Restoring From a Client-Connected Luna Backup HSM (G7)

Restoring objects from a backup is essentially the same as the backup procedure, except in reverse. That is, a Crypto Officer can restore the objects from a backup partition to a new or existing user partition, provided they have the credentials required to access the objects in the backup and user partitions.

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Restoring a Multi-factor- (PED-) Authenticated Partition

>Restoring a Password-Authenticated Partition

NOTE   This feature requires minimum Luna HSM Client 10.1.0. See Version Dependencies by Feature for more information.

Restoring a Multi-factor- (PED-) Authenticated Partition

You can restore the objects from a PED-authenticated backup partition to a PED-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM and a remote PED to the Luna HSM Client workstation that hosts the slot for the user partition you want to restore from backup and perform the following tasks.

1.Log in to the user partition you want to restore to as the Crypto Officer (CO):

If the user partition is activated, you need to provide the challenge secret.

If the user partition is not activated, you need to open a remote PED connection to the HSM that hosts the user partition you want to restore to, and use the required PED keys to log in to the user partition as the Crypto Officer (CO).

2.Open a remote PED connection to the backup HSM.

3. Perform the restore operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain PED keys for the backup HSM/partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are familiar with the concepts in PED Authentication.

>You have the credentials listed in the summary above.

TIP   To simplify the restore process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore to. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for more information.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the target user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the target user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the target user partition.

To restore a PED-authenticated partition

1.Configure your Luna HSM Client workstation using one of the following configurations:

   

a.Install the required client software on the Luna HSM Client workstation. See Luna HSM Client Software Installation for details.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

c.Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedserver.

2.Ensure that HSM policy 16: Enable network replication is set to 1 on the HSM that hosts the user partition you want to restore to. See HSM Capabilities and Policies for more information.

3.Start the pedserver service on the workstation used to host the remote PED:

Windows: C:\Program Files\Safenet\LunaClient> pedserver -mode start

Linux: /usr/safenet/lunaclient> pedserver -mode start

4.Launch LunaCM on the workstation that hosts the user and backup partition slots.

5.Identify the slot assignments for:

the user partition you want to restore to.

the backup HSM admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

6.Select the user partition you want to restore from backup:

lunacm:> slot set -slot <slot_id>

7.Authenticate as the Crypto Officer (CO) to the selected user partition:

If the partition is activated, proceed as follows:

i.Log in to the selected user partition as the Crypto Officer (CO):

lunacm:> role login -name co

If the partition is not activated, proceed as follows:

i.Connect to the Luna HSM Client workstation that hosts the PED. If defaults have not been set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii.Log in to the selected user partition as the Crypto Officer (CO).

lunacm:> role login -name co

iii.Respond to the prompts on the PED to provide the orange (PED vector) key(s) and PIN for the HSM that hosts the user partition you want to restore from backup and the black (CO) key(s) and PIN for the CO role on the user partition you want to restore from backup.

iv.Disconnect the PED session. Note that you will remain logged in to the selected user partition.

lunacm:> ped disconnect

8.Connect the PED to the backup HSM. If defaults have not been set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default):

lunacm:> ped connect [-ip <pedserver_host_ip>]

9.Initiate the restore operation. Respond to the prompts on the PED to insert the required PED keys.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <target_partition_label> [-replace] [-smkonly]

The restore operation begins once you have completed the authentication process. Objects are restored one at a time. If you wish to restore previous versions of keys with the same OUID (where attributes have changed, for example), include the -replace option.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see What are "pre-firmware 7.7.0", and V0, and V1 partitions? for more information). By default, the SMK and any cryptographic material on the backup are restored.

Restoring a Password-Authenticated Partition

You can restore the objects from a password-authenticated backup partition to a password-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM to the Luna HSM Client workstation that hosts the slot for the user partition you want to restore from backup and perform the following tasks.

1.Log in to the user partition you want to restore to as the Crypto Officer (CO).

2. Perform the restore operation. You are prompted for the HSM SO, partition SO (PO), crypto officer (CO), and domain passwords for the backup partition. The backup partition and the partition you want to restore to must be members of the same domain.

Prerequisites

>You have the credentials listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the target user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the target user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the target user partition.

To restore a password-authenticated partition

1.Configure your Luna HSM Client workstation as illustrated below:

a.Install the required client software on the Luna HSM Client workstation and start LunaCM. See Restoring From a Client-Connected Luna Backup HSM (G7) for more information.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

2.Ensure that HSM policy 16: Enable network replication is set to 1 on the HSM that hosts the user partition you want to restore to. See HSM Capabilities and Policies for more information.

3. Identify the slots assigned to:

The user partition slot (to be restored).

The backup HSM admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

4.Select the user partition you want to restore to:

lunacm:> slot set -slot <slot_id>

5.Log in to the user partition as the Crypto Officer (CO):

lunacm:> role login -name co

6.List the available backups on the Backup HSM by specifying the Backup HSM's slot number. You will require the backup partition label to perform the restore operation.

lunacm:> partition archive list -slot <backup_HSM_slot>

7.Initiate the restore operation. Respond to the prompts to provide the required passwords, as detailed in the summary above.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <backup_partition_label> [-replace] [-smkonly]

The restore operation begins once you have completed the authentication process. Objects are restored one at a time. If you wish to restore previous versions of keys with the same OUID (where attributes have changed, for example), include the -replace option.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see What are "pre-firmware 7.7.0", and V0, and V1 partitions? for more information). By default, the SMK and any encrypted cryptographic material on the backup are restored.
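
Both procedures above share the same policy prerequisites and the same restore command, so one pre-flight check covers them. The following is an added example, not Thales code: the function names, the partition-type strings and the restriction on label characters are assumptions of this example, and the policy values are entered by the operator rather than read from an HSM.

```python
# Added example: pre-flight check for the restore procedures on this page.
# Nothing here talks to an HSM; the operator supplies the policy values.

CLONING_TYPES = {"pre-7.7.0", "V0"}   # types that need partition policies 0 and 4
KNOWN_TYPES = CLONING_TYPES | {"V1"}  # type strings are this example's convention


def unmet_prerequisites(partition_type, hsm_policies, partition_policies):
    """Return the page's policy prerequisites that are not satisfied.

    Both dicts map policy number -> current value. A missing entry counts
    as unmet, so an unchecked policy never passes silently.
    """
    if partition_type not in KNOWN_TYPES:
        raise ValueError(f"unknown partition type: {partition_type!r}")
    problems = []
    if hsm_policies.get(16) != 1:
        problems.append("HSM policy 16 (Enable network replication) must be 1")
    if partition_type in CLONING_TYPES:
        if partition_policies.get(0) != 1:
            problems.append("Partition policy 0 (Allow private key cloning) must be 1")
        if partition_policies.get(4) != 1:
            problems.append("Partition policy 4 (Allow secret key cloning) must be 1")
    return problems


def restore_command(backup_slot, label, partition_type, replace=False, smkonly=False):
    """Build the LunaCM restore line from the page (without the lunacm:> prompt)."""
    if type(backup_slot) is not int or backup_slot < 0:
        raise ValueError("backup slot must be a non-negative integer")
    # Assumption: accept only simple labels so the line needs no quoting.
    if not label or not all(c.isalnum() or c in "-_." for c in label):
        raise ValueError("label may contain only letters, digits, '-', '_' and '.'")
    if smkonly and partition_type != "V1":
        # The page describes -smkonly only for a V1 backup restored to a V1
        # partition; refusing it elsewhere is this example's own choice.
        raise ValueError("-smkonly is described only for V1-to-V1 restores")
    cmd = f"partition archive restore -slot {backup_slot} -partition {label}"
    return cmd + (" -replace" if replace else "") + (" -smkonly" if smkonly else "")


if __name__ == "__main__":
    # Constructed values: a V0 target partition with secret key cloning still off.
    for problem in unmet_prerequisites("V0", {16: 1}, {0: 1, 4: 0}):
        print("BLOCKED:", problem)
    print(restore_command(3, "backup_2024", "V1", smkonly=True))
```

Running the check before the key custodians are assembled avoids starting an authentication sequence that the target partition's policies would cause to fail.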