Luna Backup HSM 7 Using Password Authentication

In this configuration, you connect the Luna Backup HSM 7 to a USB port on the Luna HSM Client, and enter passwords in LunaCM. This configuration allows you to perform backup/restore operations for all application partitions that can be accessed by the client. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain. To use this method, you require:

>Luna Backup HSM 7 v1 or v2

>Luna HSM Client 10.1.0 or newer

This section provides instructions for the following procedures:

>Initializing the Luna Backup HSM 7 for Password Authentication

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Backing Up a Password-Authenticated Partition

>Restoring to a Password-Authenticated Partition

Initializing the Luna Backup HSM 7 for Password Authentication

You must initialize the Luna Backup HSM 7 prior to first use. You can initialize the backup HSM by connecting it to a Luna HSM Client and using LunaCM commands to perform the initialization.

To initialize a Luna Backup HSM 7 for password authentication

1. Configure your Luna HSM Client workstation as illustrated below:

a. Install the required client software on the Luna HSM Client workstation. See Client Software Required to Perform Backup and Restore Operations for details.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Launch LunaCM on the workstation that hosts the user and backup partition slots.

3. Select the slot assigned to the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

4. If necessary, recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover

NOTE   Recovering a Luna Backup HSM 7 from secure transport mode may take up to three minutes.

5. Initialize the selected backup HSM in password-authenticated mode.

lunacm:> hsm init -ipwd -label <label>

You are prompted for the new HSM SO password and the HSM domain string (existing or new):

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1. On the Luna HSM Client computer, run LunaCM.

2. Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3. Log in as Backup HSM SO.

lunacm:> role login -name so

4. Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5. [Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Backing Up a Password-Authenticated Partition

Backups are created and stored as partitions within the Admin partition on the Luna Backup HSM 7. A new backup partition is created on initial backup. For subsequent backups, you can choose to replace the contents of the existing backup partition with the current source partition objects, or add new objects in the source partition to the existing backup partition. Like all cloning operations, the source and target backup partitions must be initialized with the same domain.

Prerequisites

Before you begin, ensure that you have satisfied the following prerequisites:

>You have the required credentials:

If you are creating a new backup:

The Crypto Officer password and domain string for the source partition

The HSM SO password for the backup HSM

If you are adding to an existing backup initialized with the same domain string as the source partition:

The Crypto Officer password for the source partition

The Crypto Officer password for the existing backup

The HSM SO password for the backup HSM

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

To back up a password-authenticated partition

1. Configure your Luna HSM Client workstation as illustrated below:

a. If you have not already done so, install the required client software on the Luna HSM Client workstation and start LunaCM. See Client Software Required to Perform Backup and Restore Operations for more information.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Launch LunaCM on the workstation that hosts the user and backup partition slots.

3. Identify the slots assigned to:

The Luna PCIe HSM 7 partition slot (to be backed up).

The Luna Backup HSM 7 admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

4. Select the Luna PCIe HSM 7 partition:

lunacm:> slot set -slot <slot_id>

5. Log in to the Luna PCIe HSM 7 partition as the Crypto Officer (CO):

lunacm:> role login -name co

6. Initiate backup of the Luna PCIe HSM 7 partition to the backup partition:

lunacm:> partition archive backup -slot <backup_hsm_admin_partition_slot_id> [-partition <target_backup_partition_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the backup is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process. Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-replace   Delete the target backup partition and replace it with a new backup with the same label, with the contents of the source partition. This is the default.

-append   Add only new objects to the existing backup.

-append -replace   Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

NOTE   If the backup operation is interrupted (if the Backup HSM is unplugged, for example), the Backup HSM's full available space can become occupied with a single backup partition. If this occurs, delete the backup partition with lunacm:> partition archive delete before reattempting the backup operation.

7. You are prompted for the following (you can also enter these options on the command line, although doing so exposes the strings, whereas using the prompts obscures the strings):

a. The backup partition password. You will create a new password on the initial backup, and use the password for subsequent backups to the backup partition.

b. [If creating a new backup] The domain string for the backup partition. The domain must match the domain configured on the source partition.

c. The backup HSM SO password. This is required to create or access the backup partition in the Admin slot.
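
The -replace, -append and -append -replace options in step 6 leave the backup partition in different states. The following is an added example (not Thales code) that models each mode on constructed objects keyed by OUID. It assumes that objects deleted from the source stay in the backup under the append modes, which the option descriptions imply but do not state.

```python
# Added illustration: a model of the backup options, not Thales code.
# Objects are modelled as {OUID: fingerprint}; every value here is constructed.

def apply_backup(source, backup, append=False, replace=False):
    """Return the backup partition contents after one backup run."""
    if not append:
        # -replace (the default): the target backup partition is deleted and
        # recreated with the contents of the source partition.
        return dict(source)
    result = dict(backup)  # assumption: append modes never remove objects
    for ouid, fingerprint in source.items():
        if ouid not in result:
            result[ouid] = fingerprint      # new object: added in both append modes
        elif replace and result[ouid] != fingerprint:
            result[ouid] = fingerprint      # -append -replace: same OUID, new fingerprint
    return result

def stale_objects(source, backup):
    """OUIDs whose backup copy differs from, or no longer exists in, the source."""
    return sorted(ouid for ouid, fp in backup.items() if source.get(ouid) != fp)

# Constructed scenario: since the previous backup, B had an attribute changed,
# C was deleted from the source partition and D was created.
PREVIOUS_BACKUP = {"A": "fp1", "B": "fp1", "C": "fp1"}
SOURCE_NOW = {"A": "fp1", "B": "fp2", "D": "fp1"}

if __name__ == "__main__":
    modes = {
        "-replace": {},
        "-append": {"append": True},
        "-append -replace": {"append": True, "replace": True},
    }
    for label, flags in modes.items():
        after = apply_backup(SOURCE_NOW, PREVIOUS_BACKUP, **flags)
        print(f"{label:18} backup={sorted(after)} stale={stale_objects(SOURCE_NOW, after)}")
```

In this model only the default -replace produces a backup that mirrors the source; -append keeps the old copy of the changed object B, and both append modes retain the deleted object C.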

Restoring to a Password-Authenticated Partition

You can restore the objects from a password-authenticated backup to the same partition that was originally backed up, or to another partition that has been initialized with the same domain string.

Prerequisites

>The backup and the partition you want to restore to must be members of the same domain.

>You need the following credentials:

The Crypto Officer password for the target partition.

The Crypto Officer password for the backup

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 0: Allow private key cloning is set to 1 (ON) on the partition you want to restore to.

[V0 partitions or firmware older than Luna HSM Firmware 7.7.0] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the partition you want to restore to.

To restore a password-authenticated partition

1. Configure your Luna HSM Client workstation as illustrated below:

a. Install the required client software on the Luna HSM Client workstation and start LunaCM. See Client Software Required to Perform Backup and Restore Operations for more information.

NOTE   If you are installing Luna HSM Client on Windows, the driver may not be installed unless the Luna device is connected to the computer first; refer to Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected.

b. Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most Luna HSM Client computers, the USB port provides adequate power, and connecting the provided power supply is not recommended. Wait and confirm that the HSM boots properly. If the HSM fails to boot up:

1. Disconnect the HSM from the USB port.

2. Connect the HSM to power using the provided power supply. Wait for it to boot completely.

3. Reconnect the HSM to the USB port on the client.

If the HSM is connected to the USB port before the power supply, you may encounter an issue where the HSM occasionally loses contact with the client, and must be power cycled.

2. Identify the slots assigned to:

The Luna PCIe HSM 7 partition slot (to be restored).

The Luna Backup HSM 7 admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

3. Select the Luna PCIe HSM 7 partition you want to restore to:

lunacm:> slot set -slot <slot_id>

4. Log in to the partition as Crypto Officer (CO):

lunacm:> role login -name co

5. List the available backups on the Backup HSM by specifying the Backup HSM's slot number. You will require the backup partition label to perform the restore operation.

lunacm:> partition archive list -slot <backup_HSM_slot>

6. Initiate the restore operation. Respond to the prompts to provide the required passwords, as detailed in the summary above.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <backup_partition_label> [-smkonly]

You are prompted for the Crypto Officer password for the backup. The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

CAUTION!   The -replace option is deprecated and has been removed in Luna HSM Client 10.7.0 and newer. If you wish to restore an earlier version of an object, Thales recommends deleting the object(s) manually before restoring the partition from backup.

Ensure that the target partition can receive objects from the backup HSM before deleting objects or using partition archive restore with the -replace option; the cloning protocol may prevent objects from being restored, even if LunaCM states that X objects will be restored. This may occur if HSM policy 55: Enable Restricted Restore was enabled on the Luna Backup HSM 7 since the original backup was taken. If your partition is on an HSM with firmware older than Luna HSM Firmware 7.7.0, you must update to 7.7.0 or newer to restore objects from this backup.

NOTE   If you are restoring a V1 backup to a V1 partition, include -smkonly to restore the SMK only (see Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information). By default, the SMK and any encrypted cryptographic material on the backup are restored.
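
The caution above asks you to confirm that the target partition can receive objects before deleting anything. The following is an added example (not Thales code) that turns this page's restore prerequisites and the policy 55 restriction into a preflight check. The `Target` field names and the sample values are assumptions; fill them in from your own records of the HSM and partition settings.

```python
# Added illustration: restore preflight built from this page's prerequisites.
# Target and its field names are hypothetical, not part of any Thales tool.
from dataclasses import dataclass

NEW_PROTOCOL_FW = (7, 7, 0)  # Luna HSM Firmware 7.7.0 and newer use the updated cloning protocol

def fw(version):
    """'7.4.2' -> (7, 4, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Target:
    firmware: str           # firmware of the HSM that hosts the target partition
    partition_version: str  # "V0" or "V1"
    hsm_policy_16: int      # Allow network replication
    part_policy_0: int      # Allow private key cloning
    part_policy_4: int      # Allow secret key cloning

def restore_blockers(target, backup_policy_55):
    """Return the reasons not to start a restore yet; an empty list means proceed."""
    blockers = []
    old_fw = fw(target.firmware) < NEW_PROTOCOL_FW
    if target.hsm_policy_16 != 1:
        blockers.append("HSM policy 16 must be 1 on the HSM that hosts the partition")
    if old_fw or target.partition_version == "V0":
        # Cloning policies are listed only for V0 partitions or pre-7.7.0 firmware.
        if target.part_policy_0 != 1:
            blockers.append("partition policy 0 must be 1 on the target partition")
        if target.part_policy_4 != 1:
            blockers.append("partition policy 4 must be 1 on the target partition")
    if backup_policy_55 == 1 and old_fw:
        # Restricted Restore: the Backup HSM only restores to 7.7.0 or newer.
        blockers.append("policy 55 is on: update the target HSM to 7.7.0 or newer first")
    return blockers

if __name__ == "__main__":
    # Constructed sample: pre-7.7.0 target while the Backup HSM has policy 55 enabled.
    sample = Target("7.3.3", "V0", hsm_policy_16=1, part_policy_0=1, part_policy_4=1)
    for reason in restore_blockers(sample, backup_policy_55=1) or ["no blockers found"]:
        print(reason)
```

Run the check before removing any objects from the target partition, since a restore blocked by the cloning protocol cannot bring them back.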