Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Password Authentication

In this configuration, you connect the Luna Backup HSM 7 to a USB port on the Luna Network HSM 7 appliance, and enter passwords in LunaSH. This configuration allows you to perform backup/restore operations for all application partitions on that HSM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain. To use this method, you require:

>Luna Backup HSM 7 v1 or v2 with Luna Backup HSM 7 Firmware 7.7.1 or newer installed

>Luna Appliance Software 7.7.0 or newer installed on the Luna Network HSM 7

NOTE    

>The Luna Backup HSM 7 is shipped in Secure Transport Mode, and must be recovered from STM before first use. STM recovery requires LunaCM on a Luna HSM Client. See Recovering the Luna Backup HSM 7 from Secure Transport Mode.

>If you require the Luna Backup HSM 7 to be FIPS-compliant, you must complete an additional configuration step after initialization that requires LunaCM on a Luna HSM Client computer (see Configuring the Luna Backup HSM 7 for FIPS Compliance). Therefore, it may be simpler to initialize the Luna Backup HSM 7 at the client instead of using the procedure below (see Luna Backup HSM 7 Connected to Luna HSM Client Using Password Authentication).

>If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client (see Luna Backup HSM 7 Connected to Luna HSM Client Using Password Authentication). Only the SMK can be backed up/restored using an appliance-connected Backup HSM.

>If Secure Trusted Channel is enabled on the partition, the Backup HSM must be connected to the client (see Luna Backup HSM 7 Connected to Luna HSM Client Using Password Authentication).

This section provides instructions for the following procedures:

>Initializing the Luna Backup HSM 7 for Password Authentication

>Backing Up a Password-Authenticated Partition

>Restoring a Password-Authenticated Partition From Backup

Initializing the Luna Backup HSM 7 for Password Authentication

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna Network HSM 7 and using LunaSH commands to perform the initialization.

Prerequisites

>If necessary, recover the Luna Backup HSM 7 from Secure Transport Mode (see Recovering the Luna Backup HSM 7 from Secure Transport Mode).

To initialize the Luna Backup HSM 7 for password authentication

1. Configure your password-authenticated Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card:

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Get the serial number of the backup HSM with the following command, or read it from the Backup HSM display screen.

lunash:> token backup list

3. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted to set a new HSM SO password and the HSM domain string.

NOTE   If your organization requires FIPS compliance, there is an additional procedure you must complete before using the Luna Backup HSM 7 to back up partitions. Refer to Configuring the Luna Backup HSM 7 for FIPS Compliance.

Backing Up a Password-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the backup HSM. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

In addition to the credentials listed in Credentials Required to Perform Backup and Restore Operations, the Crypto Officer requires admin-level access to the appliance to access the LunaSH partition backup and partition restore commands (see Appliance Users and Roles).

Prerequisites

Before you begin, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 using an admin-level account to access LunaSH.

>You have the required credentials:

If you are creating a new backup:

The Crypto Officer password and domain string for the source partition

The HSM SO password for the backup HSM

If you are adding to an existing backup initialized with the same domain string as the source partition:

The Crypto Officer password and domain string for the source partition

The HSM SO password for the backup HSM

The Partition SO and Crypto Officer passwords for the existing backup

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To back up a password-authenticated partition

1. Configure your Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card:

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Get the serial number of the backup HSM with the following command, or read it from the Backup HSM display screen.

lunash:> token backup list

3. Display a list of application partitions; you require the label for the partition you are backing up.

lunash:> partition list

4. If you plan to back up to an existing partition on the Backup HSM, display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

5. Initiate the backup operation:

lunash:> partition backup -partition <source_partition_label> -serial <backup_hsm_serial_number> [-tokenpar <target_backup_partition_label>] [-tokensopwd <backup_hsm_SO_password>] [-add | -replace]

NOTE   You must specify the -tokensopwd option, as well as -add or -replace when backing up to an existing backup partition. Use -add to add only new objects. Use -replace to add new objects and overwrite existing objects. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

If you omit the -tokenpar option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If the backup operation is interrupted (if the Backup HSM is unplugged, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunash:> token backup partition delete before reattempting the backup operation.

6. Respond to the prompts for the following passwords:

a. The Crypto Officer password for the source partition

b. The Crypto Officer password for the target partition on the backup HSM (only if you specified an already-existing backup)

c. If you are creating a new backup, you must provide the domain string for the source partition -- it is used to initialize the new backup partition so that objects can be cloned. If your target is an existing backup partition, the operation will proceed only if the domains match.

The backup begins once you have completed the authentication process. Objects are backed up one at a time.

Restoring a Password-Authenticated Partition From Backup

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain string.

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You are able to log in to the Luna Network HSM 7 appliance using an admin-level account to access LunaSH.

>The target partition must be initialized with the same domain string as the backup partition.

>You have the required credentials:

The Crypto Officer password for the target partition

The Crypto Officer password for the backup partition

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition you want to restore to.

[V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition you want to restore to.

To restore a password-authenticated partition

1. Configure your Luna Network HSM 7 as illustrated below:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM 7 using the included USB cable.

NOTE   The Luna Backup HSM 7 must be connected to one of the appliance USB ports, and not the one on the HSM card:

The Luna Network HSM 7 USB connection provides adequate power, and connecting the provided power supply is not recommended.

2. Display a list of application partitions; you require the label for the partition you are restoring to.

lunash:> partition list

3. Display a list of the existing backups.

lunash:> token backup partition list -serial <backup_hsm_serial_number>

4. Initiate the restore operation:

lunash:> partition restore -partition <target_user_partition_label> -tokenpar <backup_partition_label> -serial <backup_hsm_serial_number> {-add | -replace}

Use the -add option to add only new objects, or the -replace option to add new objects and overwrite existing objects.

CAUTION!   If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK. Use -replace only if you wish to erase any existing cryptographic material on the target partition. By default, V1 backups only include the SMK.

5. Respond to the prompts for the following passwords:

a. The Crypto Officer password for the target partition

b. The Crypto Officer password for the backup partition

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.
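
A pre-flight check for scripted use of the backup (step 5) and restore (step 4) commands above, added here as an example and not part of the vendor documentation: it composes the LunaSH argument list and rejects option combinations that the notes rule out. The function names, the `existing`, `v1` and `allow_erase` parameters, and the allowed label character set are assumptions of this example; only LunaSH options shown on this page are emitted.

```python
import re
from datetime import date

# Assumption (not a LunaSH rule): accept only labels/serials that cannot be
# mistaken for an option, so a label such as "-replace" is never passed through.
SAFE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

def _safe(value, what):
    if not SAFE.fullmatch(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value

def default_backup_name(source_label, hsm_date):
    # Name assigned when -tokenpar is omitted: <source_partition_name>_<YYYYMMDD>,
    # taken from the source HSM's own clock, not the operator's workstation.
    return f"{_safe(source_label, 'partition label')}_{hsm_date:%Y%m%d}"

def backup_args(source, serial, tokenpar=None, existing=False,
                so_password=None, mode=None, v1=False):
    args = ["partition", "backup", "-partition", _safe(source, "partition label"),
            "-serial", _safe(serial, "serial number")]
    if tokenpar is not None:
        args += ["-tokenpar", _safe(tokenpar, "backup label")]
    elif existing:
        # Assumption: an existing backup is always selected by name.
        raise ValueError("an existing backup must be named with -tokenpar")
    if existing and not v1:  # V1 backups carry only the SMK; options not needed
        if so_password is None or mode not in ("add", "replace"):
            raise ValueError("existing backup requires -tokensopwd and -add or -replace")
        args += ["-tokensopwd", so_password, "-" + mode]
    return args

def restore_args(target, tokenpar, serial, mode, v1=False, allow_erase=False):
    if mode not in ("add", "replace"):
        raise ValueError("restore requires -add or -replace")
    if v1 and mode == "replace" and not allow_erase:
        # -replace on a V1 partition erases existing cryptographic material
        raise ValueError("V1 restore with -replace needs explicit allow_erase")
    return ["partition", "restore", "-partition", _safe(target, "partition label"),
            "-tokenpar", _safe(tokenpar, "backup label"),
            "-serial", _safe(serial, "serial number"), "-" + mode]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real HSM.
    print(" ".join(backup_args("par1", "700123")))
    print(" ".join(restore_args("par1", default_backup_name("par1", date(2024, 3, 5)),
                                "700123", "add", v1=True)))
```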