Restore your HSM Partition from Token

A SafeNet Luna PCIe HSM 5.x HSM can have up to 20 partitions, with space for objects per HSM defaulting to 2MB, upgradable to 15.5MB. Each partition on the HSM has a share of that space and can have its own cloning domain as represented by a domain (red) PED key.

The normal backup-and-restore option for SafeNet Luna PCIe HSM 5 partitions uses the external, locally connected or remotely linked (network) SafeNet Luna Backup HSM as the backup repository. The SafeNet Luna Backup HSM supports the same partition structure, storage size, and capacity as the SafeNet Luna PCIe HSM 5's onboard HSM.

In order to provide a migration path from earlier SafeNet Luna PCIe HSM and removable-token format HSMs, it is possible to externally connect a SafeNet DOCK 2 card reader for SafeNet PCM, SafeNet CA4, or SafeNet Luna HSM Backup Token, and to restore/migrate legacy token and partition contents to the current-generation SafeNet Luna PCIe HSM.

Keys (objects) from multiple SafeNet CA4 tokens, SafeNet PCM tokens (Key Export Signing, RA), or with differing cloning domains can be consolidated onto one SafeNet Luna PCIe HSM 5.x HSM, where objects from every token HSM are restored onto a partition corresponding to each token (segregated by legacy cloning domain). So, for example, ten legacy tokens (each with 100 objects) go to ten SafeNet Luna PCIe HSM partitions to accommodate however-many objects existed on all those tokens. The SafeNet Luna PCIe HSM in this example receives 1000 objects, allocated as 100 per partition, with each token migrating to its own SafeNet Luna PCIe HSM partition.

Alternatively, multiple SafeNet CA4 tokens, SafeNet PCM tokens, or SafeNet Luna PCIe HSM Backup Tokens can be restored to the same partition if those SafeNet CA4 (or Backup) tokens share the same domain PED key. So, for example, objects from ten tokens (each with 100 objects) go all on one partition which, at the end of the operation, contains 1000 objects.

Requirements

To restore an HSM partition from a removable token (firmware 4.x) to a SafeNet Luna PCIe HSM 5.x HSM, you must have:

>The SafeNet Backup Token containing the objects to be restored to that HSM

>The authentication for the Backup Token or PCM token, and for the HSM partition. The authentication type must match: if your source tokens are password-authenticated, their contents can be restored/migrated onto a password-authenticated HSM partition only; if your source tokens are PED-authenticated, their contents can be restored/migrated onto a PED-authenticated HSM partition only.

>SafeNet DOCK 2 card reader

The types of objects that can be migrated also depend on the configurations and policies of the source and destination HSMs. For example, the RA (registration authority) configuration permits cloning of secret keys, but not of private keys, and that intentional, security policy-based limitation applies to the migration/restore-from-legacy operation as well.

In the following examples, the target, or destination partition is called mylunapar2.

For SafeNet Luna PCIe HSM with Password authentication:

1. Create a partition on the SafeNet Luna PCIe HSM 5 HSM:

lunash:>partition create -partition mylunapar2 -password <password> -domain <domain> -force

2. With the SafeNet DOCK 2 reader powered on and connected (USB) to the SafeNet Luna PCIe HSM 5.x, insert a SafeNet Luna PCIe HSM Backup token (or other legacy removable token-format HSM) into the token-reader slot of the SafeNet DOCK.

3. Type the command (the first option names the destination partition; the -add option appends the token's objects to whatever the partition already holds):

lunash:>partition restore -partition mylunapar2 -password <password> [-tokenPar <name>] [-tokenPw <tokenpassword>] -add

For SafeNet Luna PCIe HSM with PED authentication:

1. Create a partition on the SafeNet Luna PCIe HSM 5 HSM:

lunash:>partition create -partition mylunapar2 -force

Both user (black) and domain (red) PED keys are created for SafeNet Luna PCIe HSM 5 partition mylunapar2.

2. With the SafeNet DOCK 2 reader powered on and connected (USB) to your client computer, insert the desired SafeNet Luna PCIe HSM Backup token or SafeNet CA4 token into the token-reader slot of the SafeNet DOCK 2.

3. Leave the SafeNet DOCK 2 powered on and the token in its slot, and transfer its USB cable connection from the client computer to the USB socket on the SafeNet Luna PCIe HSM 5.x. The SafeNet Luna PCIe HSM immediately sees the new token slot, and you can now run LunaSH commands from the SafeNet Luna PCIe HSM against the token.

4. Import the legacy domain:

lunash:>partition setLegacyDomain -partition mylunapar2 [-password <password>] [-domain <domain>]

and respond to the PED prompts including presenting the legacy red key.

SafeNet Luna PCIe HSM 5, SafeNet Luna USB HSM, and the SafeNet Remote Backup Device use a newer domain scheme, which is not compatible with legacy HSM domains. The partition setLegacyDomain command prepares a legacy domain in a way that allows it to be recognized and used by a current-model HSM, in special circumstances; the HSM retains its modern domain, but the legacy domain becomes associated with the partition's "real" domain. The association is permanent for the life of that partition.

Intentional, designed-in data security provisions prevent setting/associating a legacy domain from one SafeNet token to a single SafeNet Luna PCIe HSM 5.x partition, then associating another (different) legacy domain to that same partition and adding the second token's objects to the partition while the first token's objects are stored there. Just as you cannot clone/copy objects from one token to another token with a different domain, you cannot get around that security provision by migrating unmatched-domain objects to a single SafeNet Luna PCIe HSM partition.

As long as the token HSMs share a common (legacy) domain, you can migrate the contents of multiple tokens to a single partition; the legacy domain is set just once for all such tokens.

5. Type the command:

lunash:>partition restore -partition mylunapar2 -replace -force

and respond to the PED prompts. The -replace option overwrites the partition content with objects from the SafeNet CA4 or PCM or Backup token. Use the -add option if you want to append the SafeNet token objects to the partition.

6. Repeat all the above steps to restore objects from other SafeNet tokens onto separate SafeNet Luna PCIe HSM partitions.

Repeat only step 5 (the partition restore command) with the -add option, instead, to restore objects from other SafeNet tokens onto the same, single SafeNet Luna PCIe HSM 5 partition. This works only if the originating SafeNet tokens all share the same legacy domain. Once a legacy domain is associated with a SafeNet Luna PCIe HSM 5.x partition, that association remains in force for the life of that partition; the HSM does not allow another association (of legacy domain) to be made onto a partition that already has an existing association. The only way to end the association is to destroy the partition (wiping all contents) and create it again.
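The two consolidation patterns described above (one partition per legacy domain, or one partition per token) and the one-domain-per-partition rule are easy to get wrong when many tokens are involved. The following planner is an added example, not SafeNet code; it touches no hardware and only models the rules this page states, so that a migration plan can be checked and the PED-authenticated LunaSH command sequence from steps 1 to 5 rendered before anyone sits down at the DOCK 2. Token names, domain labels, object counts and the partition names mylunapar1, mylunapar2, ... are constructed sample data.

```python
"""Pre-migration planner for restoring legacy SafeNet token HSMs (CA4, PCM,
Backup Token) onto SafeNet Luna PCIe HSM 5.x partitions.

Added illustration, not SafeNet code. It models the rules the procedure
states: a partition is bound to exactly one legacy cloning domain for its
lifetime, tokens may share a partition only if they share that domain, the HSM
holds at most 20 partitions, and the first restore onto a partition uses
-replace while later ones use -add. All names and counts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_PARTITIONS = 20  # SafeNet Luna PCIe HSM 5.x limit stated on the page


@dataclass(frozen=True)
class Token:
    name: str      # label for the legacy token (constructed)
    domain: str    # legacy cloning domain, i.e. which red PED key it uses
    objects: int   # number of key objects stored on it


@dataclass
class Partition:
    name: str
    legacy_domain: Optional[str] = None  # None until setLegacyDomain is run
    objects: int = 0
    restored_from: List[str] = field(default_factory=list)

    def set_legacy_domain(self, domain: str) -> None:
        """Model of 'partition setLegacyDomain': the first association is
        permanent; a different domain is refused."""
        if self.legacy_domain is not None and self.legacy_domain != domain:
            raise ValueError(
                f"{self.name} is already bound to legacy domain "
                f"{self.legacy_domain!r}; destroy and recreate it to change it")
        self.legacy_domain = domain

    def restore(self, token: Token, mode: str) -> int:
        """Model of 'partition restore': -replace overwrites, -add appends.
        A token from a different domain is refused, just as cloning between
        mismatched domains is refused. Returns the resulting object count."""
        if self.legacy_domain != token.domain:
            raise ValueError(
                f"{token.name} (domain {token.domain!r}) cannot be restored "
                f"onto {self.name} (domain {self.legacy_domain!r})")
        if mode == "-replace":
            self.objects = token.objects
            self.restored_from = [token.name]
        elif mode == "-add":
            self.objects += token.objects
            self.restored_from.append(token.name)
        else:
            raise ValueError(f"unknown restore mode {mode!r}")
        return self.objects


def plan_migration(tokens: List[Token], consolidate: bool = True) -> List[Partition]:
    """Assign tokens to partitions. With consolidate=True each distinct legacy
    domain gets one partition and tokens sharing a domain are appended with
    -add; with consolidate=False each token gets its own partition."""
    groups: Dict[str, List[Token]] = {}
    for t in tokens:
        groups.setdefault(t.domain if consolidate else t.name, []).append(t)
    if len(groups) > MAX_PARTITIONS:
        raise ValueError(
            f"plan needs {len(groups)} partitions but the HSM holds {MAX_PARTITIONS}")
    partitions = []
    for i, members in enumerate(groups.values(), start=1):
        p = Partition(name=f"mylunapar{i}")  # constructed partition names
        p.set_legacy_domain(members[0].domain)
        for n, t in enumerate(members):
            p.restore(t, "-replace" if n == 0 else "-add")
        partitions.append(p)
    return partitions


def lunash_commands(partitions: List[Partition]) -> List[str]:
    """Render the PED-authenticated LunaSH sequence from the page for each
    planned partition. Token swaps in the DOCK 2 and PED prompts are manual
    steps, so they appear only as comment lines."""
    lines = []
    for p in partitions:
        lines.append(f"partition create -partition {p.name} -force")
        lines.append(f"# DOCK 2: insert a token from legacy domain {p.legacy_domain}, "
                     f"then present that legacy red PED key when prompted")
        lines.append(f"partition setLegacyDomain -partition {p.name}")
        for n, src in enumerate(p.restored_from):
            lines.append(f"# DOCK 2: insert token {src}")
            mode = "-replace -force" if n == 0 else "-add"
            lines.append(f"partition restore -partition {p.name} {mode}")
    return lines


if __name__ == "__main__":
    # The two scenarios from the page: ten tokens, 100 objects each.
    same_domain = [Token(f"ca4-{i}", "legacyA", 100) for i in range(10)]
    for line in lunash_commands(plan_migration(same_domain)):
        print(line)
```

Running the module prints one partition's command sequence with ten restores (one -replace, nine -add) for the ten same-domain tokens; passing consolidate=False, or tokens with ten different domains, yields ten partitions of 100 objects each, and a plan with more than 20 distinct domains is rejected before any command is issued.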

If you have a PED-authenticated token HSM but did not have MofN authentication applied, the steps are the same as above except that you do not issue the LunaCM partition mofnactivate command.

Backing up the HSM contents to a token-style HSM is not a supported operation for SafeNet Luna PCIe HSM 5.x.

Restoring from a legacy backup token is effectively a one-way data migration.