Luna Backup HSM 7 Connected to Luna HSM Client Using Direct Multifactor Quorum Authentication

In this configuration, you connect the Luna Backup HSM 7 to a USB port on the Luna HSM Client, and insert PED keys directly into the Luna Backup HSM 7. This allows you to perform backup/restore operations for all application partitions that can be accessed by the client. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain. To use this method, you require:

>Luna Backup HSM 7 v2

>Luna HSM Client 10.4.0 or newer

This section provides instructions for the following procedures:

>Initializing the Luna Backup HSM 7

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Multifactor Quorum-Authenticated Partition

>Restoring To a Multifactor Quorum-Authenticated Partition

Initializing the Luna Backup HSM 7

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna HSM Client and using LunaCM commands to perform the initialization.

Prerequisites

You need the following PED keys:

>N number of blue (HSM SO) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

>Blank or reused red (Domain) PED key(s)

NOTE   Use the USB-C adapter in the USB port on the right side of the Luna Backup HSM 7 to insert PED keys.

To initialize the Luna Backup HSM 7

1. Connect your Luna Backup HSM 7 to a workstation:

a. Install the required Luna HSM Client software on the workstation, including the Backup option. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Launch LunaCM on the client workstation.

3. Select the slot assigned to the backup HSM Admin partition.

lunacm:> slot set -slot <slot_id>

4. If necessary, recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna Backup HSM 7 from secure transport mode may take up to three minutes.

5. Initialize the selected backup HSM, specifying a label and the -iped authentication mode.

lunacm:> hsm init -iped -label <label>

>You are prompted by the touchscreen for the blue HSM SO PED key(s) and red Domain PED key(s). Respond to the prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Multifactor Quorum-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the Luna Backup HSM 7. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

Prerequisites

>You have the required credentials:

If the source partition is not activated:

[Remote PED authentication] The Remote PED Vector (orange) PED key(s) for the source HSM

The Crypto Officer (black) PED key(s) for the source partition

TIP   If the source partition is activated, only the source partition Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to backup. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

If you are creating a new backup partition:

New or reused Partition SO (blue) PED key(s) to initialize the backup partition

The Domain (red) PED key(s) for the source partition, to initialize the domain on the backup

New or reused Crypto Officer (black) PED key(s) to initialize the CO role on the backup partition

If you are backing up to an existing backup partition whose domain matches the source partition:

The existing Partition SO (blue) PED key(s) for the backup partition, to log in

The existing Crypto Officer (black) PED key(s) for the backup partition

NOTE   Use the USB-C adapter in the USB port on the right side of the Luna Backup HSM 7 to insert PED keys.

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To back up a multifactor quorum-authenticated partition

1. Configure your Luna HSM Client workstation. Complete the steps below in order; steps marked as applying to a non-activated source partition are required only if the source partition is not activated (if it is activated, skip them):

a. If you have not already done so, install the required client software on the Luna HSM Client workstation. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

c. [Non-activated source partition, Local PED] Connect the PED to the USB port on the Luna Network HSM 7 card, using the PED USB cable.

d. [Non-activated source partition] Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running PEDserver.

2. [Non-activated source partition] Start the pedserver service on the workstation used to host the remote PED:

Windows: C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux: /usr/safenet/lunaclient> pedserver -mode start

3. Launch LunaCM on the workstation that hosts the Luna Network HSM 7 partition slots.

4. Identify the slot assignments for:

The Luna Network HSM 7 partition you want to back up.

The Luna Backup HSM 7 admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

5. Select the Luna Network HSM 7 partition:

lunacm:> slot set -slot <slot_id>

6. Log in to the partition as Crypto Officer (CO):

If the partition is activated, use the following command and provide the Crypto Officer (CO) challenge secret as prompted:

lunacm:> role login -name co

If the partition is not activated:

i. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is the default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii. Log in to the selected Luna Network HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

iii. Respond to the prompts on the PED to provide the orange (PED vector) PED key(s) and PIN for the Luna Network HSM 7 and the black (CO) key(s) and PIN for the CO role on the application partition.

iv. Disconnect the remote PED session. Note that you will remain logged in to the Luna Network HSM 7 partition:

lunacm:> ped disconnect

7. Initiate the backup:

lunacm:> partition archive backup -slot <backup_HSM_admin_slot> [-partition <target_backup_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. If you are backing up to an existing backup partition, you can use the following options to define how individual objects are backed up:

>-append: Add only new objects to an existing backup.

>-replace: Delete the existing objects in the target backup partition and replace them with the contents of the source user partition. This is the default.

>-append -replace: Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

NOTE   If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to PED prompts, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunacm:> partition archive delete before reattempting the backup operation.
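To make the three option combinations concrete, the following is a small model of the object-level behaviour described above. It is an added example, not Thales code, and it does not call LunaCM: objects are represented only by an OUID and a fingerprint, which is all the documentation describes, and the sample partitions and fingerprint strings are constructed for the illustration.

```python
"""Added model of the -append / -replace semantics of ``partition archive backup``.

Not Thales code: an illustration of the documented object-level behaviour only.
Objects carry an OUID (stable identity) and a fingerprint (changes whenever an
attribute changes); the fingerprint values below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HsmObject:
    ouid: str         # object unique identifier, stable across attribute edits
    fingerprint: str  # changes when any object attribute is modified
    label: str


def backup(existing, source, append=False, replace=False):
    """Return the backup partition contents (keyed by OUID) after the operation.

    Documented semantics:
      no option / -replace : wipe the target backup partition, copy the source.
      -append              : add objects whose OUID is not yet in the backup;
                             everything already in the backup is left as is.
      -append -replace     : add new objects, and overwrite an existing object
                             whose OUID matches but whose fingerprint differs.
    """
    if not append:
        # -replace is the default, so this branch also covers "no option given"
        return {obj.ouid: obj for obj in source}

    result = {obj.ouid: obj for obj in existing}
    for obj in source:
        current = result.get(obj.ouid)
        if current is None:
            result[obj.ouid] = obj  # new since the last backup: always added
        elif replace and current.fingerprint != obj.fingerprint:
            result[obj.ouid] = obj  # attribute changed: refreshed only with -append -replace
    return result


# Constructed sample state: a previous backup, and the source partition as it
# looks now (B's attributes were edited, C was deleted from the source, D is new).
EXISTING_BACKUP = [
    HsmObject("ouid-A", "fp-a1", "signing-key"),
    HsmObject("ouid-B", "fp-b1", "tls-key"),
    HsmObject("ouid-C", "fp-c1", "old-wrapping-key"),
]
SOURCE_NOW = [
    HsmObject("ouid-A", "fp-a1", "signing-key"),
    HsmObject("ouid-B", "fp-b2", "tls-key"),          # same OUID, new fingerprint
    HsmObject("ouid-D", "fp-d1", "new-wrapping-key"),
]


def fingerprints_after(append=False, replace=False):
    """Return {ouid: fingerprint} of the backup for the chosen option combination."""
    result = backup(EXISTING_BACKUP, SOURCE_NOW, append=append, replace=replace)
    return {ouid: obj.fingerprint for ouid, obj in sorted(result.items())}


if __name__ == "__main__":
    for flags in ("-replace (default)", "-append", "-append -replace"):
        chosen = fingerprints_after("-append" in flags, "-replace" in flags)
        print(f"{flags:20} -> {chosen}")
```

Running the model shows the point that is easy to miss in the option descriptions: with -append alone, an object whose attributes changed since the last backup keeps its stale copy in the backup, and an object deleted from the source is never removed; only the default -replace behaviour gives a backup that mirrors the source partition exactly.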

8. Respond to the prompts on the Luna Backup HSM 7 touchscreen to insert the following PED keys:

If you are creating a new backup partition:

i. The blue HSM SO PED key(s) for the backup HSM.

ii. You are prompted to initialize the backup Partition SO role by creating a new blue PED key or reusing an existing key. After you initialize the role, you are prompted to insert the key again to log in as Partition SO.

iii. The red Domain PED key(s). This must be the same PED key(s) used for the Luna Network HSM 7 partition, otherwise the backup will fail.

iv. The blue Partition SO PED key(s) for the backup partition, to log in again.

v. You are prompted to initialize the Crypto Officer role for the backup by creating a new black PED key or reusing an existing key. After you initialize the role, you are prompted to insert the key again to log in as Crypto Officer.

If you are backing up to an existing backup partition whose domain matches the source partition:

i. The blue HSM SO PED key(s) for the backup HSM.

ii. The blue Partition SO PED key(s) for the backup.

iii. The black Crypto Officer PED key(s) for the backup.

Restoring To a Multifactor Quorum-Authenticated Partition

You can restore the objects from a multifactor quorum-authenticated backup partition to the same partition that was originally backed up, or to another partition that has been initialized with the same domain (red PED key).

Prerequisites

>The target partition must be initialized using the same domain (red PED key) as the backup partition, the Crypto Officer role must be initialized and the CO role credential changed from its initial value.

>You require the Crypto Officer challenge secret for the target partition.

If the target partition is not activated, you also require:

[Remote PED authentication] The Remote PED Vector (orange) PED key(s) for the target HSM

The Crypto Officer (black) PED key(s) for the target partition

TIP   If the target partition is activated, only the Crypto Officer's challenge secret is required. To simplify the backup process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore from backup. See Activation on Multifactor Quorum-Authenticated Partitions for more information.

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition you want to restore to.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition you want to restore to.

To restore a multifactor quorum-authenticated partition

1. Configure your Luna HSM Client workstation. Complete the steps below in order; steps marked as applying to a non-activated partition are required only if the destination partition is not activated (if it is activated, skip them):

a. If you have not done so already, install the required client software on the Luna HSM Client workstation. See Luna HSM Client Software Installation for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

c. [Non-activated destination partition] Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running PEDserver.

2. [Non-activated destination partition] Start the pedserver service on the workstation used to host the remote PED:

Windows: C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux: /usr/safenet/lunaclient> pedserver -mode start

3. Launch LunaCM on the workstation that hosts the Luna Network HSM 7 and backup partition slots.

4. Identify the slot assignments for:

The Luna Network HSM 7 partition you want to restore to.

The backup HSM admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

5. Select the Luna Network HSM 7 partition you want to restore from backup:

lunacm:> slot set -slot <slot_id>

6. Log in to the partition as Crypto Officer (CO):

If the partition is activated, use the following command and provide the Crypto Officer (CO) challenge secret as prompted:

lunacm:> role login -name co

If the partition is not activated:

i. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is the default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii. Log in to the selected Luna Network HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

iii. Respond to the prompts on the PED to provide the orange (PED vector) PED key(s) and PIN for the Luna Network HSM 7 and the black (CO) key(s) and PIN for the CO role on the application partition.

iv. Disconnect the remote PED session. Note that you will remain logged in to the Luna Network HSM 7 partition:

lunacm:> ped disconnect

7. List the available backups on the Backup HSM by specifying the Backup HSM's slot number. You will require the backup partition label to perform the restore operation.

lunacm:> partition archive list -slot <backup_HSM_admin_slot>

8. Initiate the restore operation. Respond to the prompts on the Luna Backup HSM 7 touchscreen to insert the required PED keys.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <backup_partition_label> [-smkonly]

CAUTION!   The -replace option is deprecated and has been removed in Luna HSM Client 10.7.0 and newer. If you wish to restore an earlier version of an object, Thales recommends deleting the object(s) manually before restoring the partition from backup.

Ensure that the target partition can receive objects from the backup HSM before deleting objects or using partition archive restore with the -replace option; the cloning protocol may prevent objects from being restored, even if LunaCM states that X objects will be restored. This may occur if HSM policy 55: Enable Restricted Restore was enabled on the Luna Backup HSM 7 since the original backup was taken. If your partition is on an HSM with firmware older than Luna HSM Firmware 7.7.0, you must update to 7.7.0 or newer to restore objects from this backup.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information). By default, the SMK and any cryptographic material on the backup are restored.

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.