Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Direct Multifactor Quorum Authentication

In this configuration, you connect the Luna Backup HSM 7 to a USB port on the Luna Network HSM 7 appliance, and insert PED keys directly into the Luna Backup HSM 7. This allows you to perform backup/restore operations for all application partitions on that HSM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain. To use this method, you require:

>Luna Backup HSM 7 v2

>Luna Appliance Software 7.8.4 or newer installed on the Luna Network HSM 7

NOTE    

>The Luna Backup HSM 7 is shipped in Secure Transport Mode, and must be recovered from STM before first use. STM recovery requires LunaCM on a Luna HSM Client.

See Recovering the Luna Backup HSM 7 from Secure Transport Mode.

>If you require the Luna Backup HSM 7 to be FIPS-compliant, you must complete an additional configuration step after initialization that requires LunaCM on a Luna HSM Client computer (see Configuring the Luna Backup HSM 7 for FIPS Compliance). Therefore, it may be simpler to initialize the Luna Backup HSM 7 at the client instead of using the initialization procedure below.

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client. Only the SMK can be backed up/restored using an appliance-connected Backup HSM.

>If Secure Trusted Channel is enabled on the partition, the Backup HSM must be connected to the client.

See Luna Backup HSM 7 Connected to Luna HSM Client Using Direct Multifactor Quorum Authentication.

This section provides instructions for the following procedures:

>Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

>Backing Up a Multifactor Quorum-Authenticated Partition

>Restoring a Multifactor Quorum-Authenticated Partition From Backup

Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna Network HSM 7 and using LunaSH commands to perform the initialization.

Prerequisites

>If necessary, recover the Luna Backup HSM 7 from Secure Transport Mode (see Recovering the Luna Backup HSM 7 from Secure Transport Mode).

>Ensure that you are familiar with the concepts in Multifactor Quorum Authentication. You will need the following PED keys:

N number of HSM SO (blue) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

Blank or reused Domain (red) PED key(s).

NOTE   Whenever the Luna Backup HSM 7 prompts you to insert a PED key, use the USB-C adapter in the USB port on the right side of the Luna Backup HSM 7.

To initialize the Luna Backup HSM 7 for multifactor quorum authentication

1. Connect your Luna Backup HSM 7 to a USB port on the Luna Network HSM 7:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted on the Luna Backup HSM 7 touchscreen to insert the blue HSM SO key(s) and red Domain key(s). Respond to the prompts and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

NOTE   If your organization requires FIPS compliance, there is an additional procedure you must complete before using the Luna Backup HSM 7 to back up partitions. Refer to Configuring the Luna Backup HSM 7 for FIPS Compliance.

Backing Up a Multifactor Quorum-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the Luna Backup HSM 7. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

In addition to the credentials listed in Credentials Required to Perform Backup and Restore Operations, the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

Prerequisites

Before you begin, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>You have the required credentials:

If you are creating a new backup partition:

New or reused Partition SO (blue) PED key(s) to initialize the backup partition

New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

If you are backing up to an existing backup partition whose domain matches the source partition:

The existing Partition SO (blue) PED key(s) for the backup partition, to log in

The existing Crypto Officer (black) PED key(s) for the backup partition

TIP   If the source partition is activated, only the source partition Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to back up. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If the source partition is not activated, you also need:

[Remote PED authentication] The Remote PED Vector (orange) PED key(s) for the source HSM

The Crypto Officer (black) PED key(s) for the source partition

NOTE   Whenever the Luna Backup HSM 7 prompts you to insert a PED key, use the USB-C adapter in the USB port on the right side of the Luna Backup HSM 7.

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To back up a multifactor quorum-authenticated partition

1. Configure your Luna Network HSM 7 appliance using one of the following configurations:

Activated source partition:

Non-activated source partition:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c. [Non-activated source partition] Connect the Luna Network HSM 7 appliance to a Luna PED, using a local or remote connection:

[Local PED] Connect the Luna PED to the USB port on the HSM card.

[Remote PED] Connect the Luna Network HSM 7 appliance to the Remote PED server (see Opening a Remote PED Connection):

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

2. Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

3. Display a list of application partitions; you require the label for the partition you are backing up.

lunash:> partition list

4. If you plan to back up to an existing partition on the Backup HSM, display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

5. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to erase the contents of the existing backup and replace them with the contents of the source partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to prompts for PED keys, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

6. Respond to the prompts on the Luna PED and/or Luna Backup HSM 7 touchscreen to insert the following keys in the following order:

If the source partition is not activated:

i. [Remote PED authentication] The Remote PED Vector (orange) PED key(s) for the source HSM

ii. The Crypto Officer (black) PED key(s) for the source partition

If you are creating a new backup partition:

i. The HSM SO (blue) PED key(s) for the backup HSM, to log in

ii. New or reused Partition SO (blue) PED key(s) to initialize the backup partition

iii. The Partition SO (blue) PED key(s) you just created for the backup partition, to log in

iv. New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

v. The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

vi. The Crypto Officer (black) PED key(s) you just created for the backup partition, to log in

If you are backing up to an existing backup partition:

i. The HSM SO (blue) PED key(s) for the backup HSM, to log in

ii. The Crypto Officer (black) PED key(s) for the backup partition

The backup begins once you have completed the authentication process. Objects are backed up one at a time.
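
The prerequisite checks and the -add/-replace rule above can be encoded as a pre-flight check that runs before step 5. This is an added example in Python, not Thales code; the Source fields, function names, partition labels and serial number are constructed for illustration, and the policy values are assumed to have been read from the appliance beforehand.

```python
from dataclasses import dataclass

@dataclass
class Source:
    label: str
    version: int = 0             # partition version: 0 for V0, 1 for V1
    firmware: tuple = (7, 8, 4)  # HSM firmware as (major, minor, patch)
    hsm_policy_16: int = 1       # Allow network replication
    policy_0: int = 1            # Allow private key cloning
    policy_4: int = 1            # Allow secret key cloning
    stc: bool = False            # Secure Trusted Channel enabled on the partition

def preflight(src):
    """Return the blocking problems; an empty list means the prerequisites hold."""
    problems = []
    if src.stc:
        problems.append("STC is enabled: connect the Backup HSM to the client")
    if src.hsm_policy_16 != 1:
        problems.append("HSM policy 16 (Allow network replication) must be 1")
    # Cloning policies apply to V0 partitions or firmware older than 7.7.0.
    if src.version == 0 or src.firmware < (7, 7, 0):
        if src.policy_0 != 1:
            problems.append("Partition policy 0 (Allow private key cloning) must be 1")
        if src.policy_4 != 1:
            problems.append("Partition policy 4 (Allow secret key cloning) must be 1")
    return problems

def backup_command(src, serial, tokenpar=None, existing_backups=(), mode=None):
    """Build the step 5 command line, or raise ValueError naming what blocks it."""
    problems = preflight(src)
    if problems:
        raise ValueError("; ".join(problems))
    if mode not in (None, "add", "replace"):
        raise ValueError("mode must be 'add' or 'replace'")
    # -add/-replace is mandatory for an existing backup, except for V1 (SMK only).
    if tokenpar in existing_backups and src.version != 1 and mode is None:
        raise ValueError("existing backup partition: specify -add or -replace")
    cmd = ["partition backup", "-partition", src.label, "-serial", serial]
    if tokenpar:
        cmd += ["-tokenpar", tokenpar]
    if mode:
        cmd.append("-" + mode)
    return " ".join(cmd)

# Constructed sample values, not from a real appliance.
SAMPLE = Source(label="app_par1")
if __name__ == "__main__":
    print(backup_command(SAMPLE, "123456", "app_par1_bk", {"app_par1_bk"}, "add"))
```

Pass the labels returned by token backup partition list (step 4) as existing_backups so that a missing -add or -replace is caught before the PED key prompts begin.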

Restoring a Multifactor Quorum-Authenticated Partition From Backup

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain (red PED key).

Prerequisites

Before you begin, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>The target partition must be initialized using the same domain (red PED key) as the backup partition, the Crypto Officer role must be initialized, and the CO role credential must be changed from its initial value.

>You have the required credentials:

The Crypto Officer challenge secret for the target partition

The Crypto Officer (black) PED key(s) for the backup partition

TIP   If the target partition is activated, only the Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore from backup. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If the target partition is not activated, you also need:

The Remote PED Vector (orange) PED key(s) for the target HSM

The Crypto Officer (black) PED key(s) for the target partition

NOTE   Whenever the Luna Backup HSM 7 prompts you to insert a PED key, use the USB-C adapter in the USB port on the right side of the Luna Backup HSM 7.

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition you want to restore to.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition you want to restore to.

To restore a multifactor quorum-authenticated partition from backup

1. Configure your Luna HSM Client workstation using one of the following configurations:

Activated source partition:

Non-activated source partition:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c. [Non-activated target partition] Connect the Luna Network HSM 7 appliance to a Luna PED, using a local or remote connection:

[Local PED] Connect the Luna PED to the USB port on the HSM card.

[Remote PED] Connect the Luna Network HSM 7 appliance to the Remote PED server (see ________):

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen:

lunash:> token backup list

3. Display a list of application partitions; you require the label for the partition you are restoring to.

lunash:> partition list

4. Display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

5. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <source_backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to erase the contents of the partition and replace them with the contents of the backup.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic objects on the target partition. By default, V1 backups only include the SMK.

6. You are prompted for the following credentials in the following order:

If the target partition is activated:

i. [In LunaSH] The Crypto Officer challenge secret for the target partition

ii. [On the Luna Backup HSM 7 touchscreen] The Crypto Officer (black) PED key(s) for the backup partition

If the target partition is not activated:

i. [On the Luna PED] The Remote PED Vector (orange) PED key(s) for the target HSM

ii. [On the Luna PED] The Crypto Officer (black) PED key(s) for the target partition

iii. [On the Luna Backup HSM 7 touchscreen] The Crypto Officer (black) PED key(s) for the backup partition

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.