Backup & Restore Overview

HSM Partition backup securely clones partition objects from a named HSM Partition to a SafeNet Luna Backup HSM (which is used whether you back up remotely or locally). This allows you to safely and securely preserve important keys, certificates, etc., away from the SafeNet appliance. It also allows you to restore the backup device's contents onto more than one HSM Partition, if you wish to have multiple partitions with identical contents.

The HSM Partition backup command with the add option is a non-destructive process: the contents of your HSM partition are copied to a matching partition on the SafeNet Luna Backup HSM, adding new/changed objects to any that already exist on (that partition of) the backup device.

HSM Partition backup with the replace option is a destructive process (destructive to any material that might already exist on the target Backup partition; it does not affect objects on the partition that is being backed up).

Backup for SafeNet Luna HSM 5 uses SafeNet Luna Backup HSM to back up and restore individual partitions.

The Backup device is a separately powered unit that can connect to the primary HSM in one of two ways:

>Locally, using direct connection at the host

>Remotely, via USB connection to a backup workstation with secure network connection to SafeNet Luna HSM's host

The backup operation looks a lot like the restore operation, because they are basically the same event, merely in different directions.

Connect

For local backup, connect SafeNet Luna Backup HSM to a power source, and via USB cable to the host's USB port.

For remote backup, connect SafeNet Luna Backup HSM to a power source, and via USB cable to a USB port on your computer.

In both cases, the cable attaches to the port on the back panel of SafeNet Luna Backup HSM, which requires a mini-USB connector at that end of the cable (the same kind of cable used to connect computers to cameras, cellphones, etc.).

For PED-authenticated HSMs

At the front panel, connect the SafeNet PED, using the supplied cable between the micro-D subminiature (MDSM) connector on top of the PED, and the matching MDSM connector on the front panel of SafeNet Luna Backup HSM (the connector labeled "PED").

Source and Target - full or partial

Issue the partition backup command.

Identify the partition to be backed up (source), and the partition that will be created (or added to) on the Backup HSM - the Token Partition Name.

Specify whether to add only unique objects (objects that have not previously been saved onto the target partition), or to completely replace the target partition (overwrite it).

In lunacm:> on a workstation, the command is:

lunacm:> partition backup backup -slot <slot> -pas <password> -par <backup partition>   
 

This assumes that the target partition already exists with the appropriate domain.

Domain

If the target partition exists on the Backup HSM, then it must already share its partition domain with the source partition.

If the target partition is being created, then it takes the domain of the source partition.

Multiple partitions, with different domains, can exist on a single SafeNet Luna Backup HSM.

As with backup operations, restore operations can take place only where the source and target partitions have the same domain.

>Full/replace backup or restore creates a new target partition with the same domain as the source partition.

>Partial (additive/incremental) backup or restore requires the existing source and target partitions to have the same domain before the operation can start.

No cross-domain copying (backup or restore) is possible - there is no way to "mix and match" objects from different domains.

Replace or Append

If a matching target partition exists and the source partition is being incrementally backed up - choosing the add option in the command - then the target partition is not erased. Only source objects with unique IDs are copied to the target (backup) partition, adding them to the objects already there.

If a matching target partition exists and the source partition is being fully backed up - choosing the replace option in the command - then the existing partition is erased and a new one created.

PED or Password

SafeNet Luna Backup HSM creates a partition with matching authentication type to the SafeNet Luna PCIe HSM partition that is being backed up.

That does not work in the opposite direction, however. SafeNet Remote Backup Device can restore a partition (or contents of a partition) only to a SafeNet Luna Network HSM of matching authentication type.

You cannot mix partition authentication types on one backup device. That is, if you have a PED-authenticated HSM and a password-authenticated HSM, you require two SafeNet Luna Backup HSMs. Normally this is not a concern because a given installation is likely to employ all SafeNet Luna HSMs of the same authentication type in order to have a backup of each HSM's partitions. There is no possibility of backing up data from a higher-security device (Trusted Path, PED-authenticated, FIPS-3) onto a lower-security device (Password protected, FIPS-2).

However, for HSMs of the same authentication type, you could back up (or restore) partitions from different HSMs onto a single SafeNet Luna Backup HSM, as long as there is sufficient room. Given that the type matches, the authentication (domain) is handled at the partition level.
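
The rules in the Domain, Replace or Append, and PED or Password sections above can be expressed as a dry-run check that reports what a backup would copy and what it would destroy before the command is issued. This is an added example, not SafeNet code and not a lunacm interface: the Partition and Plan types, the plan_backup function, the domain labels and the object IDs are all constructed for illustration, and the model applies the "existing target must share the source's domain" rule to both add and replace.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

@dataclass
class Partition:
    name: str
    domain: str   # constructed label standing in for the cloning domain secret
    auth: str     # "ped" or "password"
    objects: dict = field(default_factory=dict)  # object ID -> description

class Plan(NamedTuple):
    allowed: bool
    reason: str
    copied: list  # object IDs that would be written to the target
    erased: list  # object IDs that would be destroyed on the target

def plan_backup(source, device, target_name, mode):
    """Dry run. 'device' is the list of Partitions already on the Backup HSM."""
    if mode not in ("add", "replace"):
        raise ValueError("mode must be 'add' or 'replace'")
    # Authentication types cannot be mixed on one backup device.
    if any(p.auth != source.auth for p in device):
        return Plan(False, "authentication type mismatch", [], [])
    target = next((p for p in device if p.name == target_name), None)
    if target is None:
        # A target that is being created takes the domain of the source.
        return Plan(True, "target created with source domain",
                    sorted(source.objects), [])
    # An existing target must already share the source's domain.
    if target.domain != source.domain:
        return Plan(False, "domain mismatch", [], [])
    if mode == "replace":
        # Destructive to the target only; the source partition is untouched.
        return Plan(True, "target erased and recreated",
                    sorted(source.objects), sorted(target.objects))
    # add: only objects whose IDs are not already on the target are copied.
    new_ids = sorted(set(source.objects) - set(target.objects))
    return Plan(True, "unique objects appended", new_ids, [])

# Constructed inventory for illustration only.
SOURCE = Partition("prod", "domain-A", "ped",
                   {"0x01": "CA key", "0x02": "TLS key", "0x03": "new signing key"})
BACKUP = [
    Partition("prod_bk", "domain-A", "ped",
              {"0x01": "CA key", "0x02": "TLS key", "0x09": "retired key"}),
    Partition("other_bk", "domain-B", "ped", {"0x20": "unrelated key"}),
]

if __name__ == "__main__":
    for target, mode in [("prod_bk", "add"), ("prod_bk", "replace"),
                         ("other_bk", "add"), ("fresh_bk", "add")]:
        print(target, mode, plan_backup(SOURCE, BACKUP, target, mode))
```

In the replace case the erased list includes object 0x09, which exists only on the backup partition; that is the material a destructive backup removes and an additive one keeps.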

Remote Backup and Restore

Remote backup and restore follow the rules for local backup and restore, with some additional considerations.

When used in Remote mode, SafeNet Luna Backup HSM is connected via USB to a workstation computer that can be the same host that contains the primary HSM, or can be physically distant.

As of SafeNet Luna HSM 5.2 release, it is convenient to use a single Luna PED (Remote) for PED interaction with both local and remote HSMs.

About HSM Backup - Local and Remote

In many cases, it is sound practice to back up the contents of your SafeNet Luna PCIe HSM, in particular the contents of HSM partitions.

If the important objects are static, then a single backup is sufficient. If important objects change frequently, or if it is important to be able to revert to an identifiable date/time/condition/content, then regular backups are a necessity.

The Backup HSM

SafeNet Luna HSM 5.x backup is performed with the SafeNet Luna Backup HSM. Note that the word "Remote" in that product name merely denotes a capability. The SafeNet Luna Backup HSM also works fine as the local backup device for SafeNet Luna HSM, and is the only device supported for both local and remote backup of SafeNet Luna PCIe HSM.

The options for backup of primary/source SafeNet Luna HSMs are:

>Local backup of any SafeNet Luna HSM, where all components are co-located. This is a possible scenario with all SafeNet Luna HSMs, but is more likely with direct-connect, local-to-the-client HSMs such as SafeNet Luna PCIe HSM. It is unlikely for SafeNet Luna Network HSM, simply because SafeNet Luna Network HSM normally resides in a server rack, distant from its administrators.

>Local backup of SafeNet Luna PCIe HSM, where SafeNet Luna Network HSM is located remotely from a computer that has the SafeNet Luna Backup HSM. This is one of the likely scenarios with SafeNet Luna Network HSM, but requires that the administrator performing backup must have client authentication access to all SafeNet Luna Network HSM partitions.

>Remote backup of any SafeNet HSM, where the SafeNet Luna HSM is located remotely from the computer that has the SafeNet Luna Backup HSM. This scenario requires that the administrator of the SafeNet Luna Backup HSM's host computer connects (via SSH or RDP) to the clients of each HSM partition that is to be backed up. The client performs the backup (or restore) under remote direction.

In Local mode, you connect directly to SafeNet Luna PCIe HSM via USB. That is, local backup is local to the HSM appliance being backed up, not necessarily local to the administrator who is directing the process, who might be far away.

For remote backup, you connect (again via USB) to a computer running vtl and the driver for the device. Backup and restore are then performed over the secure network connection. For PED-authenticated SafeNet Luna PCIe HSM, you must have a copy of the appropriate red (domain) PED keys, from the SafeNet Luna PCIe HSM, to use with the Backup HSM, in order to perform the copy/cloning (backup and restore) operation between the HSMs.

Local Backup of co-located HSMs

The following diagram depicts the elements and connections of the local backup (and restore) operation, where everything is in one room.

1 LunaCM on Client (Host) System sees the primary and backup slots and controls the backup/restore operation
2 Backup HSM is a slot visible to "Client (Host) System" when Client (Host) System runs LunaCM
3 Primary HSMs are slots visible to "Client (Host) System" when Client (Host) System runs LunaCM
4 Every slot on the backup must have same domain (red PED key) as matching slot on the primary HSMs

For SafeNet Luna Network HSM, the above would be a minority scenario.

The other two backup and restore options:

>Local backup of a distant SafeNet Luna Network HSM

>Remote backup of any SafeNet Luna HSM

... require that PED operations be performed remotely. For that reason, HSMs must be prepared (locally) in advance by having orange Remote PED keys created and matched with each HSM.

Local Backup of a Distant SafeNet HSM

This applies only to SafeNet Luna Network HSM, and is not an option for SafeNet Luna PCIe HSM.

Preparing (configuring) for Remote Backup with Remote PED

While it is standard to remotely administer SafeNet Luna Network HSM, you can also remotely administer an HSM (SafeNet Luna PCIe HSM embedded in a distant host computer) by means of an SSH session or an RDP (Remote Desktop Protocol) session. You could administer several such HSMs from a central location, including performing backup and restore operations with a SafeNet Luna Backup HSM connected to your Admin computer (perhaps a laptop).

For PED-authenticated HSMs, this operation requires a PED connection to each primary SafeNet Luna HSM and someone to insert PED keys and press buttons on the PED keypad, which implies Remote PED and Remote Backup. Once the HSM has been matched to an orange Remote PED key, all future authentications can be performed with Remote PED, and the HSM can safely be deployed to its distant location.

Remote Backup

In the following diagram, the preparation (above) has been done, and suitable orange and red PED keys have the appropriate secrets imprinted, to allow Remote PED connection and Remote (or Local) Backup (cloning) respectively.

This scenario is applicable to both SafeNet Luna PCIe HSM and SafeNet Enterprise HSMs with slight differences in handling.

1 LunaCM is on both the Client (Host) System and the Admin System, but is run on Client (Host) System to launch and manage the backup and restore activity.
2 LunaCM on "Client (Host) System" (2a) sees the primary (2b) and backup (2c) slots and controls the backup/restore.
3

>PedClient is needed on both the Client (Host) System and the Admin System

>PedClient is needed on any host that must reach out to a pedserver instance and a Remote PED

>PedClient instances can also communicate with each other to facilitate RBS

4 Every slot on the backup (4a) must have the same domain (red PED key) as the matching slot on the primary HSMs (4b).
5 Every primary HSM slot (partition) that is to be backed up or restored must be in login or activated state (black PED keys - (5)), so that the Client (Host) System can access it with lunacm:> backup or restore commands.
6 PedServer must reside (and run, waiting for calls) on any computer connected to a Remote PED.
7 RBS is required on the computer connected to the SafeNet Luna Backup HSM. RBS is not needed on any other computer in the scenario.

As noted previously, the orange PED keys (Remote PED keys or RPK) contain a Remote PED Vector (RPV) that matches the RPV inside the SafeNet Luna HSM. It is the presence of that RPV at both ends that allows the connection to be made between the HSM and the Remote PED.

About HSM Backup - Local and Remote

In many cases, it is sound practice to back up the contents of your SafeNet Luna Network HSM, in particular the contents of HSM partitions.

If the important objects are static, then a single backup is sufficient. If important objects change frequently, or if it is important to be able to revert to an identifiable date/time/condition/content, then regular backups are a necessity.

The Backup HSM

SafeNet Luna HSM 5.x backup is performed with the SafeNet Luna Backup HSM. Note that the word "Remote" in that product name merely denotes a capability. The SafeNet Luna Backup HSM also works fine as the local backup device for SafeNet Luna HSM, and is the only device supported for both local and remote backup of SafeNet Luna Network HSM.

The options for backup of primary/source SafeNet Luna HSMs are:

>Local backup of any SafeNet Luna HSM, where all components are co-located. This is a possible scenario with all SafeNet Luna HSMs, but is more likely with direct-connect, local-to-the-client HSMs such as SafeNet Luna PCIe HSM. It is unlikely for SafeNet Luna Network HSM, simply because SafeNet Luna Network HSM normally resides in a server rack, distant from its administrators.

>Local backup of SafeNet Luna Network HSM, where SafeNet Luna Network HSM is located remotely from a computer that has the SafeNet Luna Backup HSM. This is one of the likely scenarios with SafeNet Luna Network HSM, but requires that the administrator performing backup must have client authentication access to all SafeNet Luna Network HSM partitions.

>Remote backup of any SafeNet HSM, where the SafeNet Luna HSM is located remotely from the computer that has the SafeNet Luna Backup HSM. This scenario requires that the administrator of the SafeNet Luna Backup HSM's host computer connects (via SSH or RDP) to the clients of each HSM partition that is to be backed up. The client performs the backup (or restore) under remote direction.

In Local mode, you connect directly to SafeNet Luna Network HSM via USB. That is, local backup is local to the HSM appliance being backed up, not necessarily local to the administrator who is directing the process, who might be far away.

For remote backup, you connect (again via USB) to a computer running vtl and the driver for the device. Backup and restore are then performed over the secure network connection. For PED-authenticated SafeNet Luna Network HSM, you must have a copy of the appropriate red (domain) PED keys, from the SafeNet Luna Network HSM, to use with the Backup HSM, in order to perform the copy/cloning (backup and restore) operation between the HSMs.
