Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Remote Multifactor Quorum Authentication

In this configuration, you connect the Luna Backup HSM 7 to a USB port on the Luna Network HSM 7 appliance, and insert PED keys into a Remote Luna PED. This configuration allows you to perform backup/restore operations for all application partitions on that HSM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain. To use this method, you require:

>Luna Backup HSM 7 v1 or v2 with Luna Backup HSM 7 Firmware 7.7.1 or newer installed

>Luna Appliance Software 7.7.0 or newer installed on the Luna Network HSM 7

NOTE    

>The Luna Backup HSM 7 is shipped in Secure Transport Mode, and must be recovered from STM before first use. STM recovery requires LunaCM on a Luna HSM Client.

See Recovering the Luna Backup HSM 7 from Secure Transport Mode.

>If you require the Luna Backup HSM 7 to be FIPS-compliant, you must complete an additional configuration step after initialization that requires LunaCM on a Luna HSM Client computer (see Configuring the Luna Backup HSM 7 for FIPS Compliance). Therefore, it may be simpler to initialize the Luna Backup HSM 7 at the client instead of using the initialization procedure below.

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client. Only the SMK can be backed up/restored using an appliance-connected Backup HSM.

>If Secure Trusted Channel is enabled on the partition, the Backup HSM must be connected to the client.

See Luna Backup HSM 7 Connected to Luna HSM Client Using Remote Multifactor Quorum Authentication.

This section provides instructions for the following procedures:

>Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

>Backing Up a Multifactor Quorum-Authenticated Partition

>Restoring a Multifactor Quorum-Authenticated Partition From Backup

Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna Network HSM 7 and using LunaSH commands to perform the initialization.

Prerequisites

>If necessary, recover the Luna Backup HSM 7 from Secure Transport Mode (see Recovering the Luna Backup HSM 7 from Secure Transport Mode).

>Ensure that you are familiar with the concepts in Multifactor Quorum Authentication. You will need the following PED keys:

A blank Remote PED Vector (orange) PED key, plus the number required to create duplicate PED keys as necessary.

CAUTION!    Always make copies of your orange PED keys, or declare MofN as one-of-several, and store at least one safely. For the Luna Backup HSM 7 v1, the orange PED key is as important as the HSM SO blue key or the Domain red key.

The orange PED key is required for all Luna Backup HSM 7 v1 operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

N number of HSM SO (blue) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

Blank or reused Domain (red) PED key(s).

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid experiencing frequent CKR_CALLBACK_ERRORS, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To initialize the Luna Backup HSM 7 for multifactor quorum authentication

1.Configure your multifactor quorum-authenticated Luna Network HSM 7 using one of the following configurations:

a.Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b.Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c.Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

d.Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED.

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use. You can read the serial number from the Backup HSM display screen. The pedserver service must be running on the appliance. You can use the lunash:> service commands to administer the service:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <pedserver_host>

LunaSH generates and displays a one-time password that is used to set up a secure channel between the backup HSM and the PED, allowing you to securely initialize the Remote PED Vector (orange) PED key. Enter the displayed password on the PED when prompted to complete setup of the secure channel and respond to the prompts to create the Remote PED Vector (orange) PED key.

Please attend to the PED and enter following password: 94485995

2.Create Remote PED Vector (orange) PED key(s) for the backup HSM:

lunash:> hsm ped vector init -serial <backup_hsm_serial_number>

You are then prompted to insert the orange key again to authenticate the Remote PED connection.

CAUTION!   The orange PED key is required for all Luna Backup HSM 7 v1 operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

3.Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted by the Luna PED for the blue HSM SO key(s) and red Domain key(s). Respond to the PED prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

4.Use the Duplicate function on the PED to create and label duplicates of the new PED keys, as required. See Duplicating Existing PED keys for details.

5.Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

NOTE   If your organization requires FIPS compliance, there is an additional procedure you must complete before using the Luna Backup HSM 7 to back up partitions. Refer to Configuring the Luna Backup HSM 7 for FIPS Compliance.

Backing Up a Multifactor Quorum-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the Luna Backup HSM 7. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add only the new objects in the source partition to the existing backup partition. Like all cloning operations, the source partition and the target backup partition must be initialized with the same cloning domain.

In addition to the credentials listed in Credentials Required to Perform Backup and Restore Operations, the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

Prerequisites

Before you begin, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>You have the required credentials:

If you are creating a new backup partition:

The Remote PED Vector (orange) PED key(s) for the Backup HSM

The HSM SO (blue) PED key(s) for the backup HSM

New or reused Partition SO (blue) PED key(s) to initialize the backup partition

New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

If you are backing up to an existing backup partition whose domain matches the source partition:

The Remote PED Vector (orange) PED key(s) for the Backup HSM

The HSM SO (blue) PED key(s) for the backup HSM

The existing Crypto Officer (black) PED key(s) for the backup partition

TIP   If the source partition is activated, only the source partition Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to back up. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If the source partition is not activated, you also need:

The Remote PED Vector (orange) PED key(s) for the source HSM

The Crypto Officer (black) PED key(s) for the source partition

>The following policies are set:

HSM policy 16: Allow network replication is set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid experiencing frequent CKR_CALLBACK_ERRORS, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To back up a multifactor quorum-authenticated partition

1.Configure your Luna Network HSM 7 appliance using one of the following configurations:

a.Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b.Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c.Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

d.Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED:

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

Respond to the prompts on the PED to insert the Backup HSM's orange PED key.

2.Display a list of application partitions; you require the label for the partition you are backing up.

lunash:> partition list

3.If you plan to back up to an existing partition on the Backup HSM, display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4.Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-add | -replace]

NOTE   You must specify -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to erase the contents of the existing backup and replace them with the contents of the source partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to PED prompts, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

5.You are prompted for the following credentials in the following order:

If the source partition is not activated:

i.The Remote PED Vector (orange) PED key(s) for the source HSM

ii.The Crypto Officer (black) PED key(s) for the source partition

iii.The Remote PED Vector (orange) PED key(s) for the Backup HSM

If the source partition is activated:

i.[In LunaSH] The Crypto Officer challenge secret for the source partition

If you are creating a new backup partition:

i.The HSM SO (blue) PED key(s) for the backup HSM, to log in

ii.New or reused Partition SO (blue) PED key(s) to initialize the backup partition

iii.The Partition SO (blue) PED key(s) you just created for the backup partition, to log in

iv.New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

v.The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

vi.The Crypto Officer (black) PED key(s) you just created for the backup partition, to log in

If you are backing up to an existing backup partition:

i.The HSM SO (blue) PED key(s) for the backup HSM, to log in.

ii.The existing Crypto Officer (black) PED key(s) for the backup partition

The backup begins once you have completed the authentication process. Objects are backed up one at a time.

6.Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

7.If this is the first backup to the backup partition, use the Duplicate function on the PED to create and label a set of backup keys for the new PO (blue) and CO (black) keys. See Duplicating Existing PED keys for details.

Restoring a Multifactor Quorum-Authenticated Partition From Backup

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain (red PED key).

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>The target partition must be initialized using the same domain (red PED key) as the backup partition, the Crypto Officer role must be initialized and the CO role credential changed from its initial value.

>You have the required credentials:

The Remote PED Vector (orange) PED key(s) for the backup HSM

The Crypto Officer challenge secret for the target partition

The Crypto Officer (black) PED key(s) for the backup partition

TIP   If the target partition is activated, only the Crypto Officer's challenge secret is required. To simplify the restore process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore from backup. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If the target partition is not activated, you also need:

The Remote PED Vector (orange) PED key(s) for the target HSM

The Crypto Officer (black) PED key(s) for the target partition

>The following policies are set:

HSM policy 16: Allow network replication is set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition you want to restore to.

[V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition you want to restore to.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid experiencing frequent CKR_CALLBACK_ERRORS, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To restore a multifactor quorum-authenticated partition from backup

1.Configure your Luna Network HSM 7 appliance using one of the following configurations:

a.Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b.Connect the backup HSM directly to one of the USB ports on the Luna Network HSM 7 appliance using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

c.Get the serial number of the backup HSM, or read the serial number from the backup HSM display screen.

lunash:> token backup list

d.Connect the Remote PED to the Luna Network HSM 7 appliance. You can connect a Remote PED directly to the Luna Network HSM 7 appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a remote PED:

NOTE   The Luna PED must be connected to one of the appliance USB ports, and not the one on the HSM card.

The Luna PED must be set to Remote PED mode (see Modes of Operation).

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

NOTE   A remote PED connected to the USB port on the appliance uses the appliance pedserver service. If the PED is not responding, use the lunash:> service commands to verify the service status and restart if necessary. The Luna PED must be in Remote mode.

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <remote_ped_host_ip_address>

Respond to the prompts on the PED to insert the Backup HSM's orange PED key(s).

2.Display a list of application partitions; you require the label for the partition you are restoring to.

lunash:> partition list

3.Display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4.Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <source_backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to erase the contents of the partition and replace them with the contents of the backup.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

5.You are prompted for the following credentials in the following order:

If the target partition is activated:

i.[In LunaSH] The Crypto Officer challenge secret for the target partition

ii.The Crypto Officer (black) PED key(s) for the backup partition

If the target partition is not activated:

i.The Remote PED Vector (orange) PED key(s) for the target HSM

ii.The Crypto Officer (black) PED key(s) for the target partition

iii.The Remote PED Vector (orange) PED key(s) for the backup HSM

iv.The Crypto Officer (black) PED key(s) for the backup partition

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

6.Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect
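The backup and restore procedures above are usually scripted by operators who run them on a schedule. The following POSIX shell runbook is an added example, not Thales code or documentation: it assembles the LunaSH command lines from both procedures and refuses to send a command that violates a constraint the text states (an existing backup partition needs -add or -replace unless the source is a V1 partition, a restore always needs a mode, and -replace onto a V1 partition erases existing material). The appliance hostname, the admin account name, the partition labels and serial number are placeholders, and it assumes the appliance accepts a single LunaSH command on the ssh command line; with LUNA_DRY_RUN=1 (the default here) it only prints what it would run.

```shell
#!/bin/sh
# Added example (not Thales documentation or code). Builds and, outside dry-run
# mode, sends the LunaSH commands used in the backup and restore procedures.
# Hypothetical settings: APPLIANCE, ADMIN_USER, and all labels/serials below.

APPLIANCE="${APPLIANCE:-hsm.example.internal}"   # placeholder appliance hostname
ADMIN_USER="${ADMIN_USER:-admin}"                # admin-level LunaSH account
LUNA_DRY_RUN="${LUNA_DRY_RUN:-1}"                # 1 = print commands only

# Send one LunaSH command to the appliance, or print it in dry-run mode.
lunash() {
    if [ "$LUNA_DRY_RUN" = "1" ]; then
        printf 'lunash:> %s\n' "$*"
    else
        ssh "${ADMIN_USER}@${APPLIANCE}" "$*"
    fi
}

# A PED on the appliance USB port uses the local pedserver (loopback) and needs
# the Backup HSM serial; a network-attached PED is addressed by host IP only.
ped_connect_cmd() {   # $1 = backup HSM serial, $2 = remote pedserver host or ""
    if [ -n "$2" ]; then
        printf 'hsm ped connect -ip %s' "$2"
    else
        printf 'hsm ped connect -ip 127.0.0.1 -serial %s' "$1"
    fi
}

ped_disconnect_cmd() {   # same arguments as ped_connect_cmd
    if [ -n "$2" ]; then
        printf 'hsm ped disconnect'
    else
        printf 'hsm ped disconnect -serial %s' "$1"
    fi
}

# partition backup: -tokenpar is optional for a new backup partition (the
# appliance then names it <source>_<YYYYMMDD>); an existing target requires
# -add or -replace, except for a V1 partition where only the SMK is backed up.
backup_cmd() {   # $1 source label, $2 serial, $3 existing target or "", $4 add|replace|"", $5 is_v1 (0/1)
    cmd="partition backup -partition $1 -serial $2"
    [ -n "$3" ] && cmd="$cmd -tokenpar $3"
    case "$4" in
        add|replace) cmd="$cmd -$4" ;;
        "") if [ -n "$3" ] && [ "${5:-0}" != "1" ]; then
                echo "error: existing backup partition '$3' requires add or replace" >&2
                return 1
            fi ;;
        *)  echo "error: mode must be add or replace, got '$4'" >&2; return 1 ;;
    esac
    printf '%s' "$cmd"
}

# partition restore: the mode is mandatory. For a V1 target, -add restores the
# SMK; -replace wipes the target first, so it is refused unless force=1.
restore_cmd() {   # $1 target label, $2 backup partition label, $3 serial, $4 add|replace, $5 is_v1, $6 force (0/1)
    case "$4" in
        add) ;;
        replace) if [ "${5:-0}" = "1" ] && [ "${6:-0}" != "1" ]; then
                     echo "error: replace on a V1 partition erases its contents; pass force=1 to confirm" >&2
                     return 1
                 fi ;;
        *) echo "error: restore requires add or replace" >&2; return 1 ;;
    esac
    printf 'partition restore -partition %s -tokenpar %s -serial %s -%s' "$1" "$2" "$3" "$4"
}

# One backup run, mirroring steps 1d to 6 of the backup procedure. The PED
# prompts for the orange/blue/black/red keys still happen on the PED itself.
run_backup() {   # $1 source label, $2 serial, $3 existing target or "", $4 mode or "", $5 remote PED host or ""
    cmd=$(backup_cmd "$1" "$2" "$3" "$4" 0) || return 1
    lunash "$(ped_connect_cmd "$2" "$5")"
    lunash "token backup partition list -serial $2"
    lunash "$cmd"
    lunash "$(ped_disconnect_cmd "$2" "$5")"
}

# Placeholder invocation: new backup partition, PED on the appliance USB port.
run_backup "app_part_01" "12345678" "" "" ""
```

The validation happens before any PED interaction starts, which matters because an interrupted backup (for example, one that fails at the -add/-replace check after the PED session is open) can leave a single backup partition occupying the Backup HSM's full available space, as the backup procedure notes.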