SKS Backup and Restore
As described, the partition permanently stores the SKS Master Key (SMK), which is created when the partition is created. The application partition is intended:
>to create encryption keys as session objects
>to encrypt those keys with the SMK, for SKS extraction from the HSM
>to extract those encrypted keys, as encrypted SKS blobs, for storage by your application, external to the cryptographic module
>to temporarily SKS insert (decrypt) blobs to make individual keys available for crypto operations within the partition
>to use the decrypted key
•to sign or seal documents and other digital objects, using the inserted key as a personal or organization identity, or
•to encrypt data (records) for your external database, archive, cloud, or other repository, or
•to decrypt and modify such records before re-encrypting them to go back into your repository.
Therefore, it is not intended that objects other than the SMK be stored in the SKS partitions; however, you can do so if you wish, up to the limits of the partition capacity.
Using Luna HSM Firmware 7.7.0 and newer, SMKs are replicated (for HA) or are backed up and restored using cloning. All other objects are treated as SKS objects and are encrypted/decrypted by the SMK for extraction and [re-]insertion as needed.
Constraints on SKS Backup and Restore
SKS Backup and Restore are intended to redundantly safeguard the SMK only. The following conditions and constraints apply:
>The SMK is not visible as a partition object, and does not appear in list output.
>Backing up and restoring the SMK uses the same commands as backing up and restoring ordinary cryptographic objects.
>SKS Backup and Restore require a Backup HSM with Luna Backup HSM G5 Firmware 6.28.0 or Luna Backup HSM 7 Firmware 7.7.1 (or newer).
>SKS Backup and Restore is supported only when the currently selected slot is an SKS partition (V1).
>Individual SKS blobs are limited to 64KB in size. Large groups of keys, or larger data objects might need to be split across multiple blobs for extraction or insertion.
>The partition archive backup and partition archive restore commands test the currently selected slot to ensure it is an SKS-capable (V1) partition.
>If the current slot is an SKS partition, then the partition archive commands perform backup or restore of the SMK, and ignore any other objects.
TIP The assumption is that since any extracted SKS blobs are solidly encrypted and remain within the assurance boundary, they can be safely stored in any repository. There is no need to store such blobs in another crypto-capable HSM partition, nor in a Backup HSM partition (though you could do the latter by storing as data objects, if desired) - they can be decrypted and used only by SKS insertion into an HSM partition that contains the relevant SMK.
If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.
Backup the SKS Master Key (SMK)
The SMK backup operation creates a new partition on the backup HSM, using a partition name that is automatically created at the time of the backup operation. The system ensures that the archive partition name does not already exist on the Backup HSM by creating the target partition with a unique name that combines
•the serial number of the source partition (from your Network HSM)
with
•a time stamp.
To back up the SMK, do the following:
1.Have a Backup HSM connected to the client workstation from which you are running the command, or have a Backup HSM connected through a Remote Backup Server (see Configuring a Remote Backup Server). The Backup HSM must be visible as a slot.
2.Launch the lunacm utility.
3.Use slot list to determine the slot numbers of the SKS partition and of the Backup HSM.
4.Set the SKS partition as the current slot.
    lunacm:> slot set -slot 4
    Command Result : No Error
5.Log into the current slot as Crypto Officer.
    lunacm:> role login -name Crypto Officer
    Please attend to the PED.
    Command Result : No Error
6.Use partition archive backup to backup the SMK from the current slot to the indicated Backup HSM.
NOTE Do not name the target partition to be created on the Backup HSM, because SKS backup creates the name from the serial number of the source partition, combined with a time-stamp.
    lunacm:>partition archive backup -slot 5
    You are backing up a SKS partition.
    Only the SKS master key (SMK) will be backed up. No other objects will be cloned.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now ->proceed
    Logging in as the SO on slot 5.
    Please attend to the PED.
    Creating partition 358628973182_2017:03:09-16:52:47 on slot 5.
    Please attend to the PED.
    Logging into the container 358628973182_2017:03:09-16:52:47 on slot 5 as the user.
    Please attend to the PED.
    Creating Domain for the partition 358628973182_2017:03:09-16:52:47 on slot 5.
    Please attend to the PED.
    The SMK was cloned successfully.
    Command Result : No Error
7.You can test the success by
a.creating and initializing a V1 test partition on any HSM with Luna HSM Firmware 7.7.0 or newer,
b. restoring the backed-up SMK onto that test partition, and
c.successfully importing an SKS blob (that was previously extracted using the specific SMK) into that partition.
Restore an SKS Master Key (SMK)
To restore the SMK from backup, follow these steps.
CAUTION! When you restore an SMK from a Backup HSM, that restored SMK overwrites (destroys) any SMK that was already present on the partition. If the current SMK has been used to encrypt any important keys, ensure that you have backed it up safely before restoring a different SMK over it.
Also be sure to record the particulars of that backup, including the backup partition name and some notes to identify which keys have been encrypted by the SMK archived in that partition, for future reference.
1.Have a Backup HSM connected to the client workstation from which you are running the command, or have a Backup HSM connected through a Remote Backup Server (see Configuring a Remote Backup Server). The Backup HSM must be visible as a slot.
2.Launch the lunacm utility.
3.Use slot list to determine the slot numbers of the SKS partition and of the Backup HSM.
4.Set the SKS partition as the current slot.
    lunacm:> slot set -slot 4
    Command Result : No Error
5.Log into the current slot as Crypto Officer.
    lunacm:> role login -name Crypto Officer
    Please attend to the PED.
    Command Result : No Error
6.Use partition archive restore to restore the SMK to the current slot from the indicated Backup HSM, naming the partition on the Backup HSM that contains the desired SMK.
    lunacm:>partition archive restore -slot 5 -partition 358628973182_2017:03:09-16:52:47
    You are restoring a SKS partition.
    Only the SKS master key (SMK) will be restored. No other objects will be cloned.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now ->proceed
    Logging in to partition 358628973182_2017:03:09-16:52:47 on slot 5 as the user.
    Please attend to the PED.
    The SMK was cloned successfuly.
    Command Result : No Error
7.You could test the success by restoring the SMK to a test partition, and successfully importing an SKS object that was previously exported, encrypted with that SMK.
Backup objects
In most cases, only the SMK needs preserving, and any crypto objects on the SKS partition are just passing through (as temporary session objects), so there is no provision to backup crypto objects from an SKS partition. It is possible to store SKS blobs, but only as data objects, not as crypto objects. Therefore, to use them in any way, they must be inserted back into a V1 partition that has the correct SMK in either the Primary SMK location or the Rollover SMK location.
The Backup HSM can support a mix of
>SKS-only archive partitions that each can contain a single SMK, and
>ordinary cloning-backup partitions that each can contain multiple cryptographic objects for traditional cloning-based (non-SKS) HSM backup and restore operations.
In other words,
>you can use an SKS client to backup crypto objects
•from a non-SKS partition
•into a non-SKS archive partition on the Backup HSM
> you can restore crypto objects
•from a non-SKS archive partition on the Backup HSM
•to a regular cloning-based (non-SKS) HSM partition.
>you cannot restore ordinary objects onto an SKS partition; they must be SKS inserted (siminsert API call).
Troubleshooting SKS Backup and Restore
The following are some examples that highlight incorrect usage, along with the communication from the system.
Not logged into partition at current slot
Here is an example of the output if you attempt to use the partition archive command without logging in as "Crypto Officer" on the SKS partition slot, which must be the current slot.
NOTE "-slot 5" in the example points to the Backup HSM slot, not the current SKS partition slot.
    lunacm:>partition archive backup -slot 5
    You are backing up a SKS partition.
    Only the SKS master key (SMK) will be backed up. No other objects will be cloned.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now ->proceed
    Error: Failed to open session.
    Command Result : 0xb0 (CKR_SESSION_CLOSED)
An incorrect option is specified for backup
In this example, the command fails because the "-partition" option is not applicable for SKS backup:
    lunacm:>partition archive backup -slot 5 -partition test
    You are backing up a SKS partition.
    Only the SKS master key (SMK) will be backed up. No other objects will be cloned.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now ->proceed
    Syntax Error: Option -partition cannot be used for SKS operation.
    Command Result : No Error
Archive contains crypto objects
If the backup partition to be restored contains crypto objects and SKS backup is being performed, restore of the SMK proceeds with a warning.
    lunacm:> par ar r -s 5 -par pre-7-7
    You are restoring an SKS partition.
    Only the SKS master key (SMK) will be restored.
    CAUTION: The existing SMK will be overwritten.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now -> proceed
    Logging in to partition mypar on slot 5 as the user.
    Please attend to the PED.
    WARNING: Crypto object(s) detected in the backup device container.
    Dedicated backup container for SKS Master key is recommended.
    The SMK was cloned successfully.
    Command Result : No Error
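The troubleshooting cases above show that "Command Result : No Error" can accompany a failed SKS backup (the -partition syntax error). As an added example, not part of the vendor documentation, this Python check classifies captured lunacm transcripts and extracts the archive partition name for the backup record; the function name and the abridged sample transcripts are constructed for illustration.

```python
import re
from datetime import datetime

# Archive names are <source partition serial>_<YYYY:MM:DD-hh:mm:ss>, as on this page.
ARCHIVE = re.compile(r"\b(\d+)_(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d)\b")
RESULT = re.compile(r"Command Result\s*:\s*(No Error|0x[0-9a-fA-F]+\s*\((\w+)\))")
# The page's transcripts spell this line both "successfully" and "successfuly".
CLONED = re.compile(r"The SMK was cloned successful+y")
PROBLEM = re.compile(r"^\s*((?:Syntax Error|Error|WARNING):.*)$", re.MULTILINE)


def check_transcript(text):
    """Classify one captured 'partition archive backup/restore' session."""
    result = RESULT.search(text)
    problems = [p.strip() for p in PROBLEM.findall(text)]
    report = {
        "result": (result.group(2) or result.group(1)) if result else None,
        "smk_cloned": bool(CLONED.search(text)),
        "problems": problems,
        "archive": None,
    }
    name = ARCHIVE.search(text)
    if name:  # particulars worth recording alongside the backup
        report["archive"] = {
            "partition": name.group(0),
            "source_serial": name.group(1),
            "created": datetime.strptime(name.group(2), "%Y:%m:%d-%H:%M:%S"),
        }
    # "No Error" alone is not proof: the syntax-error case also reports it.
    hard = [p for p in problems if not p.startswith("WARNING")]
    report["ok"] = report["smk_cloned"] and report["result"] == "No Error" and not hard
    return report


# Constructed sample input, abridged from the transcripts shown on this page.
BACKUP_OK = """lunacm:>partition archive backup -slot 5
Creating partition 358628973182_2017:03:09-16:52:47 on slot 5.
The SMK was cloned successfully.
Command Result : No Error"""
BAD_OPTION = """lunacm:>partition archive backup -slot 5 -partition test
Syntax Error: Option -partition cannot be used for SKS operation.
Command Result : No Error"""
NOT_LOGGED_IN = """lunacm:>partition archive backup -slot 5
Error: Failed to open session.
Command Result : 0xb0 (CKR_SESSION_CLOSED)"""
RESTORE_WARN = """lunacm:> par ar r -s 5 -par pre-7-7
WARNING: Crypto object(s) detected in the backup device container.
The SMK was cloned successfully.
Command Result : No Error"""
```

A restore that succeeds with the crypto-object warning is reported as ok, with the warning kept in the problems list for follow-up.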