Backing Up to an Appliance-Connected Luna Backup HSM (G7)

You can connect a Luna Backup HSM (G7) to a USB port on the Luna Network HSM appliance to allow a Crypto Officer (CO) to use LunaSH (via a serial or SSH connection to the appliance) to back up the objects on any partition the CO can log in to on the appliance. You can connect the backup HSM to the Luna Network HSM only when you want to perform a backup/restore, or you can leave the backup HSM connected to the appliance to enable remote backups.

NOTE   This functionality requires minimum Luna appliance software 7.7.0. See Version Dependencies by Feature for more information.

If partition policy 37: Force Secure Trusted Channel is enabled on the partition, you cannot use this backup/restore configuration. The Backup HSM must be connected to the client (see Backing Up to a Client-Connected Luna Backup HSM (G7)).

To perform a backup/restore, you connect the backup HSM to a USB port on the Luna Network HSM that hosts the partition you want to back up, and run the LunaSH partition backup or partition restore commands.

Backups are created and stored as partitions within the Admin partition on the backup HSM. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing <target> backup partition with the current <source> user partition objects, or add new objects in the <source> user partition to the existing <target> backup partition. You can restore a backup to a new or existing user partition that shares the same domain as the backup partition.

In addition to the credentials listed in Backup and Restore Using a Luna Backup HSM (G7), the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

NOTE   To perform backup operations on HSM firmware 7.7.0 or newer (V0 or V1 partitions):

> Luna Backup HSM (G7) requires minimum firmware version 7.7.1

> Luna Backup HSM (G5) requires minimum firmware version 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only.

V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

SMK backup for the appliance is supported only with a local connection.

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Backing Up a PED-Authenticated Partition

>Backing Up a Password-Authenticated Partition

Backing Up a PED-Authenticated Partition

You require a PED-authenticated backup HSM to back up a PED-authenticated user partition. You also require a remote PED, which you connect directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable, or remotely to a network-attached Luna HSM Client workstation that hosts a remote PED.

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The PED must be in Remote mode.

Summary

To perform a backup, you connect the backup HSM and a remote PED (using a USB or network connection) to the Luna Network HSM appliance that hosts the slot for the user partition you want to back up, and perform the following tasks, as detailed in To backup a PED-authenticated partition:

1. Log in to the appliance (LunaSH) as admin, or other admin-level user.

2. Connect the Remote PED (hsm ped connect) to the appliance loopback IP (127.0.0.1) or remote host IP.

3. Perform the backup operation (partition backup) and respond to the prompts for the following PED keys:

<source> partition

>Remote PED Vector (orange)

>Crypto officer (CO) (black)

<target> backup partition

>Remote PED Vector (orange)

>HSM SO (blue)

>Partition SO (PO) (blue)

>Crypto officer (CO) (black)

>Domain (red).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are familiar with the concepts in PED Authentication.

TIP   To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to back up. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for more information.

>You are able to log in to the Luna Network HSM using an admin-level account to access LunaSH.

>You have the required credentials as listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To backup a PED-authenticated partition

1. Configure your Luna Network HSM appliance using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable.

c. Connect the Remote PED to the Luna Network HSM appliance. You can connect a Remote PED directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED:

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use. The pedserver service must be running on the appliance. You can use the lunash:> service commands to administer the service:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

NOTE   You can connect the backup HSM to any USB port on the client workstation or Luna Network HSM appliance. Do not attempt to connect the backup HSM to the USB port on the HSM card.

2. Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

3. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to add new objects and overwrite existing objects. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to PED prompts, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

4. Respond to the prompts on the PED to insert the following keys:

<source> partition

>Remote PED Vector (orange)

>Crypto officer (CO) (black). If the partition is activated, you are prompted to provide the challenge password only. You do not need to provide the PED key.

<target> backup partition

>Remote PED Vector (orange). This is an existing key that was created when the backup HSM was initialized.

>HSM SO (blue). This is an existing key that was created when the backup HSM was initialized.

>Partition SO (PO) (blue).

If this is the first time the <source> user partition is being backed up to this backup HSM, you are prompted to initialize the backup Partition SO role by creating a new key or reusing an existing key (SETTING SO PIN). After you initialize the role, you are prompted to insert the key again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the key used to initialize the backup partition SO role.

>Crypto officer (CO) (black):

If this is the first time the <source> user partition is being backed up to this backup HSM, you must first initialize the backup partition CO role. This requires partition SO credentials, so you are prompted for the blue (Partition SO) key. After authenticating as the partition SO, you are prompted to initialize the backup partition CO role by creating a new key or reusing an existing key (SETTING SO PIN). After you initialize the partition CO role, you are prompted to insert the key again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the key used to initialize the backup partition CO role.

>Domain (red). The backup HSM and the partition you want to back up must be members of the same domain.

The backup begins once you have completed the authentication process. Objects are backed up one at a time.

5. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

6. If this is the first backup to the <target> backup partition, use the Duplicate function on the PED to create and label a set of backup keys for the new <target> backup partition PSO (blue) and CO (black) keys. See Duplicating Existing PED Keys for details.

Backing Up a Password-Authenticated Partition

You require a password-authenticated backup HSM to back up a password-authenticated user partition.

Summary

To perform a backup, you connect the backup HSM and a remote PED (using a USB or network connection) to the Luna Network HSM appliance that hosts the slot for the user partition you want to back up, and perform the following tasks, as detailed in To backup a password-authenticated partition:

1. Log in to the appliance (LunaSH) as admin, or other admin-level user.

2. Perform the backup operation (partition backup) and respond to the prompts for the following passwords:

<source> partition

>Crypto officer (CO)

<target> backup partition

>HSM SO

>Partition SO (PO)

>Domain. The backup HSM and the partition you want to back up must be members of the same domain.

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM using an admin-level account to access LunaSH.

>You have the required credentials as listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To backup a password-authenticated partition

1. Configure your Luna Network HSM as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM using the included USB cable.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to add new objects and overwrite existing objects. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

4. Respond to the prompts for the following passwords:

<source> partition

>Crypto officer (CO)

<target> backup partition

>HSM SO. This is an existing password that was created when the backup HSM was initialized. It is required to create or access the backup partition in the Admin slot.

>Partition SO (PO). You will create a new password on the initial backup, and use the password for subsequent backups to the <target> backup partition.

>Domain. The backup HSM and the partition you want to back up must be members of the same domain.

The backup begins once you have completed the authentication process. Objects are backed up one at a time.
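
The prerequisite and option rules from both procedures above, collected into a pre-flight check an operator could run before typing the LunaSH command. This is an added example, not Thales code: the dictionary field names, the sample partition label and the serial number are hypothetical, and the script does not query an HSM.

```python
from datetime import date

def ver(s):
    """'7.7.1' -> (7, 7, 1) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def plan_backup(src, bhsm, target=None, mode=None):
    """Return (blockers, target_label, lunash_command) for one backup run.
    src and bhsm are operator-filled dicts (hypothetical field names)."""
    if mode not in (None, "add", "replace"):
        raise ValueError("mode must be None, 'add' or 'replace'")
    ptype, blockers = src["type"], []   # partition type: "pre-7.7.0", "V0" or "V1"
    if ver(src["appliance_sw"]) < (7, 7, 0):
        blockers.append("appliance software older than 7.7.0")
    if src["policy37_force_stc"]:
        blockers.append("partition policy 37 on: use a client-connected backup HSM")
    if not src["hsm_policy16"]:
        blockers.append("HSM policy 16 (network replication) is off")
    if ptype in ("pre-7.7.0", "V0"):    # cloning policies: pre-7.7.0 and V0 only
        if not src["policy0_private_cloning"]:
            blockers.append("partition policy 0 (private key cloning) is off")
        if not src["policy4_secret_cloning"]:
            blockers.append("partition policy 4 (secret key cloning) is off")
    if ptype in ("V0", "V1") and ver(bhsm["fw"]) < (7, 7, 1):
        blockers.append("backup HSM (G7) firmware older than 7.7.1")
    # Without -tokenpar the label defaults to <source_partition_name>_<YYYYMMDD>,
    # dated by the source HSM's own clock (supplied here as src["hsm_date"]).
    label = target or f'{src["label"]}_{src["hsm_date"]:%Y%m%d}'
    # Assumption of this example: a default label that matches an existing
    # backup partition counts as backing up to an existing partition.
    if label in bhsm["partitions"] and ptype != "V1" and mode is None:
        blockers.append("existing backup partition: choose -add or -replace")
    cmd = ["partition", "backup", "-partition", src["label"], "-serial", bhsm["serial"]]
    if target:
        cmd += ["-tokenpar", target]
    if mode:
        cmd.append("-" + mode)
    return blockers, label, " ".join(cmd)

# Constructed sample state; none of these values come from a real device.
SRC = {"label": "app_par1", "type": "V0", "appliance_sw": "7.7.0",
       "policy37_force_stc": False, "hsm_policy16": True,
       "policy0_private_cloning": True, "policy4_secret_cloning": False,
       "hsm_date": date(2024, 3, 5)}
BHSM = {"serial": "1234567", "fw": "7.7.1", "partitions": ["app_par1_20240305"]}

if __name__ == "__main__":
    problems, label, command = plan_backup(SRC, BHSM)
    print(label, problems or "ready", "lunash:> " + command, sep="\n")
```

An empty blocker list means the command string can be issued as shown; the credential prompts that follow are unchanged from step 4 of either procedure.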