Backup/Restore Using Client-Connected Luna Backup HSM 7 v1

You can connect the Luna Backup HSM 7 to a USB port on the Luna HSM Client workstation. This configuration allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. It is useful in deployments where the Crypto Officer wants to keep backups at the client. You can restore a backup to the original source partition or to another Luna application partition that shares the same cloning domain.

NOTE   The Luna Backup HSM 7 v1 requires Luna HSM Client 10.1.0 or newer.

This section provides instructions for the following procedures using this kind of deployment:

Procedures for multifactor quorum-authenticated partitions:

>Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Multifactor Quorum-Authenticated Partition

>Restoring To a Multifactor Quorum-Authenticated Partition

Procedures for password-authenticated partitions:

>Initializing the Luna Backup HSM 7 for Password Authentication

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Password-Authenticated Partition

>Restoring to a Password-Authenticated Partition

Initializing the Luna Backup HSM 7 for Multifactor Quorum Authentication

You must initialize the backup HSM prior to first use. The procedure below includes the following tasks:

>Recover the HSM from Secure Transport Mode (STM). STM allows you to verify that the HSM was not tampered with in transit. All new HSMs are shipped from the factory in Secure Transport Mode.

>Create the orange (Remote PED vector) PED key for the backup HSM. You create the orange key using a one-time, password-secured connection between the PED and the backup HSM. You then use this orange key to secure all subsequent connections between the PED and the backup HSM.

>Set the authentication mode of the HSM to multifactor quorum authentication, which must match the application partitions being backed up.

>Set the security domain of the HSM.

>Create the HSM SO role on the HSM (see HSM Roles). This role is required to create or modify a backup partition, and must be logged in to perform a backup.

Prerequisites

You will need the following PED keys:

>A blank orange (PED vector) PED key, plus the number required to create duplicate PED keys as necessary.

CAUTION!    Always make copies of your orange PED keys, or declare MofN as one-of-several, and store at least one safely. For the Luna Backup HSM 7, the orange PED key is as important as the HSM SO blue key or the Domain red key (this contrasts with other Luna HSMs, where a lost or damaged orange key can be easily replaced via a local PED connection).

A Remote PED Vector (RPV), on an orange PED key or on an associated HSM, is not a role; it is required to set up the secure tunnel for Remote PED operation.

When used with a multifactor quorum-authenticated Luna Backup HSM 7, the PED always connects remotely. The single USB port on the Backup HSM is for the connection to a client computer; the PED is never connected locally/directly to the Luna Backup HSM 7. Therefore, losing the orange PED key (RPK) for that Luna Backup HSM 7, without access to a copy, would mean losing the material backed up on that Backup HSM.

>N blue (HSM SO) PED keys, where N is defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

>Blank or reused red (Domain) PED key(s)

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR responses, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To initialize a Luna Backup HSM 7 for multifactor quorum authentication

1. Configure your Luna HSM Client workstation as follows:

a. Install the required client software on the Luna HSM Client workstation. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

c. Connect the Luna PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedserver.

2. Start the pedserver service on the workstation used to host the remote PED:

Windows:  C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux:    /usr/safenet/lunaclient> pedserver -mode start

3. Launch LunaCM on the workstation that hosts the user and backup partition slots.

4. Select the slot assigned to the backup HSM Admin partition.

lunacm:> slot set -slot <slot_id>

5. If necessary, recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna Backup HSM 7 from secure transport mode may take up to three minutes.

6. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default).

lunacm:> ped connect -ip <ip_address> -pwd

LunaCM generates and displays a one-time password that is used to set up a secure channel between the backup HSM and the PED, allowing you to securely initialize the orange (Remote PED Vector) PED key. Enter the displayed password on the PED when prompted to complete setup of the secure channel.

7. Create an orange (Remote PED vector) PED key for the backup HSM. The PED vector key is required for subsequent multifactor quorum-authenticated sessions to the HSM. Ensure that you label any new PED keys that you create during this process.

lunacm:> ped vector init

CAUTION!   The orange PED key is required for all Luna Backup HSM 7 operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

8. Tear down the one-time, password-protected secure channel between the backup HSM and the PED you used to create the orange (Remote PED vector) PED key.

lunacm:> ped disconnect

You are prompted to enter the one-time password that was generated when you performed ped connect. Enter the password and press Enter to proceed.

9. Set up a new secure channel between the backup HSM and the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default). You are prompted to insert the orange PED key you created in step 7.

lunacm:> ped connect

10. Initialize the selected backup HSM in multifactor quorum-authenticated mode. You are prompted by the PED for the red Domain PED key(s) and blue HSM SO PED key(s). Respond to the PED prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

lunacm:> hsm init -iped -label <label>

11. Use the Duplicate function on the PED to create and label duplicates of the new PED keys, as required. See Duplicating Existing PED keys for details.

12. Disconnect the PED when done.

lunacm:> ped disconnect

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Multifactor Quorum-Authenticated Partition

To perform a backup, you connect the backup HSM and a remote PED to the Luna HSM Client workstation that hosts the slot for the Luna PCIe HSM 7 partition you want to back up, and perform the following tasks:

1. Log in to the Luna PCIe HSM 7 partition as the Crypto Officer (CO):

If the Luna PCIe HSM 7 partition is activated, present the challenge secret.

If the Luna PCIe HSM 7 partition is not activated, present the required PED keys to log in to the partition as the Crypto Officer (CO).

2. Open a remote PED connection to the Luna Backup HSM 7. You are prompted for the orange (Remote PED vector) PED key for the backup HSM.

3. Perform the backup operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain PED keys for the backup HSM/partition.

Prerequisites

>You have the required credentials as listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the Luna PCIe HSM 7.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the application partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the application partition.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR responses, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To back up a multifactor quorum-authenticated partition

1. Configure your Luna HSM Client workstation as follows:

a. Install the required client software on the Luna HSM Client workstation. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

c. Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running PEDserver.

2. Start the pedserver service on the workstation used to host the remote PED:

Windows:  C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux:    /usr/safenet/lunaclient> pedserver -mode start

3. Launch LunaCM on the workstation that hosts the Luna PCIe HSM 7 partition slots.

4. Identify the slot assignments for:

The Luna PCIe HSM 7 partition you want to back up.

The Luna Backup HSM 7 admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

5. Select the Luna PCIe HSM 7 partition:

lunacm:> slot set -slot <slot_id>

6. Log in to the partition as Crypto Officer (CO):

If the partition is activated, use the following command and present the black Crypto Officer PED key(s) to the Luna PCIe HSM 7 as directed:

lunacm:> role login -name co

If the partition is not activated:

i. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii. Log in to the selected Luna PCIe HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

iii. Respond to the prompts on the PED to provide the orange (PED vector) PED key(s) and PIN for the Luna PCIe HSM 7 and the black (CO) key(s) and PIN for the CO role on the application partition.

iv. Disconnect the remote PED session. Note that you will remain logged in to the Luna PCIe HSM 7 partition:

lunacm:> ped disconnect

7. Select the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

8. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default):

lunacm:> ped connect [-ip <pedserver_host_ip>]

9. Select the Luna PCIe HSM 7 partition:

lunacm:> slot set -slot <slot_id>

10. Initiate the backup:

lunacm:> partition archive backup -slot <backup_HSM_admin_slot> [-partition <target_backup_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append            Add only new objects to an existing backup.

-replace           Delete the existing objects in a target backup partition and replace them with the contents of the source user partition. This is the default.

-append -replace   Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

NOTE   If the backup operation is interrupted (if the Backup HSM is unplugged, or if you fail to respond to PED prompts, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunacm:> partition archive delete before reattempting the backup operation.
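To make the three object-merge modes concrete, the following is an added example (it is not Thales code and does not talk to an HSM or to LunaCM): a shell script that models, over constructed OUID/fingerprint inventories, which objects end up in the backup partition and which objects are actually cloned to the Backup HSM under -replace (the default), -append, and -append -replace. The OUIDs and fingerprints are made-up sample values, and the reading that objects no longer present on the source are retained in the backup under the two -append modes is taken from the option descriptions above, not verified against the product.

```shell
#!/usr/bin/env bash
# Added example (not Thales code): models how -append, -replace and -append -replace
# merge a source partition into an existing backup partition, keyed on OUID and fingerprint.
# Inventories are constructed sample data: one object per line, "<OUID> <fingerprint>".

EXISTING_BACKUP="0x01 aa11
0x02 bb22
0x03 cc33"

# Since the last backup: 0x02 was modified (new fingerprint), 0x03 was deleted, 0x04 was created.
SOURCE_PARTITION="0x01 aa11
0x02 bb99
0x04 dd44"

# Prefix every inventory line with a tag so one awk pass can tell the two sides apart.
tagged() { printf '%s\n' "$2" | sed "s/^/$1 /"; }

# plan_backup <replace|append|append-replace> <existing> <source>
# Prints the backup partition contents after the operation, sorted by OUID.
plan_backup() {
  mode=$1; existing=$2; src=$3
  case "$mode" in
    replace)
      # Default behaviour: the target backup is emptied and refilled from the source.
      printf '%s\n' "$src" | LC_ALL=C sort ;;
    append)
      # Only OUIDs absent from the backup are added; an existing entry is kept as-is
      # even when the source object's fingerprint has changed (first occurrence wins).
      { printf '%s\n' "$existing"; printf '%s\n' "$src"; } |
        awk '!seen[$1]++' | LC_ALL=C sort ;;
    append-replace)
      # New OUIDs are added and entries whose fingerprint differs take the source's
      # version; objects no longer on the source stay in the backup.
      { printf '%s\n' "$src"; printf '%s\n' "$existing"; } |
        awk '!seen[$1]++' | LC_ALL=C sort ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# objects_to_clone <mode> <existing> <source>
# Prints the source objects that the operation actually sends to the Backup HSM.
objects_to_clone() {
  mode=$1; existing=$2; src=$3
  case "$mode" in
    replace)
      # Everything on the source is cloned again.
      printf '%s\n' "$src" | LC_ALL=C sort ;;
    append)
      # Only source OUIDs the backup does not have yet.
      { tagged E "$existing"; tagged S "$src"; } |
        awk '$1 == "E" { have[$2] = $3; next } !($2 in have) { print $2, $3 }' | LC_ALL=C sort ;;
    append-replace)
      # New OUIDs plus OUIDs whose fingerprint changed since the previous backup.
      { tagged E "$existing"; tagged S "$src"; } |
        awk '$1 == "E" { have[$2] = $3; next } !($2 in have) || have[$2] != $3 { print $2, $3 }' | LC_ALL=C sort ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

for m in replace append append-replace; do
  echo "== $m: backup partition contents after the operation"
  plan_backup "$m" "$EXISTING_BACKUP" "$SOURCE_PARTITION"
  echo "== $m: objects cloned to the Backup HSM"
  objects_to_clone "$m" "$EXISTING_BACKUP" "$SOURCE_PARTITION"
done
```

Running the script shows the practical difference: -append never refreshes object 0x02 even though its attributes changed, -replace is the only mode that drops the deleted object 0x03 from the backup, and -append -replace re-clones just the two objects that are new or changed.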

11. Respond to the prompts on the Luna PED to insert the following PED keys:

a. The blue (HSM SO) PED key(s) for the backup HSM. This is an existing PED key that was created when the backup HSM was initialized.

b. The blue (Partition SO) PED key(s) for the backup partition.

If this is the first time the Luna PCIe HSM 7 partition is being backed up to this backup HSM, you are prompted to initialize the backup Partition SO role by creating a new key or reusing an existing key (SETTING SO PIN). After you initialize the role, you are prompted to insert the key again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the PED key used to initialize the backup partition SO role.

c. The red (Domain) PED key(s). This must be the same PED key(s) used for the Luna PCIe HSM 7 partition, otherwise the backup will fail.

d. The black (Crypto Officer) PED key(s) for the backup partition.

If this is the first time the Luna PCIe HSM 7 partition is being backed up to this backup HSM, you must first initialize the backup partition CO role. This requires partition SO credentials, so you are prompted for the blue (Partition SO) PED key(s). After authenticating as the partition SO, you are prompted to initialize the backup partition CO role by creating a new PED key or reusing an existing PED key (SETTING SO PIN). After you initialize the partition CO role, you are prompted to insert the PED key(s) again to log in to the role (SO LOGIN).

For all subsequent backups, you must present the PED key(s) used to initialize the backup partition CO role.

12. Disconnect the PED from the Luna PCIe HSM 7 and Luna Backup HSM 7:

a. Disconnect the PED from the backup HSM:

lunacm:> ped disconnect

b. Select the slot for the Luna PCIe HSM 7 partition:

lunacm:> slot set -slot <slot_id>

c. Disconnect the PED from the Luna PCIe HSM 7 partition:

lunacm:> ped disconnect

13. If this is the first backup to the backup partition, use the Duplicate function on the PED to create and label a set of backup keys for the new backup partition PO (blue) and CO (black) PED keys. See Duplicating Existing PED keys for details.

Restoring To a Multifactor Quorum-Authenticated Partition

To restore the objects from a backup, you connect the backup HSM and a remote PED to the Luna HSM Client workstation that hosts the slot for the Luna PCIe HSM 7 partition you want to restore from backup, and perform the following tasks.

1. Log in to the Luna PCIe HSM 7 partition you want to restore to as the Crypto Officer (CO):

If the Luna PCIe HSM 7 partition is activated, present the challenge secret.

If the Luna PCIe HSM 7 partition is not activated, present the required PED keys to log in to the partition as the Crypto Officer (CO).

2. Open a remote PED connection to the backup HSM.

3. Perform the restore operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain PED keys for the backup HSM/partition. The backup partition and the partition you want to restore to must be members of the same domain.

Prerequisites

>You have the credentials listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the Luna PCIe HSM 7 partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the Luna PCIe HSM 7 partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the Luna PCIe HSM 7 partition.

>[Luna Backup HSM 7 Firmware 7.7.1 and newer only] Set the value of -pedwritedelay to 2000 to avoid frequent CKR_CALLBACK_ERROR responses, which will prevent you from completing the procedure below. For more information about this error, refer to Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver.

To restore a multifactor quorum-authenticated partition

1. Configure your Luna HSM Client workstation as follows:

a. Install the required client software on the Luna HSM Client workstation. See Luna HSM Client Software Installation for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

c. Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedserver.

2. Start the pedserver service on the workstation used to host the remote PED:

Windows:  C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux:    /usr/safenet/lunaclient> pedserver -mode start

3. Launch LunaCM on the workstation that hosts the Luna PCIe HSM 7 and backup partition slots.

4. Identify the slot assignments for:

The Luna PCIe HSM 7 partition you want to restore to.

The backup HSM admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

5. Select the Luna PCIe HSM 7 partition you want to restore from backup:

lunacm:> slot set -slot <slot_id>

6. Log in to the partition as Crypto Officer (CO):

If the partition is activated, use the following command and present the black Crypto Officer PED key(s) to the Luna PCIe HSM 7 as directed:

lunacm:> role login -name co

If the partition is not activated:

i. Connect to the Luna HSM Client workstation that hosts the PED. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii. Log in to the selected Luna PCIe HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

iii. Respond to the prompts on the PED to provide the orange (PED vector) PED key(s) and PIN for the Luna PCIe HSM 7 and the black (CO) key(s) and PIN for the CO role on the application partition.

iv. Disconnect the remote PED session. Note that you will remain logged in to the Luna PCIe HSM 7 partition:

lunacm:> ped disconnect

7. Connect the PED to the backup HSM. If defaults are not set using lunacm:> ped set, specify an IP address (and port if required; 1503 is default):

lunacm:> ped connect [-ip <pedserver_host_ip>]

8. List the available backups on the Backup HSM by specifying the Backup HSM's slot number. You will require the backup partition label to perform the restore operation.

lunacm:> partition archive list -slot <backup_HSM_admin_slot>

9. Initiate the restore operation. Respond to the prompts on the PED to insert the required PED keys.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <backup_partition_label> [-smkonly]

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

CAUTION!   The -replace option is deprecated and has been removed in Luna HSM Client 10.7.0 and newer. If you wish to restore an earlier version of an object, Thales recommends deleting the object(s) manually before restoring the partition from backup.

Ensure that the target partition can receive objects from the backup HSM before deleting objects or using partition archive restore with the -replace option; the cloning protocol may prevent objects from being restored, even if LunaCM states that X objects will be restored. This may occur if HSM policy 55: Enable Restricted Restore was enabled on the Luna Backup HSM 7 since the original backup was taken. If your partition is on an HSM with firmware older than Luna HSM Firmware 7.7.0, you must update to 7.7.0 or newer to restore objects from this backup.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information). By default, the SMK and any cryptographic material on the backup are restored.
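The caution above says to confirm that the target partition can actually receive objects before deleting anything, and the FIPS-compliance section earlier on this page gives the rule that decides it: with HSM policy 55 (Enable Restricted Restore) set to 1 on the Backup HSM, restores succeed only to partitions on Luna HSM Firmware 7.7.0 or newer. The following is an added example (not Thales code, and it does not connect to an HSM) that encodes that rule as a pre-flight check, together with a check of the FIPS banner line that hsm showinfo prints. The firmware version 7.4.0 and the "Label:" lines in the sample hsm showinfo text are constructed; only the FIPS banner wording is taken from this page, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not Thales code): pre-flight checks before a restore, derived from the
# policy 55 description and the firmware notes on this page.

# version_ge <a> <b>: succeeds when dotted version a is >= b (numeric, field by field,
# so 7.10.0 correctly sorts above 7.7.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# restore_allowed <policy55 0|1> <target_partition_firmware>
# Applies the rule on this page: with HSM policy 55 (Enable Restricted Restore) set to 1 on
# the Backup HSM, restores go only to partitions on Luna HSM Firmware 7.7.0 or newer.
# Prints the verdict and returns 0 (allowed) or 1 (blocked), so it can gate any object deletion.
restore_allowed() {
  policy55=$1; target_fw=$2
  if [ "$policy55" = "1" ] && ! version_ge "$target_fw" "7.7.0"; then
    echo "blocked: policy 55 is ON and target firmware $target_fw is older than 7.7.0; update the target HSM before restoring"
    return 1
  fi
  echo "allowed: target firmware $target_fw (policy 55 = $policy55)"
  return 0
}

# hsm_is_fips_mode <showinfo_output>: succeeds when the 'hsm showinfo' text carries the
# FIPS banner shown on this page.
hsm_is_fips_mode() {
  printf '%s\n' "$1" | grep -q 'The HSM is in FIPS 140-2 approved operation mode'
}

# Constructed sample outputs; only the banner line is taken from the page's showinfo excerpt.
SHOWINFO_FIPS="Label: backup-hsm-01
*** The HSM is in FIPS 140-2 approved operation mode. ***"
SHOWINFO_NONFIPS="Label: backup-hsm-02"

# Worked cases: 7.4.0 stands in for any pre-7.7.0 target firmware (sample value).
restore_allowed 1 7.4.0 || true     # blocked: would silently restore nothing, so do not delete objects first
restore_allowed 1 7.7.1             # allowed
restore_allowed 0 7.4.0             # allowed by the Backup HSM, but not a FIPS-compliant configuration
hsm_is_fips_mode "$SHOWINFO_FIPS" && echo "backup-hsm-01 reports FIPS approved operation mode"
hsm_is_fips_mode "$SHOWINFO_NONFIPS" || echo "backup-hsm-02 does not report FIPS approved operation mode"
```

Run restore_allowed with the Backup HSM's actual policy 55 value and the target HSM's firmware version before issuing partition archive restore; when it reports "blocked", the remedy is the one stated above, updating the target HSM to 7.7.0 or newer, not clearing policy 55.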

Initializing the Luna Backup HSM 7 for Password Authentication

You must initialize the backup HSM prior to first use. The procedure below includes the following tasks:

>Recover the HSM from Secure Transport Mode.

>Initialize the HSM to set the authentication mode (password), the HSM domain, and the initial password for the HSM SO role.

>Set the authentication method for the HSM to password authentication, which must match the application partitions being backed up.

To initialize a Luna Backup HSM 7 for password authentication

1. Configure your Luna HSM Client workstation as follows:

a. Install the required client software on the Luna HSM Client workstation. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Launch LunaCM on the workstation that hosts the user and backup partition slots.

3. Select the slot assigned to the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

4. Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover

NOTE   Recovering a Luna Backup HSM 7 from secure transport mode may take up to three minutes.

5. Initialize the selected backup HSM in password-authenticated mode. You are prompted for the new HSM SO password and the HSM domain string (existing or new):

lunacm:> hsm init -ipwd -label <label>

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Password-Authenticated Partition

To perform a backup, you connect the backup HSM to the Luna HSM Client workstation that hosts the Luna PCIe HSM 7 you want to back up, and perform the following tasks:

1. Log in to the Luna PCIe HSM 7 partition as the Crypto Officer (CO).

2. Perform the backup operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain passwords for the backup HSM/partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

Before beginning, ensure that you have satisfied the following prerequisites:

>You have the required credentials as listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the Luna PCIe HSM 7.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning is set to 1 (ON) on the application partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the application partition.

To back up a password-authenticated partition

1. Configure your Luna HSM Client workstation as follows:

a. Install the required client software on the Luna HSM Client workstation and start LunaCM. See Client Software Required to Perform Backup and Restore Operations for more information.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2.Identify the slots assigned to:

The Luna PCIe HSM 7 partition slot (to be backed up).

The Luna Backup HSM 7 admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

3.Select the Luna PCIe HSM 7 partition:

lunacm:> slot set -slot <slot_id>

4.Log in to the Luna PCIe HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

5.Initiate backup of the Luna PCIe HSM 7 partition to the backup partition:

lunacm:> partition archive backup -slot <backup_hsm_admin_partition_slot_id> [-partition <target_backup_partition_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append Add only new objects to the existing backup.

-replace Delete the existing objects in the target backup partition and replace them with the contents of the source user partition. This is the default.

-append -replace Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

NOTE   If the backup operation is interrupted (if the Backup HSM is unplugged, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunacm:> partition archive delete before reattempting the backup operation.
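The three option combinations above decide what ends up in an existing backup partition, and the difference matters when you later restore: under -append alone, an object that was deleted from the source partition since the last backup stays in the backup, and an object whose attributes changed keeps its old copy. The following model of that merge logic is an added illustration, not Thales code and not LunaCM output; the OUID and fingerprint values are constructed, and the object identifiers are placeholders. It shows, for the same source and existing backup, what each option combination produces and which per-object actions an operator should expect to see.

```python
"""Model of the documented -append / -replace semantics of
'partition archive backup' when the target backup partition already exists.

Added example only: it is not Thales code and does not talk to an HSM. Objects
are keyed by OUID and compared by fingerprint, as the documentation describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HsmObject:
    ouid: str         # object unique identifier, stable across backups
    fingerprint: str  # changes whenever any attribute of the object changes


def merge_backup(source, existing, append=False, replace=False):
    """Return (new backup contents, actions) for one backup run.

    source:   iterable of HsmObject from the partition being backed up
    existing: dict ouid -> HsmObject already in the backup partition
    Option mapping (per the documentation):
      neither flag      -> -replace is the default: target emptied, refilled
      append only       -> add OUIDs absent from the target, touch nothing else
      append + replace  -> add new OUIDs, overwrite same-OUID/different-fingerprint
    The 'actions' list is a per-object audit trail (add/replace/skip/delete).
    """
    if not append and not replace:
        replace = True  # documented default behaviour

    if replace and not append:
        # Plain -replace: the target's previous contents are discarded entirely.
        actions = [("delete", ouid) for ouid in existing]
        actions += [("add", obj.ouid) for obj in source]
        return {obj.ouid: obj for obj in source}, actions

    result = dict(existing)  # do not mutate the caller's view of the backup
    actions = []
    for obj in source:
        current = result.get(obj.ouid)
        if current is None:
            result[obj.ouid] = obj
            actions.append(("add", obj.ouid))
        elif replace and current.fingerprint != obj.fingerprint:
            # -append -replace: same OUID, attributes changed since last backup
            result[obj.ouid] = obj
            actions.append(("replace", obj.ouid))
        else:
            # unchanged object, or -append alone never overwrites
            actions.append(("skip", obj.ouid))
    # Note: objects present in the backup but gone from the source are kept
    # (no 'delete' action) whenever -append is used.
    return result, actions


def sample_existing():
    """Constructed contents of a previous backup (placeholder OUIDs)."""
    return {
        "OUID-A": HsmObject("OUID-A", "fp-a1"),
        "OUID-B": HsmObject("OUID-B", "fp-b1"),
        "OUID-C": HsmObject("OUID-C", "fp-c1"),  # since deleted from source
    }


def sample_source():
    """Constructed current source partition: B changed, C deleted, D new."""
    return [
        HsmObject("OUID-A", "fp-a1"),
        HsmObject("OUID-B", "fp-b2"),
        HsmObject("OUID-D", "fp-d1"),
    ]


if __name__ == "__main__":
    for label, flags in (("-append", dict(append=True)),
                         ("-append -replace", dict(append=True, replace=True)),
                         ("-replace (default)", dict())):
        contents, actions = merge_backup(sample_source(), sample_existing(), **flags)
        print(f"{label}: {sorted(contents)}")
        for action in actions:
            print("   ", *action)
```

Running the block prints, for each option combination, the resulting OUID set and the per-object actions; the -append run is the one that retains OUID-C and the stale copy of OUID-B, which is the case the documentation's fingerprint remark is warning about.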

6.You are prompted for the following (you can also enter these options on the command line, although doing so exposes the strings, whereas using the prompts obscures the strings):

The domain string for the backup partition. The domain must match the domain configured on the Luna PCIe HSM 7 partition.

The backup partition password. You will create a new password on the initial backup, and use the password for subsequent backups to the backup partition.

The backup HSM SO password. This is required to create or access the backup partition in the Admin slot.

Restoring to a Password-Authenticated Partition

To restore the objects from a backup, you connect the backup HSM to the Luna HSM Client workstation that hosts the Luna PCIe HSM 7 partition you want to restore from backup and perform the following tasks.

1.Log in to the user partition you want to restore to as the Crypto Officer (CO).

2. Perform the restore operation. You are prompted for the HSM SO, partition SO (PO), crypto officer (CO), and domain passwords for the backup partition. The backup partition and the partition you want to restore to must be members of the same domain.

Prerequisites

>You have the credentials listed in the summary above.

>The following policies are set (see HSM Capabilities and Policies and Partition Capabilities and Policies for more information):

HSM policy 16: Enable network replication must be set to 1 (ON) on the Luna PCIe HSM 7.

[Pre-7.7.0 and V0 partitions only] Partition policy 0: Allow private key cloning must be set to 1 (ON) on the Luna PCIe HSM 7 partition.

[Pre-7.7.0 and V0 partitions only] Partition policy 4: Allow secret key cloning must be set to 1 (ON) on the Luna PCIe HSM 7 partition.

To restore a password-authenticated partition

1.Configure your Luna HSM Client workstation as illustrated below:

a.Install the required client software on the Luna HSM Client workstation and start LunaCM. See Client Software Required to Perform Backup and Restore Operations for more information.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Identify the slots assigned to:

The Luna PCIe HSM 7 partition slot (to be restored).

The Luna Backup HSM 7 admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

3.Select the Luna PCIe HSM 7 partition you want to restore to:

lunacm:> slot set -slot <slot_id>

4.Log in to the partition as Crypto Officer (CO):

lunacm:> role login -name co

5.List the available backups on the Backup HSM by specifying the Backup HSM's slot number. You will require the backup partition label to perform the restore operation.

lunacm:> partition archive list -slot <backup_HSM_slot>

6.Initiate the restore operation. Respond to the prompts to provide the required passwords, as detailed in the summary above.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <backup_partition_label> [-smkonly]

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

CAUTION!   The -replace option is deprecated and has been removed in Luna HSM Client 10.7.0 and newer. If you wish to restore an earlier version of an object, Thales recommends deleting the object(s) manually before restoring the partition from backup.

Ensure that the target partition can receive objects from the backup HSM before deleting objects or using partition archive restore with the -replace option; the cloning protocol may prevent objects from being restored, even if LunaCM states that X objects will be restored. This may occur if HSM policy 55: Enable Restricted Restore was enabled on the Luna Backup HSM 7 since the original backup was taken. If your partition is on an HSM with firmware older than Luna HSM Firmware 7.7.0, you must update to 7.7.0 or newer to restore objects from this backup.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information). By default, the SMK and any encrypted cryptographic material on the backup are restored.