are not for use with a SafeNet Luna Backup HSM that is connected directly to your SafeNet Luna Network HSM appliance.
For true, hands-off, lights-out operation of your SafeNet appliances, use a SafeNet Luna Backup HSM located in your administrator's office (or other convenient location), connected to a computer acting as a Remote Backup server (this could be your administrative workstation, or it could be a completely separate computer). This means the computer and Backup HSM are located near you and remote/distant from your SafeNet Luna Network HSM appliance(s). For that application, use the backup commands in the VTL utility supplied with the SafeNet Luna Network HSM Client software (which must be installed on the computer that is acting as Remote Backup server) - the appliance token backup commands are not designed to work for Remote Backup.
Syntax
token backup
factoryreset
init
list
login
logout
partition
show
update
Argument(s) | Shortcut | Description |
---|---|---|
factoryreset | f | Reset a backup token to factory default settings. See token backup factoryreset. |
init | i | Initializes the token with the specified serial number and prepares it to receive backup data. See token backup init. |
list | li | List all backup tokens. See token backup list. |
login | logi | Login backup token admin. See token backup login. |
logout | logo | Logout backup token admin. See token backup logout. |
partition | p | Access the token backup partition commands to manage your backup partitions. See token backup partition. |
show | s | Get backup token information. See token backup show. |
update | u | Update commands. See token backup update. |
An external SafeNet Luna Backup HSM can be USB-connected to a SafeNet Luna Network HSM appliance for local backup/restore operations.
SafeNet Luna Network HSM does not pass PED operations and data through to an externally connected SafeNet Luna backup HSM from a Luna PED that is connected locally to the SafeNet Luna Network HSM.
If the external HSM is PED-authenticated, then the options for Luna PED connection are:
>local PED connection, directly to the affected HSM, when needed, or
>Remote PED connection, passed through the SafeNet Luna Network HSM
NOTE Support for locally connected Backup HSM with Remote PED, begins at firmware version 6.10.1 in the external HSM.
NOTE Use of Remote PED with an external device is made possible when you set up with the commands
hsm ped vector init -serial <serial#_of_external_HSM> and
hsm ped connect -serial <serial#_of_external_HSM>
before using token backup commands.
CAUTION! When labeling HSMs or partitions, never use a numeral as the first, or only, character in the name/label. Token backup commands allow a slot-number OR a label as identifier, which can lead to confusion if the label is a string version of a slot number.
For example, if the token is initialized with the label "1
", the user cannot use the label to identify the target for backup purposes, because VTL parses "1
" as the numeric ID of the first slot rather than as a text label for the target in the actual occupied slot.
LunaSH token backup commands on SafeNet Luna Network HSM would be unable to see SafeNet Luna Backup HSM slots maintained by Remote Backup server. Either connect the Backup HSM locally to the SafeNet Luna Network HSM USB port to use token backup commands, or use VTL commands directed to a SafeNet Luna Backup HSM connected to a computer configured as a backup server.