Key Migration Overview

You can migrate key material from an older SafeNet Luna HSM (5.x or 6.x) to a new (7.x) SafeNet Luna HSM using one of three methods: backup and restore, cloning, or cloning using a temporary HA group.

This document guides you through several migration scenarios involving older and newer SafeNet Luna HSMs, using each applicable migration method. Each scenario lists the preconditions that must be met before migrating and identifies the specific user roles that perform the migration. Both authentication methods (password-authenticated and PED-authenticated) are supported.

Supported SafeNet Luna HSMs

This document describes key migration for these SafeNet Luna HSMs:

>SafeNet Luna Network HSM, version 5.x or 6.x to 7.x

>SafeNet Luna USB HSM, version 5.x or 6.x to 7.x

>SafeNet Luna PCIe HSM, version 5.x or 6.x to 7.x

Migration methods

The three migration methods used in this guide are:

>Backup and restore

The backup and restore method uses the LunaCM partition archive backup command to back up key material from an HSM (5.x or 6.x) partition, and the restore command to restore that material to an HSM 7.x partition.

>Cloning

The cloning method uses the LunaCM partition clone command to clone from an HSM (5.x or 6.x) partition to an HSM 7.x partition. It is also referred to as slot-to-slot cloning.

>Cloning using an HA group

The HA group method uses the LunaCM ha synchronize command on the members of a temporary HA group, consisting of a 5.x or 6.x HSM and a 7.x HSM, that is set up solely for the purpose of migration. After migration, remove this group, since its members do not run the same software version.

Preconditions

Each migration procedure in this document is prefaced by a "Preconditions" section that specifies the hardware and software requirements, along with any assumptions the procedure makes when performing the migration steps. Examples are the 5.x or 6.x HSM, the 7.x HSM, the 5.x, 6.x or 7.x client software, the user roles, and the slot numbers used in the procedure.

Roles required for migration

The following partition roles are needed to migrate key material:

>Partition Security Officer. The Partition Security Officer role is needed to perform LunaCM HA operations and to create the Crypto Officer role.

>Partition Crypto Officer. The partition Crypto Officer role is needed to perform LunaCM backup/restore and cloning operations.

NOTE   When logging in to a partition, be mindful of whether you're working with pre-PPSO or PPSO firmware. Use the partition login command if your HSM has pre-PPSO firmware (version 6.21.2 and earlier). Use the role login command if your HSM has PPSO firmware (version 6.22.0 and later). Also, with PPSO firmware 6.22.0 and later (up to but not including firmware 7.x), be careful with user names: type Crypto Officer in full (the name is case-sensitive), not the abbreviation co.

NOTE   In firmware version 7.x, the partition login name requirements allow abbreviations. That is, you can log in using po for Partition Security Officer or co for Crypto Officer.
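The two notes above give three firmware ranges with different login rules, which is easy to get wrong when scripting a migration across mixed 5.x/6.x/7.x slots. As an added example (not from the Luna documentation or LunaCM itself), the helper below parses a firmware version and returns the login command form to type; the -name option of role login is an assumption to check against your LunaCM reference, and the thresholds are taken from the notes.

```python
import re
from typing import Tuple

# Firmware thresholds from the notes above (constructed lookup, not a LunaCM API).
PPSO_FIRST = (6, 22, 0)    # "role login" with full role names from this firmware on
LUNA7_FIRST = (7, 0, 0)    # abbreviated role names ("co", "po") accepted from here on

# Full role names that PPSO firmware below 7.x insists on (case-sensitive).
FULL_ROLE_NAMES = {
    "co": "Crypto Officer",
    "po": "Partition Security Officer",
}
ABBREVIATIONS = {full: abbr for abbr, full in FULL_ROLE_NAMES.items()}


def parse_firmware(version: str) -> Tuple[int, int, int]:
    """Turn '6.21.2' (or '7.0') into a comparable tuple; missing fields count as 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    return (major, minor, patch)


def normalise_role(role: str) -> str:
    """Accept 'co', 'CO', 'Crypto Officer', ... and return the canonical full name."""
    key = role.strip().lower()
    if key in FULL_ROLE_NAMES:
        return FULL_ROLE_NAMES[key]
    for full in FULL_ROLE_NAMES.values():
        if key == full.lower():
            return full
    raise ValueError(f"unknown partition role: {role!r}")


def login_command(firmware: str, role: str) -> str:
    """Return the LunaCM login command to type for this firmware and role.

    The '-name' option of 'role login' is assumed here (check your LunaCM reference).
    """
    fw = parse_firmware(firmware)
    full = normalise_role(role)
    if fw < PPSO_FIRST:
        # Pre-PPSO (6.21.2 and earlier): no per-role login, use partition login.
        return "partition login"
    if fw < LUNA7_FIRST:
        # PPSO 6.22.0 up to (not including) 7.x: full, case-sensitive role name.
        return f'role login -name "{full}"'
    # 7.x: abbreviations are accepted, so the short form is fine.
    return f"role login -name {ABBREVIATIONS[full]}"
```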