Restoring From an Appliance-Connected Luna Backup HSM (G7)

Restoring objects from a backup is essentially the same as the backup procedure, except in reverse. That is, a Crypto Officer can restore the objects from a backup partition to a new or existing user partition, provided they have the credentials required to access the objects in the backup and user partitions.

NOTE   This functionality requires minimum Luna appliance software 7.7.0. See Version Dependencies by Feature for more information.

If partition policy 37: Force Secure Trusted Channel is enabled on the partition, you cannot use this backup/restore configuration. The Backup HSM must be connected to the client (see Backing Up to a Client-Connected Luna Backup HSM (G7)).

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Restoring a PED-Authenticated Partition

>Restoring a Password-Authenticated Partition

Restoring a PED-Authenticated Partition

You can restore the objects from a PED-authenticated backup partition to a PED-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM and a remote PED (either locally using USB or remotely using hsm ped connect) to the Luna Network HSM appliance that hosts the slot for the user partition you want to restore to, and perform the following tasks, as detailed in To restore a PED-authenticated partition:

1. Log in to the appliance (LunaSH) as admin, or other admin-level user.

2. Perform the restore operation (partition restore) and respond to the prompts for the following PED keys:

<source> backup partition

>Remote PED Vector (orange)

>HSM SO (blue)

>Partition SO (PO) (blue)

>Crypto officer (CO) (black)

>Domain (red)

<target> user partition

>Remote PED Vector (orange)

>Crypto officer (CO) (black)

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are familiar with the concepts in PED Authentication.

>You have the required credentials listed in the summary above.

TIP   To simplify the restore process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore to. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for more information.

>You are able to log in to the Luna Network HSM using an admin-level account to access LunaSH.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the user partition you want to restore to.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the user partition you want to restore to.

To restore a PED-authenticated partition

1. Configure your Luna HSM Client workstation using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable.

c. Connect the Remote PED to the Luna Network HSM appliance. You can connect a Remote PED directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED.

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use. The pedserver service must be running on the appliance. You can use the lunash:> service commands to administer the service:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

If you are using a network-attached Remote PED, use hsm ped connect to connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect

NOTE   You can connect the backup HSM to any USB port on the client workstation or Luna Network HSM appliance. Do not attempt to connect the backup HSM to the USB port on the HSM card.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen:

lunash:> token backup list

3. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <source_backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to add new objects and overwrite existing objects.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

4. Respond to the prompts on the PED to insert the following keys:

<source> backup partition

>Remote PED Vector (orange). This is an existing key that was created when the backup HSM was initialized.

>HSM SO (blue). This is an existing key that was created when the backup HSM was initialized.

>Partition SO (PO) (blue). This is an existing key that was created when the backup partition was created.

>Crypto officer (CO) (black). This is an existing key that was created when the backup partition was created.

>Domain (red). The backup HSM and the partition you want to back up must be members of the same domain.

<target> user partition

>Remote PED Vector (orange). This is an existing key that was created when the Luna Network HSM was initialized.

>Crypto officer (CO) (black). This is an existing key that was created when the user partition was created. If the partition is activated, you are prompted to provide the challenge password only. You do not need to provide the PED key.

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

5. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

Restoring a Password-Authenticated Partition

You can restore the objects from a password-authenticated backup partition to a password-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM to the Luna Network HSM appliance that hosts the slot for the user partition you want to restore to, and perform the following tasks, as detailed in To restore a password-authenticated partition:

1. Log in to the appliance (LunaSH) as admin, or other admin-level user.

2. Perform the restore operation (partition restore) and respond to the prompts for the following passwords:

<source> backup partition

>HSM SO.

>Partition SO (PO).

>Crypto officer (CO).

>Domain.

<target> user partition

>Crypto officer (CO).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You have the credentials listed in the summary above.

>You are able to log in to the Luna Network HSM appliance using an admin-level account to access LunaSH.

>[Pre-7.7.0 and V0 partitions only] The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

Partition policy 0: Allow private key cloning must be set to 1 (ON) on the user partition you want to restore to.

Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the user partition you want to restore to.

To restore a password-authenticated partition

1. Configure your Luna Network HSM as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM using the included USB cable.

2. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to add new objects and overwrite existing objects.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

3. Respond to the prompts for the following passwords:

<source> backup partition

>Crypto officer (CO). This is an existing password that was created when the backup partition was created.

<target> user partition

>Crypto officer (CO). This is an existing password that was created when the user partition was created.

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.
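The following sketch is an added example, not part of the Thales documentation or tooling. It renders the ordered LunaSH commands from both procedures above (PED-authenticated and password-authenticated) for a change ticket, and refuses -replace unless the overwrite is explicitly approved. The function name, its parameters, the character allow-list and the sample labels and serial are assumptions made for illustration.

```python
import re

# Assumption of this example: labels and serials are limited to these characters
# and may not start with "-", so a pasted value cannot pass as an extra option.
_SAFE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

def restore_runbook(target, source, serial, mode, *, ped_auth,
                    ped_on_appliance_usb=True, allow_overwrite=False,
                    force_stc=False):
    """Return the ordered LunaSH commands for one restore (hypothetical helper)."""
    if force_stc:
        # Partition policy 37 rules out an appliance-connected Backup HSM.
        raise ValueError("policy 37 is on: connect the Backup HSM to the client")
    for name, value in (("target", target), ("source", source), ("serial", serial)):
        if not _SAFE.fullmatch(value):
            raise ValueError(f"unexpected characters in {name}: {value!r}")
    if mode not in ("add", "replace"):
        raise ValueError("mode must be 'add' or 'replace'")
    if mode == "replace" and not allow_overwrite:
        # -replace overwrites existing objects on the target partition.
        raise ValueError("-replace requires allow_overwrite=True")

    restore = (f"partition restore -partition {target} -tokenpar {source} "
               f"-serial {serial} -{mode}")
    if not ped_auth:
        # Password-authenticated: credentials are typed at the prompts.
        return [restore]

    if ped_on_appliance_usb:
        # PED on an appliance USB port: loopback pedserver plus Backup HSM serial.
        connect = f"hsm ped connect -ip 127.0.0.1 -serial {serial}"
        disconnect = f"hsm ped disconnect -serial {serial}"
    else:
        # Network-attached Remote PED, written as the page shows it.
        connect, disconnect = "hsm ped connect", "hsm ped disconnect"
    return [connect, "token backup list", restore, disconnect]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real appliance.
    for line in restore_runbook("app_par1", "app_par1_bk", "123456", "add",
                                ped_auth=True):
        print("lunash:>", line)
```
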