Backup/Restore Using Appliance-Connected Luna Backup HSM 7 v1

You can connect the Luna Backup HSM 7 to a USB port on the Luna Network HSM 7 appliance. This configuration allows you to perform backup/restore operations for all application partitions on that HSM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

NOTE   If you require the Luna Backup HSM 7 to be FIPS-compliant, you must complete an additional configuration step after initialization that requires LunaCM on a Luna HSM Client computer. For this reason, Thales recommends using the procedure for Backup/Restore Using Client-Connected Luna Backup HSM 7 v1 instead.

This functionality requires minimum Luna Appliance Software 7.7.0. If you are using an older appliance software version, you must connect the Luna Backup HSM 7 to a client workstation with Luna HSM Client 10.1.0 or newer.

This section provides instructions for the following procedures using this kind of deployment:

>Recovering the Luna Backup HSM 7 from Secure Transport Mode

Procedures for multifactor quorum-authenticated partitions:

>Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Multifactor Quorum-Authenticated Partition

>Restoring a Multifactor Quorum-Authenticated Partition From Backup

Procedures for password-authenticated partitions:

>Initializing a Luna Backup HSM 7 for Password Authentication

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Password-Authenticated Partition

>Restoring a Password-Authenticated Partition From Backup

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.

Recovering the Luna Backup HSM 7 from Secure Transport Mode

The Luna Backup HSM 7 is shipped in Secure Transport Mode (STM). STM provides a logical check on the firmware and critical security parameters (such as configuration, keys, policies, roles, etc.) so that the authorized recipient can determine if these have been altered while the HSM was in transit. For a more detailed description of STM, see Secure Transport Mode.

NOTE   Recovering the Luna Backup HSM 7 from STM requires connecting it to a client workstation running Luna HSM Client 10.1.0 or newer. This operation is not possible while the Backup HSM is connected to the Luna Network HSM 7 appliance.

To recover the Luna Backup HSM 7 from STM

1. Connect the Luna Backup HSM 7 to a USB port on a client workstation running Luna HSM Client 10.1.0 or newer, with the Backup option installed (refer to Luna HSM Client Software Installation for your client operating system).

2. Launch LunaCM on the client workstation.

3. Select the slot assigned to the Luna Backup HSM 7 Admin partition.

lunacm:> slot set -slot <slot_id>

4. Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information about the Random User String:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna Backup HSM 7 from STM may take up to three minutes.

Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna Network HSM 7 and using LunaSH commands to perform the initialization. The procedure below does the following:

>Creates the orange (Remote PED vector) PED key for the backup HSM. You create the orange key using a one-time, password-secured connection between the PED and the backup HSM. You then use this orange key to secure all subsequent connections between the PED and the backup HSM.

>Sets the authentication mode of the HSM to multifactor quorum authentication. The authentication mode is set automatically to the same mode as the Luna Network HSM 7 the backup HSM is connected to when it is initialized.

>Sets the security domain of the Backup HSM.

>Creates the HSM SO role on the HSM (see HSM Roles). This role is required to create or modify a backup partition, and must be logged in to perform a backup.

NOTE   This functionality requires minimum Luna Appliance Software 7.7.0. If you are using an older appliance software version, you must connect the Luna Backup HSM 7 to a client workstation with Luna HSM Client 10.1.0 or newer.

Prerequisites

>If necessary, recover the Luna Backup HSM 7 from Secure Transport Mode as described in Recovering the Luna Backup HSM 7 from Secure Transport Mode.

>Before beginning, ensure that you are familiar with the concepts in Multifactor Quorum Authentication. You will need the following PED keys:

A blank Remote PED Vector (orange) PED key, plus the number required to create duplicate PED keys as necessary.

CAUTION!    Always make copies of your orange PED keys, or declare MofN as one-of-several, and store at least one safely. For the Luna Backup HSM 7, the orange PED key is as important as the HSM SO blue key or the Domain red key (this contrasts with other Luna HSMs, where a lost or damaged orange key can be easily replaced via a local PED connection).

A Remote PED Vector (RPV), on an orange PED key or on an associated HSM, is not a role; it is required to set up the secure tunnel for Remote PED operation.

When used with a multifactor quorum-authenticated Luna Backup HSM 7, the PED always connects remotely. The single USB port on the Backup HSM is for the connection to a Client computer; the PED is never connected locally/directly to the Luna Backup HSM 7. Therefore, losing the orange PED key (RPK) for that Luna Backup HSM 7, without access to a copy, would mean losing the material backed up on that Backup HSM.

N number of HSM SO (blue) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

Blank or reused Domain (red) PED key(s).

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR failures, which would prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To initialize a Luna Backup HSM 7 for multifactor quorum authentication

1. Configure your multifactor quorum-authenticated Luna Network HSM 7 using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

d. Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED.

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use. You can read the serial number from the Backup HSM display screen. The pedserver service must be running on the appliance. You can use the lunash:> service commands to administer the service:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <pedserver_host>

LunaSH generates and displays a one-time password that is used to set up a secure channel between the backup HSM and the PED, allowing you to securely initialize the Remote PED Vector (orange) PED key. Enter the displayed password on the PED when prompted to complete setup of the secure channel and respond to the prompts to create the Remote PED Vector (orange) PED key.

Please attend to the PED and enter following password: 94485995

2. Create Remote PED Vector (orange) PED key(s) for the backup HSM:

lunash:> hsm ped vector init -serial <backup_hsm_serial_number>

CAUTION!   The orange PED key is required for all Luna Backup HSM 7 operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

3. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted by the Luna PED for the blue HSM SO key(s) and red Domain key(s). Respond to the PED prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

4. Use the Duplicate function on the PED to create and label duplicates of the new PED keys, as required. See Duplicating Existing PED keys for details.

5. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.
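The following Python preflight check is an added example, not part of this document or of any Thales tool, and it does not communicate with an HSM. It encodes the restore rules stated on this page (V0/V1 partitions begin at Luna HSM Firmware 7.7.0; a backup taken from a V0/V1 partition never goes back to older firmware; with HSM policy 55 ON a backup can only be restored to a 7.7.0-or-newer partition; an appliance-connected Backup HSM moves only the SMK to a V1 partition) so that a planned restore can be rejected with a stated reason before anyone attends the PED. The RestorePlan fields, the firmware strings and the "smk"/"all" object selector are this example's own assumptions.

```python
"""Restore-eligibility preflight for a Luna Backup HSM 7.

Added, illustrative model (not Thales code): it applies the restore rules
this page states to a planned restore and explains any rejection. Nothing
here talks to an HSM; it is meant to run before a LunaSH session is opened.
"""
from dataclasses import dataclass

# First Luna HSM firmware that creates V0/V1 partitions (from the page).
V0_V1_MIN_FIRMWARE = "7.7.0"


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn '7.7.1' into (7, 7, 1) so versions compare numerically, not as text."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_v0_v1(firmware: str) -> bool:
    """True if a partition on this firmware is a V0 or V1 partition."""
    return parse_firmware(firmware) >= parse_firmware(V0_V1_MIN_FIRMWARE)


@dataclass(frozen=True)
class RestorePlan:
    """Inputs an operator knows before starting (field names are assumptions)."""
    source_firmware: str        # firmware of the partition the backup was taken from
    target_firmware: str        # firmware of the partition being restored to
    restricted_restore: bool    # HSM policy 55 on the Backup HSM (True = set to 1)
    appliance_connected: bool   # Backup HSM plugged into the appliance, not a client
    target_is_v1: bool          # target is a V1 partition (SMK plus encrypted blobs)
    objects: str                # "smk" (SMK only) or "all" (every backed-up object)


def check_restore(plan: RestorePlan) -> tuple[bool, str]:
    """Return (allowed, reason); rules are checked in the order the page states them."""
    source_new = is_v0_v1(plan.source_firmware)
    target_new = is_v0_v1(plan.target_firmware)

    # A V1 partition cannot exist on pre-7.7.0 firmware: inconsistent input.
    if plan.target_is_v1 and not target_new:
        return False, "a V1 partition requires Luna HSM Firmware 7.7.0 or newer"

    # Higher-security (V0/V1) objects never go back to a pre-7.7.0 partition.
    if source_new and not target_new:
        return False, "backup from a V0/V1 partition cannot be restored to pre-7.7.0 firmware"

    # Policy 55 (Enable Restricted Restore) limits targets to the new cloning protocol.
    if plan.restricted_restore and not target_new:
        return False, ("HSM policy 55 is ON: update the target HSM to Luna HSM Firmware "
                       f"{V0_V1_MIN_FIRMWARE} or newer before restoring")

    # Appliance-connected Backup HSM: a V1 partition can only receive the SMK.
    if plan.appliance_connected and plan.target_is_v1 and plan.objects != "smk":
        return False, ("appliance-connected Backup HSM restores only the SMK to a V1 "
                       "partition; connect it to a client to restore encrypted blobs")

    return True, "restore permitted"


if __name__ == "__main__":
    # Constructed scenarios, one per rule.
    for plan in (
        RestorePlan("7.4.0", "7.4.0", False, False, False, "all"),
        RestorePlan("7.4.0", "7.4.0", True, False, False, "all"),
        RestorePlan("7.7.0", "7.4.0", False, False, False, "all"),
        RestorePlan("7.7.1", "7.7.1", True, True, True, "all"),
        RestorePlan("7.7.1", "7.7.1", True, True, True, "smk"),
    ):
        allowed, reason = check_restore(plan)
        print(f"{plan.source_firmware} -> {plan.target_firmware}: {allowed} ({reason})")
```

Run it as a script to see one verdict per constructed scenario, or import check_restore into a change-control script that refuses to open a LunaSH session when the verdict is negative.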

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Multifactor Quorum-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the backup HSM. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

In addition to the credentials listed in Credentials Required to Perform Backup and Restore Operations, the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

NOTE   This functionality requires minimum Luna Appliance Software 7.7.0.

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM 7 v1). Only the SMK can be backed up/restored using an appliance-connected Backup HSM.

>If partition policy 37: Force Secure Trusted Channel is enabled on the partition, the Backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM 7 v1).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are familiar with the concepts in Multifactor Quorum Authentication.

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR failures, which would prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

>You have the required credentials:

If the source partition is not activated:

The Remote PED Vector (orange) PED key(s) for the source HSM

The Crypto Officer (black) PED key(s) for the source partition

TIP   If the source partition is activated, only the source partition Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to back up. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If you are creating a new backup partition:

The Remote PED Vector (orange) PED key(s) for the Backup HSM

New or reused Partition SO (blue) PED key(s) to initialize the backup partition

New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

If you are backing up to an existing backup partition whose domain matches the source partition:

The Remote PED Vector (orange) PED key(s) for the Backup HSM

The existing Partition SO (blue) PED key(s) for the backup partition, to log in

The existing Crypto Officer (black) PED key(s) for the backup partition

To back up a multifactor quorum-authenticated partition

1. Configure your Luna Network HSM 7 appliance using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c. Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

d. Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED.

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

Respond to the prompts on the PED to insert the Backup HSM's orange PED key.

2. Display a list of application partitions; you require the label for the partition you are backing up.

lunash:> partition list

3. If you plan to back up to an existing partition on the Backup HSM, display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to erase the contents of the existing backup and replace them with the contents of the source partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to PED prompts, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

5. Respond to the prompts on the PED to insert the following keys in the following order:

If the source partition is not activated:

i. The Remote PED Vector (orange) PED key(s) for the source HSM

ii. The Crypto Officer (black) PED key(s) for the source partition

iii. The Remote PED Vector (orange) PED key(s) for the Backup HSM

NOTE   If the source partition is activated, you are prompted in LunaSH for the challenge secret only, and you do not need to switch the Remote PED connection between the source and backup HSMs.

If you are creating a new backup partition:

i. New or reused Partition SO (blue) PED key(s) to initialize the backup partition

ii. The Partition SO (blue) PED key(s) you just created for the backup partition, to log in

iii. New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

iv. The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

v. The Crypto Officer (black) PED key(s) you just created for the backup partition, to log in

If you are backing up to an existing backup partition:

i. The existing Partition SO (blue) PED key(s) for the backup partition, to log in

ii. The existing Crypto Officer (black) PED key(s) for the backup partition

The backup begins once you have completed the authentication process. Objects are backed up one at a time.

6. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

7. If this is the first backup to the backup partition, use the Duplicate function on the PED to create and label a set of backup keys for the new PO (blue) and CO (black) keys. See Duplicating Existing PED keys for details.

Restoring a Multifactor Quorum-Authenticated Partition From Backup

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain (red PED key).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are familiar with the concepts in Multifactor Quorum Authentication.

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the user partition you want to restore to.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the user partition you want to restore to.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR failures, which would prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

>The target partition must be ready to accept keys from backup, meaning that it must be initialized using the same domain (red PED key) as the backup partition, the Crypto Officer role must be initialized and the CO role credential changed from its initial value.

TIP   If the target partition is activated, only the Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore from backup. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

>If the target partition is not activated, you also require:

The Remote PED Vector (orange) PED key(s) for the target HSM

The Crypto Officer (black) PED key(s) for the target partition

To restore a multifactor quorum-authenticated partition from backup

1. Configure your Luna HSM Client workstation using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c. Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

d. Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED.

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

Respond to the prompts on the PED to insert the Backup HSM's orange PED key(s).

2. Display a list of application partitions; you require the label for the partition you are restoring to.

lunash:> partition list

3. Display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <source_backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to erase the contents of the partition and replace them with the contents of the backup.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.
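The helper below is an added example, not LunaSH code or any Thales tool; it only assembles the partition backup and partition restore command lines from the two procedures on this page and refuses option sets the text says are invalid: -add or -replace is required when backing up to an existing backup partition (not for a V1 source, where only the SMK is copied), exactly one of them is required on restore, and -replace against a V1 target is held behind an explicit confirmation because it erases existing material. The default label follows the <source_partition_name>_<YYYYMMDD> convention described above; the example assumes the caller supplies the source HSM's own date. Serial numbers, labels and dates in the usage are constructed.

```python
"""Assemble and sanity-check LunaSH 'partition backup' / 'partition restore'
command lines before they are typed into (or sent over SSH to) a LunaSH session.

Added example: not part of LunaSH; it only produces text. Argument names mirror
the options shown on this page. Values in the usage section are constructed.
"""
from datetime import date
from typing import Callable, Optional

# Constructed sample date standing in for the source HSM's internally-set date.
EXAMPLE_HSM_DATE = date(2024, 3, 9)


def default_backup_label(source_partition: str, hsm_date: date) -> str:
    """Label LunaSH assigns when -tokenpar is omitted on a first backup:
    <source_partition_name>_<YYYYMMDD>. Assumption: hsm_date is the source
    HSM's internally-set date, which the page says the suffix is taken from."""
    return f"{source_partition}_{hsm_date:%Y%m%d}"


def backup_command(source_partition: str, backup_hsm_serial: str, *,
                   target_backup_partition: Optional[str] = None,
                   existing_backup: bool = False,
                   mode: Optional[str] = None,
                   source_is_v1: bool = False) -> str:
    """Return the 'partition backup ...' line, or raise ValueError.

    existing_backup: the target already holds a backup, so LunaSH needs -add
    (new objects only) or -replace (erase and rewrite). A V1 source copies
    only the SMK, so neither option is required in that case.
    """
    if mode not in (None, "add", "replace"):
        raise ValueError("mode must be 'add', 'replace' or None")
    if existing_backup and mode is None and not source_is_v1:
        raise ValueError("backing up to an existing backup partition requires -add or -replace")
    parts = ["partition", "backup", "-partition", source_partition,
             "-serial", backup_hsm_serial]
    if target_backup_partition is not None:
        parts += ["-tokenpar", target_backup_partition]
    if mode is not None:
        parts.append(f"-{mode}")
    return " ".join(parts)


def restore_command(target_partition: str, backup_partition: str,
                    backup_hsm_serial: str, *, mode: str,
                    target_is_v1: bool = False,
                    confirm_erase: bool = False) -> str:
    """Return the 'partition restore ...' line; {-add | -replace} is mandatory.

    On a V1 target the page advises -add to restore the SMK; -replace erases
    any existing cryptographic material, so it must be explicitly confirmed.
    """
    if mode not in ("add", "replace"):
        raise ValueError("restore requires exactly one of -add or -replace")
    if mode == "replace" and target_is_v1 and not confirm_erase:
        raise ValueError("-replace on a V1 partition erases existing material; "
                         "use -add to restore the SMK, or set confirm_erase=True")
    return " ".join(["partition", "restore", "-partition", target_partition,
                     "-tokenpar", backup_partition, "-serial", backup_hsm_serial,
                     f"-{mode}"])


def validation_error(build: Callable[..., str], *args, **kwargs) -> Optional[str]:
    """Run a builder and return its rejection message, or None if it succeeded."""
    try:
        build(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed values: partition label 'par1', Backup HSM serial 700000.
    label = default_backup_label("par1", EXAMPLE_HSM_DATE)
    print(backup_command("par1", "700000"))                       # first backup
    print(backup_command("par1", "700000", target_backup_partition=label,
                         existing_backup=True, mode="add"))       # incremental
    print(restore_command("par1", label, "700000", mode="add"))   # SMK restore
    print(validation_error(restore_command, "par1", label, "700000",
                           mode="replace", target_is_v1=True))    # refused
```

The builders return only the text after the lunash:> prompt; a wrapper that drives LunaSH over SSH can call them and refuse to send anything when validation_error reports a problem.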

5. If the target restore partition is activated, you are prompted for the Crypto Officer challenge secret. If the target partition is not activated, respond to the prompts on the PED to insert the following keys in the following order:

a. The Remote PED Vector (orange) PED key(s) for the target HSM

b. The Crypto Officer (black) PED key(s) for the target restore partition

c. The Remote PED Vector (orange) PED key(s) for the backup HSM

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

6. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

Initializing a Luna Backup HSM 7 for Password Authentication

Initializing your backup HSM as password-authenticated allows you to back up password-authenticated partitions. The procedure below does the following:

>Sets the authentication mode of the HSM to password authentication. The authentication mode is set automatically to the same mode as the Luna Network HSM 7 the backup HSM is connected to when it is initialized.

>Sets the security domain of the Backup HSM.

>Creates the HSM SO role on the HSM (see HSM Roles). This role is required to create or modify a backup partition, and must be logged in to perform a backup.

NOTE   This functionality requires minimum Luna Appliance Software 7.7.0. If you are using an older appliance software version, you must connect the Luna Backup HSM 7 to a client workstation with Luna HSM Client 10.1.0 or newer.

Prerequisites

>If necessary, recover the Luna Backup HSM 7 from Secure Transport Mode as described in Recovering the Luna Backup HSM 7 from Secure Transport Mode.

To initialize a password-authenticated HSM

1. Configure your password-authenticated Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted to set a new HSM SO password and the HSM domain string (existing or new).

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Password-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the backup HSM. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

In addition to the credentials listed in Credentials Required to Perform Backup and Restore Operations, the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

NOTE   This functionality requires minimum Luna appliance software 7.7.0.

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM 7 v1). Only the SMK can be backed up/restored using an appliance-connected Backup HSM.

>If partition policy 37: Force Secure Trusted Channel is enabled on the partition, the Backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM 7 v1).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>You have the required credentials:

The Crypto Officer password for the source partition

The HSM SO password for the backup HSM

The Domain string for the source partition

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To back up a password-authenticated partition

1. Configure your Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Display a list of application partitions; you require the label for the partition you are backing up.

lunash:> partition list

4. If you plan to back up to an existing partition on the Backup HSM, display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

5. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to add new objects and overwrite existing objects. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

6. Respond to the prompts for the following passwords:

a. The Crypto Officer password for the source partition

b. The HSM SO password for the backup HSM

c. If you are creating a new backup, you must provide the domain string for the source partition -- it is used to initialize the new backup partition so that objects can be cloned. If your target is an existing backup partition, the operation will proceed only if the domains match.

The backup begins once you have completed the authentication process. Objects are backed up one at a time.

Restoring a Password-Authenticated Partition From Backup

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain string.

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You have the required credentials:

The Crypto Officer password for the target partition

The Crypto Officer password for the backup partition

>The target partition must be initialized with the same domain string as the backup partition.

>You are able to log in to the Luna Network HSM 7 appliance using an admin-level account to access LunaSH.

>[Pre-7.7.0 and V0 partitions only] The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

Partition policy 0: Allow private key cloning must be set to 1 (ON) on the user partition you want to restore to.

Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the user partition you want to restore to.

To restore a password-authenticated partition

1. Configure your Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Display a list of application partitions; you require the label for the partition you are restoring to.

lunash:> partition list

3. Display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to add new objects and overwrite existing objects.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

5. Respond to the prompts for the following passwords:

a. The Crypto Officer password for the target partition

b. The Crypto Officer password for the backup partition

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.
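The following script is an added example, not Thales code or part of this documentation. It serves both the backup procedure (step 5 and its NOTE about -add/-replace) and the restore procedure (step 4 and its CAUTION) above: it assembles the LunaSH command lines from the parameters, refuses combinations the page rules out (an existing non-V1 backup partition without -add or -replace; a restore without exactly one of them), and sends the command to the appliance over SSH. The appliance hostname hsm.example.com, the labels par1, par2 and par1_20240101, the serial 700001, and the admin user name are constructed placeholders; that LunaSH accepts a single command as the SSH remote command is an assumption. Because LunaSH prompts interactively for the Crypto Officer and HSM SO passwords and the domain string, the SSH call requests a tty; DRY_RUN=1 only prints what would be sent.

```shell
#!/usr/bin/env bash
# Added example (not Thales code): build and sanity-check the LunaSH
# 'partition backup' / 'partition restore' command lines from this page.
# Host, user, labels and serial below are assumptions, not real values.
set -eu

# A merge mode must be one of the two LunaSH options named on the page.
check_mode() {
    case "$1" in
        add|replace) return 0 ;;
        *) echo "error: mode must be 'add' or 'replace', got '$1'" >&2; return 1 ;;
    esac
}

# build_backup_cmd SOURCE_LABEL SERIAL [TOKENPAR] [MODE] [EXISTING] [V1]
#   Prints the LunaSH 'partition backup' command. EXISTING=1 means TOKENPAR
#   names a backup partition that already exists on the Backup HSM, in which
#   case -add or -replace is mandatory, unless the source is a V1 partition
#   (V1=1): then only the SMK is backed up and no merge mode is needed.
build_backup_cmd() {
    local source="$1" serial="$2" tokenpar="${3:-}" mode="${4:-}"
    local existing="${5:-0}" v1="${6:-0}"
    local cmd="partition backup -partition $source -serial $serial"
    if [ -n "$tokenpar" ]; then
        cmd="$cmd -tokenpar $tokenpar"
    fi
    if [ -n "$mode" ]; then
        check_mode "$mode" || return 1
        cmd="$cmd -$mode"
    elif [ "$existing" = "1" ] && [ "$v1" != "1" ]; then
        echo "error: existing backup partition '$tokenpar' requires -add or -replace" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# build_restore_cmd TARGET_LABEL BACKUP_LABEL SERIAL MODE
#   Prints the LunaSH 'partition restore' command; MODE is mandatory here.
#   -replace overwrites existing objects on the target, so it is flagged.
build_restore_cmd() {
    local target="$1" backup="$2" serial="$3" mode="${4:-}"
    if [ -z "$mode" ]; then
        echo "error: partition restore requires -add or -replace" >&2
        return 1
    fi
    check_mode "$mode" || return 1
    if [ "$mode" = "replace" ]; then
        echo "warning: -replace overwrites existing objects on '$target'" >&2
    fi
    printf 'partition restore -partition %s -tokenpar %s -serial %s -%s\n' \
        "$target" "$backup" "$serial" "$mode"
}

# run_lunash HOST CMD
#   Sends one LunaSH command over SSH as the admin-level user (assumption:
#   LunaSH accepts the command as the SSH remote command). -t keeps a tty so
#   the CO/SO password and domain prompts work. DRY_RUN=1 only prints.
run_lunash() {
    local host="$1" cmd="$2" user="${LUNASH_USER:-admin}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '[dry-run] ssh -t %s@%s %s\n' "$user" "$host" "$cmd"
        return 0
    fi
    ssh -t "$user@$host" "$cmd"
}

# Stand-alone demonstration with constructed values; DRY_RUN keeps it offline.
DRY_RUN=1
run_lunash hsm.example.com "$(build_backup_cmd par1 700001 par1_20240101 add 1)"
run_lunash hsm.example.com "$(build_restore_cmd par2 par1_20240101 700001 add)"
```

Run it with DRY_RUN unset and LUNASH_USER pointed at your admin-level account to execute the commands for real; the script deliberately never handles the passwords or the domain string itself, leaving them to the LunaSH prompts described in steps 6 and 5 above.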