Preparing and Administering SKS Partitions

On this page:

Provisioning SKS  

Replicating the SMK to another SKS Partition  

Backing up the SMK

Restoring the SMK from Backup

Preparing to use SKS

Checklist

The following subsections describe briefly what you need

>to set up one or more SKS partitions ready for use,

>to backup and restore SKS Master Keys (SMK) from-and-to the SKS partition, and

>to directly replicate the SMK from one SKS partition to another for High Availability operation.

Cross-reference links are provided to each topic or section, containing explicit instructions for each task.

Provisioning SKS

>You need at least one Luna Network HSM at appliance software version 7.7.0 or newer and HSM firmware version 7.7.0 or newer, or Luna PCIe HSM at firmware version 7.7.0 or newer.

>If you already have an older 7.x HSM, download and install the updates from the Support Portal.

>Install a suitable Client software that includes a version of the lunacm tool that supports the "partition smkrollover" commands - this ensures that the associated library has the updated SKS capabilities and is also able to handle migration from legacy SKS instances

>Follow the instructions at the beginning of Preparing to use SKS to get the appliance installed and network connected

>If you plan to use an HA group, then repeat the above process with the second Network or PCIe HSM, and again with any additional active or standby members.

Replicating the SMK to another SKS Partition

Stand-alone - If you are using a single HSM with your application, you should have at least one backup copy of the SMK (for each partition) so that any SKS blobs encrypted by that SMK are recoverable in case of loss or damage to the original HSM or partition.

>proceed to Backup the SKS Master Key (SMK).

HA group - If you are using an HA group with your application, then initially, each member has a unique SMK created when its SKS partition is created. For HA operation, the hagroup addmember command replicates the desired SMK from the initial member to all additional members of the group. This means that, in order for a partition to take part in HA operation as the second or later member, its original SMK is overwritten by the SMK of the first member of the group.

>Safeguard the desired SMK by backing it up to a Backup HSM before going further. See SKS Backup and Restore.

NOTE   If an SMK, already existing on a partition, has ever been used to encrypt an SKS key or objects, then you must backup the existing SMK before replacing/overwriting it, if you wish to ever retrieve the previously encrypted SKS key and objects.

>Follow the instructions for using the partition smkclone command in High Availability and SKS.

Backing up the SMK

Always ensure that you have safeguarded any important SMK (one that has been used to encrypt key material for export from the HSM) by backing it up to a Backup HSM partition before you perform any action that might destroy that SMK (such as cloning a different SMK to the current HSM, or restoring a different SMK from a Backup HSM partition).

>To backup, see Backup the SKS Master Key (SMK).

Restoring the SMK from Backup

When you wish to use the SKS partition to encrypt objects or decrypt objects with an SMK other than the SMK that resides in the current partition, you must restore from a Backup of the desired SMK to overwrite the current SMK in the current partition. If the current SMK (before restoring from archive) is valuable, then back it up first before restoring a different SMK to overwrite the current one.

>To restore, see Restore an SKS Master Key (SMK).

Preparing to use SKS

Perform all the steps to install and configure a Luna HSM, as described at Installing and Configuring Your New Luna PCIe HSM.

1.If your HSM is not already at firmware version 7.7.0, follow the instructions in the 7.7.0 Customer Release Notes, to securely copy the Release 7.7.0 Appliance Software Update package to the appliance, and perform the software and firmware update.

NOTE   To update an HA group to firmware 7.7 or newer, all the non-primary partitions must be updated first, to ensure that the key objects from the firmware 7.7-or-newer primary can still move to the non-primaries through key cloning. Then the primary member can be updated.

2.When you reach the steps to create an application partition, ensure that it is created as the default version one (V1), which is necessary for SKS operation.

NOTE   The SKS Master Key (or SMK) is created when the partition Crypto Officer logs in. For security reasons the SMK is not made visible in output of the usual commands that show objects on an HSM partition (lunacm:>partition contents and lunash:>partition showcontents).

3.Go to Using SKS to continue with SKS.