partition backup

Back up the application partition contents to a Luna Backup HSM. This command copies the contents of a partition to a partition on the Backup HSM.

If you are creating a new backup partition, it is initialized during this process with the same cloning domain as the source partition. If you are backing up new objects to an existing backup partition with existing backup objects, you are prompted to verify if this destructive command should continue.

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.

If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client:

>Luna Backup HSM 7 Connected to Luna HSM Client Using Direct Multifactor Quorum Authentication

>Luna Backup HSM 7 Connected to Luna HSM Client Using Remote Multifactor Quorum Authentication

>Luna Backup HSM 7 Connected to Luna HSM Client Using Password Authentication

>Backup/Restore Using Luna Backup HSM G5 Connected to Luna HSM Client

Only the SMK can be backed up/restored using an appliance-connected backup HSM.

For a list of required credentials, refer to:

Luna Backup HSM 7:

>Direct Authentication: Backing Up a Multifactor Quorum-Authenticated Partition

>Remote PED Authentication: Backing Up a Multifactor Quorum-Authenticated Partition

>Backing Up a Password-Authenticated Partition

Luna Backup HSM G5:

>Backing Up an Application Partition

User Privileges

Users with the following privileges can perform this command:

>Admin

>Operator

Syntax

partition backup -partition <name> -serial <serialnum> [-tokenpar <name>] [-password <password>] [-tokensopwd <password>] [-domain <domain>] [-defaultdomain] [-tokenpw <password>] [-add] [-replace] [-force]

Argument(s) Shortcut Description
-add -a

Add objects to the existing backup partition specified with -tokenpar. Incremental backup (append). If the OUIDs of any source objects match OUIDs of objects already stored on the target backup, they are not backed up, and the existing backup objects are not overwritten.

You must specify -add or -replace when backing up to an existing backup partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

-defaultdomain -de Use the default domain string. Deprecated. This is retained only for benefit of customers who have previously used the default domain, and are constrained to continue using it, until they create new objects on an HSM with a proper domain. For security reasons, avoid using this option.
-domain <domain> -do

Specifies the domain string that was used when creating the source partition. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the partition's red PED key.

If you are creating a new backup partition, the application partition's domain is automatically used to initialize the backup partition. If you are specifying an existing backup partition as destination, the operation will only succeed if the domains match.

-force -f Force the action without prompting.
-partition <partition_name> -par Specifies the name of the source partition from which all data/key objects are backed up. Obtain the partition name by using the partition list command.
-password <partition password> -pas The partition Crypto Officer's password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the partition Crypto Officer's black PED key.
-replace -r

Erase the contents of the existing backup and replace them with the contents of the source partition.

You must specify -add or -replace when backing up to an existing backup partition. You do not need to specify these options when backing up a V1 partition, as only the SMK is backed up.

-tokenpar <backup_partition_name> -tokenpa

Specifies the name of the destination backup partition on the Backup HSM. If you specify the name of an existing backup, that partition is selected. If no partition exists with the supplied label, one is created.

Note: Do not begin your partition label with a numeral. This can later be misinterpreted by some commands as a slot number, rather than a text label, resulting in failure of the command.

-tokenpw <backup_partition_password> -tokenpw Specifies the backup partition's Crypto Officer password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the Crypto Officer's black PED key.
-tokensopwd <backup_HSM_SO_pwd> -tokens

The Backup HSM SO's password.Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the Backup HSM SO's blue PED key.

The Backup SO password need not be the same password or PED key as used for the source HSM SO.

-serial <serial_number> -s Specifies the Backup HSM serial number.

Example

lunash:>partition backup -partition sa78par1 -tokenpar sa78par1backup -serial 496771

  Please enter the password for the HSM user partition:
  > ********

  Please enter a password for the user on the backup token:
  > ********

  Please enter the cloning domain set when the HSM user partition was created:
  > ********

Object "MT RSA 4096-bit Private KeyGen" (handle 70) cloned to handle 14 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 69) cloned to handle 18 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 53) cloned to handle 19 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 54) cloned to handle 23 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 52) cloned to handle 24 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 47) cloned to handle 28 on target
'partition backup' successful.

Command Result : 0 (Success)