Planning Your Backup HSM Deployment

When setting up your backup deployment, you have multiple configuration options. This section will help you choose the right configuration for your organization, depending on where you prefer to keep your backups. You can use a Luna Backup HSM or an application partition on any other Luna HSM for backup/restore operations.

Backup and restore operations require that cloning be enabled on the HSM/partition.

>Partition to Partition

>Backup HSM Connected to the Host Workstation

>Backup HSM Installed Using Remote Backup Service (RBS)

NOTE   The diagrams below depict the host workstation as the remote PED server, but you can also use a separate remote PED station. Since remote PED is supported on Windows clients only, this will be necessary if you use Linux/UNIX clients.

Partition to Partition

You can clone objects from any Luna 7 application partition to any other Luna 7 partition that shares its cloning domain. You must have the Crypto Officer credential for both partitions. Both partitions must use the same authentication method (either password or PED).

See Cloning Objects to Another Application Partition.

Backup HSM Connected to the Appliance

In this configuration, the Luna Backup HSM is connected directly to one of the USB ports on the Luna PCIe HSM appliance. It is useful in deployments where backups are kept in the same location as the HSM. Backup and restore operations are performed using LunaSH commands via a serial or SSH connection. The Crypto Officer must have admin-level access to LunaSH on the appliance to use this configuration.

Figure 1: Locally-connected Backup HSM using password authentication

Figure 2: Locally-connected Backup HSM using local PED authentication

See "Backup/Restore Using an Appliance-Connected Backup HSM" on page 1.

Backup HSM Connected to the Host Workstation

In this configuration, the Luna Backup HSM is connected to a USB port on the Luna PCIe HSM host workstation. It is useful in deployments where the partition Crypto Officer keeps backups at the local host. This allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

Figure 3: Host-connected Backup HSM using password authentication

Figure 4: Host-connected Backup HSM using local PED authentication

Figure 5: Host-connected Backup HSM using remote PED authentication

See Backup/Restore Using a Host-Connected Luna Backup HSM (G5).

Backup HSM Installed Using Remote Backup Service (RBS)

In this configuration, the Luna Backup HSM is connected to a remote client workstation that communicates with the Luna PCIe HSM host via the Remote Backup Service (RBS). It is useful in deployments where backups are stored in a separate location from the Luna PCIe HSM, to mitigate the consequences of catastrophic loss (fire, flood, etc).

Figure 6: Remote backup (RBS) using password authentication

Figure 7: Remote backup (RBS) using remote PED authentication at the client

Figure 8: Remote backup (RBS) using remote PED authentication at the RBS server

See Configuring a Remote Luna Backup HSM (G5) Server.