partition restore
Restores the contents of a backup partition stored on a Luna Backup HSM to an application partition. The partition Crypto Officer executing this command has the option of replacing the objects existing on the partition or adding to them.
NOTE: To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:
>Luna Backup HSM 7 Firmware 7.7.1
>Luna Backup HSM G5 Firmware 6.28.0
You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.
When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.
If you are backing up or restoring encrypted blobs stored on a V1 partition, the Backup HSM must be connected to the client:
>Luna Backup HSM 7 Connected to Luna HSM Client Using Direct Multifactor Quorum Authentication
>Luna Backup HSM 7 Connected to Luna HSM Client Using Remote Multifactor Quorum Authentication
>Luna Backup HSM 7 Connected to Luna HSM Client Using Password Authentication
>Backup/Restore Using Luna Backup HSM G5 Connected to Luna HSM Client
Only the SMK can be backed up/restored using an appliance-connected backup HSM.
For a list of required credentials, refer to:
Luna Backup HSM 7:
>Direct Authentication: Restoring a Multifactor Quorum-Authenticated Partition From Backup
>Remote PED Authentication: Restoring a Multifactor Quorum-Authenticated Partition From Backup
>Restoring a Password-Authenticated Partition From Backup
Luna Backup HSM G5:
>Restoring an Application Partition from Backup
User Privileges
Users with the following privileges can perform this command:
>Admin
>Operator
Syntax
partition restore -partition <name> -tokenpar <name> -serial <serialnum> {-add | -replace} [-password <password>] [-tokenpw <password>] [-force]
| Argument(s) | Shortcut | Description |
|---|---|---|
| -add | -a | Add objects to the application partition specified with -partition. Incremental restore (append). If the OUIDs of any source objects match OUIDs of objects already stored on the target partition, they are not restored, and the existing objects are not overwritten. You must specify either -add or -replace. CAUTION! If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK and keep any existing objects on the partition. Use -replace only if you wish to erase any existing objects. By default, V1 backups only include the SMK. |
| -force | -f | Force the action without prompting. |
| -partition <name> | -par | Specifies the name of the target application partition to restore from backup. Obtain the partition name by using the partition list command. |
| -password <password> | -pas | The partition Crypto Officer's password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the partition Crypto Officer's black PED key. |
| -replace | -r | Erase all existing objects on the application partition and replace them with the contents of the backup. You must specify either -add or -replace. CAUTION! If you are restoring a V1 backup to a V1 partition, use -add to restore the SMK and keep any existing objects on the partition. Use -replace only if you wish to erase any existing objects. By default, V1 backups only include the SMK. |
| -serial <serialnum> | -s | Specifies the Luna Backup HSM serial number. |
| -tokenpar <name> | -tokenpa | Specifies the backup partition name. |
| -tokenpw <password> | -tokenpw | Specifies the backup partition's Crypto Officer password. If you do not supply this value on the command line, you are prompted for it. Applies to password-authenticated HSMs only; multifactor quorum-authenticated HSMs will prompt for the Crypto Officer's black PED key. |
Example
```
lunash:>partition restore -partition sa78par1 -tokenpar sa78par1backup -serial 496771 -add

Please enter the password for the token user partition:
> ********

Please enter the password for the HSM user partition:
> ********

Object "MT RSA 4096-bit Private KeyGen" (handle 14) cloned to handle 46 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 18) cloned to handle 49 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 19) cloned to handle 52 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 23) cloned to handle 48 on target
Object "MT RSA 4096-bit Private KeyGen" (handle 24) cloned to handle 57 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 28) cloned to handle 70 on target
'partition restore' successful.

Command Result : 0 (Success)
```
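The following added example is not Thales code: it models the -add versus -replace merge rules described in the argument table (OUID matching, skip-on-match for -add, erase-first for -replace) and parses a lunash restore transcript of the form shown above so a script can confirm the result code and the handle mappings. The OUID values and the sample transcript are constructed for illustration.

```python
"""Model of `partition restore` -add/-replace semantics plus a parser for its
lunash output. Added illustration, not Thales code; OUIDs are constructed."""
import re
from typing import Dict, List, Tuple

# Partition contents keyed by OUID, the identity the HSM compares on -add.
Objects = Dict[str, str]


def restore(target: Objects, backup: Objects, mode: str) -> Tuple[Objects, List[str]]:
    """Return (partition contents after restore, OUIDs actually restored).

    mode="add"     -> incremental: a backup object whose OUID already exists on
                      the target is skipped and the existing object is kept.
    mode="replace" -> the target is erased first, then filled from the backup.
    """
    if mode == "replace":
        result: Objects = {}
    elif mode == "add":
        result = dict(target)
    else:
        raise ValueError("you must specify either add or replace")
    restored: List[str] = []
    for ouid, label in backup.items():
        if ouid in result:  # -add: OUID already present, keep existing object
            continue
        result[ouid] = label
        restored.append(ouid)
    return result, restored


CLONE_RE = re.compile(
    r'Object "(?P<label>[^"]+)" \(handle (?P<src>\d+)\) cloned to handle (?P<dst>\d+) on target')
RESULT_RE = re.compile(r"Command Result : (?P<code>\d+)")


def parse_restore_output(text: str) -> Tuple[int, List[Tuple[str, int, int]]]:
    """Extract (result code, [(label, source handle, target handle), ...]) from a
    lunash `partition restore` transcript; result code is -1 if none is found."""
    clones = [(m["label"], int(m["src"]), int(m["dst"])) for m in CLONE_RE.finditer(text)]
    m = RESULT_RE.search(text)
    return (int(m["code"]) if m else -1), clones


# Constructed transcript in the format lunash prints (two objects, success).
SAMPLE_OUTPUT = """Object "MT RSA 4096-bit Private KeyGen" (handle 14) cloned to handle 46 on target
Object "MT RSA 4096-bit Public KeyGen" (handle 18) cloned to handle 49 on target
'partition restore' successful.
Command Result : 0 (Success)"""
```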