Backup/Restore Using Appliance-Connected Luna Backup HSM G5

You can connect the Luna Backup HSM G5 directly to one of the USB ports on the Luna Network HSM 7 appliance. This configuration allows you to perform backup/restore operations using LunaSH, via a serial or SSH connection to the appliance. It is useful in deployments where backups are kept in the same location as the HSM. The Crypto Officer must have admin-level access to LunaSH on the appliance. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

NOTE   Please note the following conditions for using an appliance-connected Luna Backup HSM G5:

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM G5).

Only the SMK can be backed up/restored using an appliance-connected backup HSM.

>If partition policy 37: Force Secure Trusted Channel is enabled on the partition, the backup HSM must be connected to the client (see Backup/Restore Using Client-Connected Luna Backup HSM G5).

>You can use an appliance-connected Backup HSM with Remote PED only if the source partition is activated (Activation on Multifactor Quorum-Authenticated Partitions) and Luna Appliance Software 7.7.0 or newer is installed.

This section provides instructions for the following procedures using this kind of deployment:

>Initializing the Luna Backup HSM G5

>Backing Up an Application Partition

>Restoring an Application Partition from Backup

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.

NOTE   The size of the partition header is different for a Luna Network HSM 7 partition and its equivalent backup partition stored on a Luna Backup HSM G5. As a result, the value displayed in the Used column in the output of the partition list command (for the backed-up Luna Network HSM 7 partition) is different than the value displayed in the Used column in the output of the token backup partition list command (for the backup partition on the Backup HSM).

Initializing the Luna Backup HSM G5

Before you can use the Luna Backup HSM G5 to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.

Prerequisites

>Install the Luna Backup HSM G5 and connect it to power (see Installing the Luna Backup HSM G5).

>Ensure that the Luna Backup HSM G5 is not in Secure Transport Mode and that any tamper events are cleared (see Recovering From a Tamper Event or Secure Transport Mode).

>[PED Authentication] Ensure that you have enough blank or rewritable blue and red PED keys available for your desired authentication scheme (see Creating PED keys).

>[Local PED] Connect the PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode (see Modes of Operation).

To initialize an appliance-connected Luna Backup HSM G5 using LunaSH

1. Log in to LunaSH as admin, or an admin-level custom user.

2. [Optional] View the Luna Backup HSM G5s currently connected to the appliance and find the correct serial number.

lunash:> token backup list

3. Initialize the Backup HSM by specifying its serial number and a label.

lunash:> token backup init -serial <serialnum> -label <label>

You are prompted to set the HSM SO credential and cloning domain for the Luna Backup HSM G5.

Backing Up an Application Partition

You can use LunaSH to back up the contents of an application partition to the appliance-connected Luna Backup HSM G5. You can use this operation to create a backup on the Backup HSM, or add objects from the source partition to an existing backup.

Prerequisites

>The Luna Backup HSM G5 must be initialized (see Initializing the Luna Backup HSM G5).

>You must have admin or admin-level access to LunaSH on the Luna Network HSM 7.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the source partition.

Partition policy 0: Allow private key cloning must be set to 1 (ON) on the source partition.

Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the source partition.

>You must have the Crypto Officer credential (black PED key) and domain (red PED key) for the source partition.

>[Local PED] Connect the PED to the Luna Network HSM 7 using a Mini-B to USB-A cable (see Local PED Setup), and to the Backup HSM using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-USB mode (see Modes of Operation).

>[Remote PED] The source partition must be activated (see Activation on Multifactor Quorum-Authenticated Partitions).

>[Remote PED] Set up a Remote PED server to authenticate the Backup HSM (see About Remote PED).

>[Remote PED] You require the orange PED key for the Backup HSM, which must be initialized using a local PED connection (see Initializing the Luna Backup HSM G5 Remote PED Vector).

To back up an application partition to an appliance-connected Luna Backup HSM G5 using LunaSH

1. Log in to LunaSH as admin, or an admin-level custom user.

2. [Remote PED] Connect the Luna Backup HSM G5 to the remote PED server.

lunash:> hsm ped connect -ip <PEDserver_IP> -serial <Backup_HSM_serialnum>

3. [Optional] View the Luna Backup HSM G5s currently connected to the appliance and find the correct serial number.

lunash:> token backup list

4. Back up the partition, specifying the source partition label, a label for the backup (either a new or existing label), and the Luna Backup HSM G5 serial number. If you specify an existing backup, use one of the following options:

-add to keep the existing partition contents and add new objects only

-replace to erase the contents of the existing backup and replace them with the contents of the source partition

You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

lunash:> partition backup -partition <source_label> -serial <Backup_HSM_serialnum> [-tokenpar <target_label>] [-add] [-replace]

You are prompted for the source partition's Crypto Officer credential (black PED key or challenge secret).

[Remote PED] You are prompted for a Crypto Officer credential for the backup (black PED key) and for the cloning domain that matches the source partition (red PED key). If you are adding to an existing backup, you are not asked for the cloning domain.

5. [Local PED] LunaSH prompts you to connect the Luna PED to the Luna Backup HSM G5. Set the mode on the Luna PED to Local PED-SCP (see Modes of Operation). Enter proceed in LunaSH.

You are prompted to set the following credentials:

Crypto Officer (password or black PED key) for the backup (can be the same as the source partition)

Cloning domain (string or red PED key) for the backup (must be the same as the source partition)

The partition contents are cloned to the backup.
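The deployment conditions and backup prerequisites above can be checked before the backup command is typed. The following Python pre-flight check is an added example, not Thales code or part of LunaSH; the BackupPlan field names and the sample values are assumptions made for illustration, and the operator fills them in from the appliance and the Backup HSM.

```python
from dataclasses import dataclass

def ver(s: str) -> tuple:
    """'7.10.0' -> (7, 10, 0); numeric tuples avoid the string-compare trap."""
    return tuple(int(part) for part in s.split("."))

@dataclass
class BackupPlan:  # all field names are hypothetical, chosen for this example
    partition_version: str         # "V0" or "V1"
    hsm_firmware: str              # firmware of the HSM hosting the source partition
    g5_firmware: str               # Luna Backup HSM G5 firmware
    appliance_software: str        # Luna Appliance Software version
    hsm_policy_16: int = 1         # Enable network replication
    partition_policy_0: int = 1    # Allow private key cloning
    partition_policy_4: int = 1    # Allow secret key cloning
    partition_policy_37: int = 0   # Force Secure Trusted Channel
    ped: str = "local"             # "local" or "remote"
    activated: bool = False        # source partition activation state
    v1_blobs_needed: bool = False  # backup must include V1 encrypted blobs

def preflight(p: BackupPlan) -> list:
    """Return every reason an appliance-connected G5 backup should not start."""
    why = []
    for name, value in (("HSM policy 16", p.hsm_policy_16),
                        ("Partition policy 0", p.partition_policy_0),
                        ("Partition policy 4", p.partition_policy_4)):
        if value != 1:
            why.append(f"{name} must be set to 1 (ON)")
    if p.partition_policy_37 == 1:
        why.append("Partition policy 37 is enabled: use a client-connected Backup HSM")
    if p.partition_version == "V1" and p.v1_blobs_needed:
        why.append("V1 encrypted blobs need a client-connected Backup HSM (SMK only here)")
    if ver(p.hsm_firmware) >= (7, 7, 0) and ver(p.g5_firmware) < (6, 28, 0):
        why.append("Backup HSM G5 firmware is below 6.28.0")
    if p.ped == "remote":
        if not p.activated:
            why.append("Remote PED requires an activated source partition")
        if ver(p.appliance_software) < (7, 7, 0):
            why.append("Remote PED requires Luna Appliance Software 7.7.0 or newer")
    return why

# Constructed sample inputs (not taken from a real appliance).
GOOD = BackupPlan("V0", "7.7.0", "6.28.0", "7.10.0", ped="remote", activated=True)
BAD = BackupPlan("V1", "7.7.1", "6.9.0", "7.3.0", partition_policy_37=1,
                 ped="remote", v1_blobs_needed=True)

if __name__ == "__main__":
    for plan in (GOOD, BAD):
        print(preflight(plan) or "no blockers found")
```

An empty list means none of the page's stated conditions block the appliance-connected backup; any entry names the condition to resolve first.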

Restoring an Application Partition from Backup

You can use LunaSH to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.

Prerequisites

>The target partition must be initialized with the same cloning domain as the backup.

>You must have admin or admin-level access to LunaSH on the Luna Network HSM 7.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the HSM that hosts the target partition.

Partition policy 0: Allow private key cloning must be set to 1 (ON) on the target partition.

Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the target partition.

>You must have the Crypto Officer credentials (black PED key) for the backup and the target partition.

>[Local PED] Connect the PED to the Luna Network HSM 7 using a Mini-B to USB-A cable (see Local PED Setup), and to the Backup HSM using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-USB mode (see Modes of Operation).

>[Remote PED] The source partition must be activated (see Activation on Multifactor Quorum-Authenticated Partitions).

>[Remote PED] Set up a Remote PED server to authenticate the Backup HSM (see About Remote PED). You require the orange PED key for the Backup HSM.

To restore the contents of a backup to an application partition

1. Log in to LunaSH as admin, or an admin-level custom user.

2. [Remote PED] Connect the Luna Backup HSM G5 to the remote PED server.

lunash:> hsm ped connect -ip <PEDserver_IP> -serial <Backup_HSM_serialnum>

3. [Optional] View the Luna Backup HSM G5s currently connected to the appliance and find the correct serial number.

lunash:> token backup list

4. [Optional] View the backups currently available on the Luna Backup HSM G5.

lunash:> token backup partition list -serial <Backup_HSM_serialnum>

5. Restore the partition contents, specifying the target partition label, the backup label, the Luna Backup HSM G5 serial number, and either:

-add to keep the existing partition contents and add new objects only

-replace to erase the contents of the partition and replace them with the contents of the backup

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

lunash:> partition restore -partition <target_label> -tokenpar <backup_label> -serial <Backup_HSM_serialnum> {-add | -replace}

You are prompted for the target partition's Crypto Officer credential (black PED key or challenge secret).

6. [Local PED] LunaSH prompts you to connect the Luna PED to the Luna Backup HSM G5. Change the mode on the Luna PED to Local PED-SCP (see Modes of Operation). Enter proceed in LunaSH.

You are prompted for the backup's Crypto Officer credential (black PED key or challenge secret).

The backup contents are cloned to the application partition.