Migrating Keys to Your New HSM
This chapter describes how to migrate your keys and configuration from a Luna HSM 5.x or 6.x partition to a Luna HSM 7.x partition by using one of three methods; backup and restore, cloning, or cloning using a temporarily HA group:
>Luna Network HSM (5.x or 6.x) to Luna Network HSM (7.x)
>Luna USB HSM (5.x or 6.x) to Luna Network HSM (7.x)
>Luna PCIe HSM (5.x or 6.x) to Luna Network HSM (7.x)
>Luna PCIe HSM or Luna USB HSM (5.x or 6.x) to Luna PCIe HSM (7.x)
>Moving from Pre-7.7.0 to Firmware 7.7.0 or Newer
Refer also to the chapter on Key Cloning, particularly Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM.
This document guides you through several migration scenarios consisting of older and newer Luna HSMs, using each applicable migration method. Before migrating, preconditions are provided for each scenario that must be met. There are specific user roles that are identified for performing the migration. In addition, both authentication methods (password and PED-authenticated) are supported.
Supported Luna HSMs
This document describes key migration for these Luna HSMs:
> Luna Network HSM, version 5.x or 6.x to 7.x
>Luna USB HSM, version 5.x or 6.x to 7.x
>Luna PCIe HSM, version 5.x or 6.x to 7.x
Migration methods
The three migration methods used in this guide are:
>Backup and restore
The backup and restore method uses the LunaCM partition archive backup command to backup key material on an HSM (5.x or 6.x) partition and the Restore command to then restore this material to an HSM 7.x partition.
>Cloning
The cloning method uses the LunaCM partition clone command to clone from an HSM (5.x or 6.x) partition to an HSM 7.x partition. It is also referred to as slot-to slot cloning.
>Cloning using an HA group
The HA group method uses the LunaCM ha synchronize command on members of a temporary HA group consisting of a 5.x or 6.x HSM and a 7.x HSM, set up solely for the purpose of migration. After migration, this group should be removed since the members are not using the same software version.
Preconditions
Each migration procedure in this document is prefaced by a "Preconditions" section that specifies the hardware and software requirements along with any assumptions the procedure is using to perform the migration steps. Examples are a 5.x or 6.x HSM, a 7.x HSM, 5.x, 6.x or 7.x client software, user roles and the slot #s used in the procedure.
Roles required for migration
The following partition roles are needed to migrate key material:
>Partition Security Officer. The partition security officer role is needed to perform LunaCM HA operations and to create the Crypto Officer role.
>Partition Crypto Officer. The partition Crypto Officer role is needed to perform LunaCM backup/restore and cloning operations.
NOTE When logging in to a partition, be mindful of whether you’re working with pre-PPSO or PPSO firmware. Use the partition login command if your HSM has pre-PPSO firmware (version 6.21.2 and earlier). Use the role login command if your HSM has PPSO firmware (version 6.22.0 and later). Also, with PPSO firmware 6.22.0 and later (up to but not including firmware 7.x), be careful with user names; that is, type Crypto Officer in full (is case sensitive) and not the abbreviation co.
In firmware version release 7.x, partition login name requirements allow for abbreviations. That is, you can log in using po for Partition Security Officer or co for Crypto Officer.