partition archive restore
Restore partition objects from a backup. Use this command to restore objects from the specified backup partition, in a backup HSM, in a specified slot, to the current user partition.
Cloning is a repeating atomic action
When you call for a cloning operation (such as backup or restore), the source HSM transfers each object one at a time, encrypted with the source domain. If the source is a V0 or pre-7.7.0 partition, the target HSM then decrypts and verifies each received blob. If the source is a V1 partition, the blob remains encrypted on the Backup HSM. See What are "pre-firmware 7.7.0", and V0, and V1 partitions? for more information.
If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. If the domain string or the domain PED key used to create the target partition did not match the domain of the source HSM partition, the operation fails with the error CKR_CERTIFICATE_INVALID. If the source is a partition using Luna HSM firmware older than 7.7.0, the source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached. If the source is a V0 or V1 partition, the restore operation ends when the first object fails.
NOTE To perform backup operations on HSM firmware 7.7.0 or newer (V0 or V1 partitions):
> Luna Backup HSM (G7) requires minimum firmware version 7.7.1
> Luna Backup HSM (G5) requires minimum firmware version 6.28.0
You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only.
V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.
SMK backup for appliance is supported only with local connection.
Backup and Cloning support matrix
| | to HSM Firmware pre-7.7 | to HSM Firmware 7.7 (or newer) V0 | to HSM Firmware 7.7 (or newer) V1 |
---|---|---|---|
from HSM Firmware pre-7.7 | Yes | Yes | Yes |
from HSM Firmware 7.7 (or newer) V0 | No | Yes | Yes |
from HSM Firmware 7.7 (or newer) V1 | No | No | Yes |
Syntax
partition archive restore -slot <backup_slot> -partition <backup_partition> -password <password> [-replace] [-smkonly] [-debug] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
-debug | -deb | Turn on additional error information (optional). |
-force | -f | Force action with no prompting. |
-partition <backup_partition> | -par | Partition on the backup device (maximum length of 64 characters). |
-password <password> | -pas | User password for the specified partition. |
-replace | -r | Allow objects in the target user partition with the same OUID as the backup objects to be deleted and replaced. Objects with the same OUID are replaced only if they differ from the backup objects in some way. For example, if the object attributes have changed since the last backup, the object is replaced. |
-slot <see description> | -s | Target slot containing the backup device. It can be specified by any of the following: <slot number>, if the backup slot is in the current system; direct, to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5). |
-smkonly | -smk | Restore the SKS Master Key (SMK) without objects. This option applies to Luna HSM firmware 7.7.0 and newer. |
Example
lunacm:> partition archive restore -slot 6 -password Pa$$w0rd -partition mybackupPar
Logging in to partition mybackupPar on slot 6 as the user.
Verifying that all objects can be restored...
1 object will be restored.
Restoring objects...
Cloned object 50 from partition mybackupPar (new handle 39).
Restore Complete.
1 objects have been restored from partition mybackupPar on slot 6.
Command Result : No Error
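
Because a restore can end at the first failed object (V0/V1 source) or skip failed objects and continue (pre-7.7.0 source), it is worth checking a captured transcript for completeness after the run. The following is an added example, not part of the Luna documentation or tooling: it parses the message formats shown in the example above and compares the planned, cloned and reported object counts. The function name, the sample transcripts and the wording of the failing result line are assumptions.

```python
import re

# Constructed transcript: the page's example output, one message per line.
SAMPLE_OK = """Verifying that all objects can be restored...
1 object will be restored.
Restoring objects...
Cloned object 50 from partition mybackupPar (new handle 39).
Restore Complete.
1 objects have been restored from partition mybackupPar on slot 6.
Command Result : No Error
"""
# Constructed failure: two objects planned, one cloned. The exact wording of a
# failing "Command Result" line is an assumption; only the error name is from the page.
SAMPLE_PARTIAL = """Verifying that all objects can be restored...
2 objects will be restored.
Restoring objects...
Cloned object 50 from partition mybackupPar (new handle 39).
Command Result : CKR_CERTIFICATE_INVALID
"""

PLANNED = re.compile(r"(\d+) objects? will be restored\.")
CLONED = re.compile(r"Cloned object (\d+) from partition \S+ \(new handle (\d+)\)\.")
REPORTED = re.compile(r"(\d+) objects? ha(?:s|ve) been restored from partition")
RESULT = re.compile(r"Command Result : (.+)")

def check_restore(transcript):
    """Return ok flag, source-to-new handle map, and findings for one restore run."""
    findings = []
    cloned = CLONED.findall(transcript)
    result = RESULT.search(transcript)
    status = result.group(1).strip() if result else "missing"
    if status != "No Error":
        findings.append(f"command result: {status}")
    if "CKR_CERTIFICATE_INVALID" in transcript:
        findings.append("cloning domain mismatch between backup and target")
    planned = PLANNED.search(transcript)
    if planned is None:
        findings.append("planned object count not found")
    elif int(planned.group(1)) != len(cloned):
        findings.append(f"planned {planned.group(1)} objects, cloned {len(cloned)}")
    reported = REPORTED.search(transcript)
    if reported and int(reported.group(1)) != len(cloned):
        findings.append(f"reported {reported.group(1)} restored, cloned {len(cloned)}")
    handles = {int(src): int(new) for src, new in cloned}
    return {"ok": not findings, "handles": handles, "findings": findings}

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("partial", SAMPLE_PARTIAL)):
        print(name, check_restore(text))
```

The returned handle map records which backup object became which handle on the target partition, which is useful when reconciling the restored partition against an inventory.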