partition backup
Back up the application partition contents to a Luna Backup HSM. This command copies the contents of a partition to a partition on the Backup HSM.
If you are creating a new backup partition, it is initialized during this process with the same cloning domain as the source partition. If you are backing up new objects to an existing backup partition with existing backup objects, you are prompted to verify if this destructive command should continue.
NOTE To perform backup operations on HSM firmware 7.7.0 or newer (V0 or V1 partitions):
> Luna Backup HSM (G7) requires minimum firmware version 7.7.1
> Luna Backup HSM (G5) requires minimum firmware version 6.28.0
You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only.
V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.
SMK backup for an appliance is supported only with a local connection.
Refer to Backing Up to an Appliance-Connected Luna Backup HSM (G7) or Backup/Restore Using an Appliance-Connected Luna Backup HSM (G5) for a list of the required credentials.
User Privileges
Users with the following privileges can perform this command:
> Admin
> Operator
Syntax
partition backup -partition <name> -tokenpar <name> -serial <serialnum> [-password <password>] [-tokensopwd <password>] [-domain <domain>] [-defaultdomain] [-tokenpw <password>] [-add] [-replace] [-force]
Argument(s) | Shortcut | Description
---|---|---
-add | -a | Add objects to the existing backup partition specified with -tokenpar. Incremental backup (append). If the OUIDs of any source objects match OUIDs of objects already stored on the target backup, they are not backed up, and the existing backup objects are not overwritten. You must specify -add or -replace when backing up to an existing backup partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.
-defaultdomain | -de | Use the default domain string. Deprecated. This is retained only for the benefit of customers who have previously used the default domain and are constrained to continue using it until they create new objects on an HSM with a proper domain. For security reasons, avoid using this option.
-domain <domain> | -do | Specifies the domain string that was used when creating the source partition. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; PED-authenticated HSMs will prompt for the partition's red PED key. If you are creating a new backup partition, the application partition's domain is automatically used to initialize the backup partition. If you are specifying an existing backup partition as the destination, the operation will only succeed if the domains match.
-force | -f | Force the action without prompting.
-partition <partition_name> | -par | Specifies the name of the source partition from which all data/key objects are backed up. Obtain the partition name by using the partition list command.
-password <partition password> | -pas | The partition Crypto Officer's password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; PED-authenticated HSMs will prompt for the partition Crypto Officer's black PED key.
-replace | -r | Clone objects to the target backup partition, overwriting whatever might already exist there. You must specify -add or -replace when backing up to an existing backup partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.
-tokenpar <backup_partition_name> | -tokenpa | Specifies the name of the destination backup partition on the Backup HSM. If you specify the name of an existing backup, that partition is selected. If no partition exists with the supplied label, one is created. Note: Do not begin your partition label with a numeral. This can later be misinterpreted by some commands as a slot number rather than a text label, resulting in failure of the command.
-tokenpw <backup_partition_password> | -tokenpw | Specifies the backup partition's Crypto Officer password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; PED-authenticated HSMs will prompt for the Crypto Officer's black PED key.
-tokensopwd <backup_HSM_SO_pwd> | -tokens | The Backup HSM SO's password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; PED-authenticated HSMs will prompt for the Backup HSM SO's blue PED key. The Backup SO password need not be the same password or PED key as used for the source HSM SO.
-serial <serial_number> | -s | Specifies the Backup HSM serial number.
Example
```
lunash:>partition backup -partition sa78par1 -tokenpar sa78par1backup -serial 496771

Please enter the password for the HSM user partition:
> ********

Please enter a password for the user on the backup token:
> ********

Please enter the cloning domain set when the HSM user partition was created:
> ********

Object "MT RSA 4096-bit Private KeyGen" (handle 70) cloned to handle 14 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 69) cloned to handle 18 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 53) cloned to handle 19 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 54) cloned to handle 23 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 52) cloned to handle 24 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 47) cloned to handle 28 on target

'partition backup' successful.

Command Result : 0 (Success)
```
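When backups are scripted over SSH, the captured lunash output is the only evidence that every object reached the Backup HSM. The following checker is an added example, not part of the Luna documentation or tooling: it parses the output lines in the shape shown above (assumed stable across firmware versions) and flags a non-zero result code, an object count that differs from what the operator expected, a missing success line, or a duplicated target handle.

```python
import re
from dataclasses import dataclass

# Line shapes taken from the 'partition backup' example above; assuming they are
# stable across firmware versions is an assumption of this example.
CLONED_RE = re.compile(
    r'Object "(?P<label>[^"]+)" \(handle (?P<src>\d+)\) cloned to handle (?P<dst>\d+) on target')
RESULT_RE = re.compile(r"Command Result : (?P<code>\d+) \((?P<status>[^)]+)\)")

@dataclass(frozen=True)
class ClonedObject:
    label: str
    src_handle: int
    dst_handle: int

def parse_backup_output(text):
    """Return (cloned objects in output order, result code or None if no result line)."""
    objects = [ClonedObject(m["label"], int(m["src"]), int(m["dst"]))
               for m in CLONED_RE.finditer(text)]
    m = RESULT_RE.search(text)
    return objects, (int(m["code"]) if m else None)

def check_backup(text, expected_count):
    """Return a list of problems; an empty list means the run looks complete.
    expected_count is the number of objects the operator expects to be cloned
    (e.g. from listing the source partition beforehand)."""
    objects, code = parse_backup_output(text)
    problems = []
    if code != 0:
        problems.append(f"result code {code!r}, expected 0 (Success)")
    if len(objects) != expected_count:
        problems.append(f"{len(objects)} objects cloned, expected {expected_count}")
    targets = [o.dst_handle for o in objects]
    if len(targets) != len(set(targets)):
        problems.append("same target handle reported for more than one object")
    if "'partition backup' successful." not in text:
        problems.append("success line missing")
    return problems

# Captured output of the example run shown on this page (prompts omitted).
PAGE_EXAMPLE = """\
Object "MT RSA 4096-bit Private KeyGen" (handle 70) cloned to handle 14 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 69) cloned to handle 18 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 53) cloned to handle 19 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 54) cloned to handle 23 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 52) cloned to handle 24 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 47) cloned to handle 28 on target
'partition backup' successful.
Command Result : 0 (Success)
"""
```

Run `check_backup(captured_text, expected_count)` after each scheduled backup and alert on any non-empty result; a session that was cut off before the result line shows up as both a missing success line and a missing result code.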