Backup/Restore Using a Host-Connected Luna Backup HSM (G5)
You can connect the Luna Backup HSM to a USB port on the
This section provides instructions for the following procedures using this kind of deployment:
>Backing Up an Application Partition
>Restoring an Application Partition from Backup
NOTE To perform backup operations on HSM firmware 7.7.0 or newer (V0 or V1 partitions):
> Luna Backup HSM (G7) requires minimum firmware version 7.7.1
> Luna Backup HSM (G5) requires minimum firmware version 6.28.0
You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported only for the purpose of getting your objects from the older partitions onto the newer V0 or V1 partitions.
V0 and V1 partitions are considered more secure than partitions at earlier firmware versions; any attempt to restore from a higher-security status to a lower-security status fails gracefully.
SMK backup for appliance is supported only with local connection.
Initializing the Backup HSM
Before you can use the Luna Backup HSM to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.
Prerequisites
>Install the Backup HSM at the
>Ensure that the Backup HSM is not in Secure Transport Mode and that any tamper events are cleared (see Backup HSM Secure Transport and Tamper Recovery).
>[PED Authentication] Ensure that you have enough blank or rewritable blue and red PED keys available for your desired authentication scheme (see Creating PED Keys).
•[Local PED] Connect the PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode (see Modes of Operation).
•[Remote PED] Initialize the Backup HSM RPV (see Initializing the Backup HSM Remote PED Vector). You require the orange PED key.
•[Remote PED] Set up a Remote PED server to authenticate the Backup HSM (see Remote PED Setup).
To initialize a host-connected Backup HSM
1.Launch LunaCM on the
2.Set the active slot to the Luna Backup HSM.
lunacm:> slot set -slot <slotnum>
3.[Remote PED] Connect the Backup HSM to the Remote PED server.
lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>
4.Initialize the Backup HSM, specifying a label and the method of authentication (
lunacm:> hsm init -label <label>
You are prompted to set an HSM SO credential and cloning domain for the Backup HSM.
Backing Up an Application Partition
You can use LunaCM to back up the contents of an application partition to the
Prerequisites
>The Backup HSM must be initialized (see Initializing the Backup HSM).
>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):
•HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the source partition.
•[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the source partition.
•[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the source partition.
>You must have the Crypto Officer credential
>You must have the Backup HSM SO credential
>[PED Authentication] This procedure is simpler if the source partition is activated (see Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions), since you require a Luna PED only for the Backup HSM.
•[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable.
•[Remote PED] You must have the orange PED key for the Backup HSM (see Initializing the Backup HSM Remote PED Vector). If the source partition is not activated, you may need the orange PED key for the Luna PCIe HSM as well.
•[Remote PED] Set up Remote PED on the workstation you plan to use for PED authentication (see Remote PED Setup). If the partition is not activated, you must connect to PEDserver with ped connect before logging in, and disconnect with ped disconnect before initiating the backup.
To back up an application partition to a host-connected Backup HSM
1.Launch LunaCM on the
2.Set the active slot to the source partition and log in as Crypto Officer.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name co
3.[PED Authentication] Connect the Backup HSM to the Luna PED.
•[Local PED] Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation).
•[Remote PED] Connect the Backup HSM slot to PEDserver.
lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>
4.Back up the partition, specifying the Backup HSM slot and a label for the backup (either a new or existing label). If you specify an existing backup label, include the -append option to add only new objects to the backup (duplicate objects will not be cloned). By default, the existing backup will be overwritten with the current contents of the source partition.
lunacm:> partition archive backup -slot <Backup_HSM_slotnum> [-partition <backup_label>] [-append] [-replace] [-smkonly]
If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.
If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.
The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:
-append | Add only new objects to an existing backup. |
-replace | Delete the existing objects in a target backup partition and replace them with the contents of the source user partition. This is the default. |
-append and -replace | Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup). |
You are prompted to present or set the following credentials:
•[Remote PED] Backup HSM Remote PED vector (orange PED key)
•Backup HSM SO
•Crypto Officer
•Cloning domain
The partition contents are cloned to the backup.
5.[Remote PED] Disconnect the Backup HSM from PEDserver.
lunacm:> ped disconnect
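The object selection rules from the -append / -replace table in step 4, modelled as an added example (not vendor code and not part of the original page). Partition objects are reduced to OUID-to-fingerprint maps with constructed values, the function names are hypothetical, and the model assumes, reading the table literally, that -append never removes objects from an existing backup.

```python
# Added illustration: models the -append / -replace rules from the table above.
# Objects are reduced to {OUID: fingerprint}; all values are constructed samples.

def plan_backup(source, backup, append=False, replace=False):
    """Return (resulting_backup, actions) for one backup run."""
    if not append:
        # -replace alone, or no option at all (the documented default):
        # existing backup objects are deleted, then the source is cloned in.
        actions = [("delete", o) for o in sorted(backup)]
        actions += [("add", o) for o in sorted(source)]
        return dict(source), actions
    result, actions = dict(backup), []
    for ouid in sorted(source):
        if ouid not in backup:
            result[ouid] = source[ouid]
            actions.append(("add", ouid))
        elif replace and backup[ouid] != source[ouid]:
            # Same OUID, different fingerprint: attributes changed since backup.
            result[ouid] = source[ouid]
            actions.append(("replace", ouid))
        else:
            actions.append(("skip", ouid))
    return result, actions

def stale_objects(source, result):
    """OUIDs whose backed-up copy no longer matches the source partition."""
    return sorted(o for o in source if o in result and result[o] != source[o])

def retained_only_in_backup(source, result):
    """OUIDs kept in the backup although they are gone from the source."""
    return sorted(set(result) - set(source))

# Constructed state: B was modified, C was deleted, D was created since the
# previous backup.
SOURCE = {"ouid-A": "fp-a1", "ouid-B": "fp-b2", "ouid-D": "fp-d1"}
BACKUP = {"ouid-A": "fp-a1", "ouid-B": "fp-b1", "ouid-C": "fp-c1"}

if __name__ == "__main__":
    for flags in ({"append": True}, {"replace": True},
                  {"append": True, "replace": True}):
        result, actions = plan_backup(SOURCE, BACKUP, **flags)
        print(flags, actions)
        print("  stale:", stale_objects(SOURCE, result),
              "backup-only:", retained_only_in_backup(SOURCE, result))
```

With -append alone, the modified object keeps its old fingerprint in the backup, so a later restore would bring back its pre-change attributes; with the default, the object deleted from the source also disappears from the backup.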
Restoring an Application Partition from Backup
You can use LunaCM to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.
Prerequisites
>The target partition must be initialized with the same cloning domain as the backup partition.
>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):
•HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the target partition.
•[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the target partition.
•[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the target partition.
>You must have the Crypto Officer credentials for the backup partition and the target partition.
>[PED Authentication] This procedure is simpler if the application partition is activated (see Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions), since you require a Luna PED only for the Backup HSM.
•[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable.
•[Remote PED] Set up Remote PED on the workstation you plan to use for PED authentication (see Remote PED Setup). If the partition is not activated, you must connect to PEDserver with ped connect before logging in, and disconnect with ped disconnect before initiating the backup.
To restore the contents of a backup to an application partition
1.Launch LunaCM on the
2.Set the active slot to the target partition and log in as Crypto Officer.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name co
3.[PED Authentication] Connect the Backup HSM to the Luna PED.
•[Local PED] Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation).
•[Remote PED] Connect the Backup HSM slot to PEDserver.
lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>
4.[Optional] Display the available backups by specifying the Backup HSM slot. Each available backup also appears as a slot in LunaCM.
lunacm:> partition archive list -slot <Backup_HSM_slotnum>
5.[Optional] Display the contents of a backup by specifying the Backup HSM slot and the backup partition label in LunaCM.
lunacm:> partition archive contents -slot <backup_slotnum> -partition <backup_label>
6.Restore the partition contents, specifying the Backup HSM slot and the backup you wish to use. By default, duplicate backup objects with the same OUID as objects currently existing on the partition are not restored.
If you have changed attributes of specific objects since your last backup and you wish to revert these changes, include the -replace option.
If you are restoring a V1 partition and you only want to restore the SMK, include the -smkonly option.
lunacm:> partition archive restore -slot <Backup_HSM_slotnum> -partition <backup_label> [-replace] [-smkonly]
You are prompted for the backup's Crypto Officer credential.
The backup contents are cloned to the application partition.