Backup and Restore

Cryptographic key material can be backed up and then restored to a release 7.x SafeNet Luna PCIe HSM partition using a SafeNet Luna Backup HSM.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To backup and restore cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see HSM Initialization).

The 7.x client software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see SafeNet Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x HSM

>the source and destination partitions are both registered with the client (visible)

>the source partition's security policy allows cloning of private and secret keys

In the following example:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

>Slot 2: the Backup HSM partition

NOTE   Partition login name requirements have changed with the hardware versions. With release 7.x , you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To migrate cryptographic keys from a 5.x/6.x partition to a 7.x partition using a Backup HSM

Follow these steps to back up all cryptographic material on a 5.x/6.x partition to a Backup HSM, and restore to a new 7.x partition.

1.Run LunaCM, set the current slot to the 7.x partition, and initialize the partition and the Partition SO role.

slot set -slot 0

partition init -label <7.x_partition_label>

a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are backing up a PED-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.

role createchallenge -name co -challengeSecret <password>

3.Connect your backup HSM and make sure it is visible to the client, along with the 5.x/6.x and 7.x HSMs.

4.Set the current slot to the source 5.x/6.x slot.

slot list

slot set -slot 0

5.Log in as the Crypto Officer.

NOTE   Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type Crypto Officer in full (is case sensitive) and not co.

a.If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b.If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up) , use:

role login -name Crypto Officer

6.Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the “partition contents” command.

partition contents

7.Back up the 5.x/6.x partition contents to the Backup HSM.

partition archive backup -slot 2 -partition <backup_label>

a.If you are backing up a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b.If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

Optionally, verify that all objects were backed up successfully on the Backup HSM by checking the partition contents.

8.Set the current slot to the 7.x partition, log in as the Crypto Officer, and restore from backup.

slot set -slot 1

role login -name co

partition archive restore -slot 2 -partition <backup_label>

Afterwards, you can verify the partition contents on the 7.x partition:

partition contents


Customer Support Portal

SafeNet Luna PCIe HSM 7.3 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.