partition smkclone
Clone the Scalable Key Storage Masking Key (SMK) from the current slot to the target slot.
Always back up any SMK that you have created (with partition archive backup to an SKS Backup HSM), before performing an action that would overwrite that SMK, like partition smkClone or like partition archive restore from an SKS partition on an SKS Backup HSM. Failure to do so risks permanently losing any objects that are encrypted with that original SMK.
CAUTION! This command overwrites the SMK in the target partition with the SMK from the source. If you have exported any objects using a particular SMK, that SMK must be backed up to a Backup HSM before you overwrite it with smkclone, or those exported objects become unusable and can never be recovered.
An SMK secret that is cloned from a source V1 HSM partition to a target V1 partition overwrites any pre-existing V1 SMK on the target partition. SMK secrets cloned from V0 partitions do not overwrite V1 SMK secrets, but are stored separately.
If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.
The following table shows possible migration paths for existing SMKs -- the leftmost column is possible sources, while the heading row across the top lists possible destinations, and the intersecting table cells are the possible result for each source-to-destination scenario.
|
|
|
|
|
|
|
||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
FW6 SKS appliance | FW6 SMKs | FW6 SMKs | FW6 SMKs | No SMK support on target | Target has FM cert only | FW6 SMKs | ||||||||||||||
FW6 SKS G5 Backup (6.25) | FW6 SMKs | FW6 SMKs | FW6 SMKs | No SMK support on target | Target has FM cert only | FW6 SMKs | ||||||||||||||
FW7.7 eIDAS G5 Backup (6.28) | FW6 SMKs | FW6 SMKs | All SMKs (cloning protocol used by V1 partitions) | No SMK support on source/target | All SMKs (cloning protocol used by V1 partitions) | All SMKs (cloning protocol used by V1 partitions) | ||||||||||||||
FW<7.7 HSM | No SMK support on source | No SMK support on source | No SMK support on source | No SMK support on target | No SMK support on source | No SMK support on source | ||||||||||||||
FW7.7 FM HSM | Source has FM cert only | Source has FM cert only | All SMKs (cloning protocol used by V1 partitions) | No SMK support on target | All SMKs (cloning protocol used by V1 partitions) | All SMKs (FW7.7-Primary -> FW7.7-FM, FW7.7-Rollover dropped) (V1 partition) | ||||||||||||||
FW7.7 Non-FM SKS HSM | Required cloning protocol not on target | Required cloning protocol not on target | All SMKs (cloning protocol used by V1 partitions) | No SMK support on target | Blocked by V1 cloning protocol | All SMKs (cloning protocol used by V1 partitions) |
( FW>=7.7 means Luna HSM Firmware 7.7.0 or newer)
NOTE If a remote partition is involved (Network HSM) on either side of the SMK cloning operation, the HSM that contains the remote partition must have Network Replication enabled. See HSM Capabilities and Policies "Policy 16 - Allow network replication".
Syntax
partition smkClone -slot <slot number> [-force] -password <password>
Argument | Shortcut | Description |
---|---|---|
-force | -f | Force the action without prompting for confirmation (useful when scripting commands). |
-password <password> | -p | Password of the target slot. |
-slot <number> | -sl | Target slot to which the source SMK is to be cloned (overwriting any SMK that might already be in the target slot). |
Example
lunacm:> partition smkclone -slot 4 -password $ome-Pa55word Logging in to target slot 4 Cloning the SMK. The SMK was cloned successfully. Command Result : No Error