partition smkclone

Clone the Scalable Key Storage Masking Key (SMK) from the current slot to the target slot.

Always back up any SMK that you have created (using partition archive backup to an SKS Backup HSM) before performing any action that would overwrite that SMK, such as partition smkClone, or partition archive restore from an SKS partition on an SKS Backup HSM. Failure to do so risks permanently losing any objects that are encrypted with that original SMK.

CAUTION!   This command overwrites the SMK in the target partition with the SMK from the source. If you have exported any objects using a particular SMK, that SMK must be backed up to a Backup HSM before you overwrite it with smkclone, or those exported objects become unusable and can never be recovered.

An SMK secret that is cloned from a source V1 HSM partition to a target V1 partition overwrites any pre-existing V1 SMK on the target partition. SMK secrets cloned from V0 partitions do not overwrite V1 SMK secrets, but are stored separately.

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.

The following table shows possible migration paths for existing SMKs. The leftmost column lists the possible sources, the heading row across the top lists the possible destinations, and each intersecting cell gives the result for that source-to-destination scenario.

| Source \ Destination | FW6 SKS appliance | FW6 SKS G5 Backup (6.25) | FW7.7 eIDAS G5 Backup (6.28) | FW<7.7 HSM | FW>=7.7 FM HSM | FW>=7.7 Non-FM HSM |
|---|---|---|---|---|---|---|
| FW6 SKS appliance | FW6 SMKs | FW6 SMKs | FW6 SMKs | No SMK support on target | Target has FM cert only | FW6 SMKs |
| FW6 SKS G5 Backup (6.25) | FW6 SMKs | FW6 SMKs | FW6 SMKs | No SMK support on target | Target has FM cert only | FW6 SMKs |
| FW7.7 eIDAS G5 Backup (6.28) | FW6 SMKs | FW6 SMKs | All SMKs (cloning protocol used by V1 partitions) | No SMK support on source/target | All SMKs (cloning protocol used by V1 partitions) | All SMKs (cloning protocol used by V1 partitions) |
| FW<7.7 HSM | No SMK support on source | No SMK support on source | No SMK support on source | No SMK support on target | No SMK support on source | No SMK support on source |
| FW7.7 FM HSM | Source has FM cert only | Source has FM cert only | All SMKs (cloning protocol used by V1 partitions) | No SMK support on target | All SMKs (cloning protocol used by V1 partitions) | All SMKs (FW7.7-Primary -> FW7.7-FM, FW7.7-Rollover dropped) (V1 partition) |
| FW7.7 Non-FM SKS HSM | Required cloning protocol not on target | Required cloning protocol not on target | All SMKs (cloning protocol used by V1 partitions) | No SMK support on target | Blocked by V1 cloning protocol | All SMKs (cloning protocol used by V1 partitions) |

(FW>=7.7 means Luna HSM Firmware 7.7.0 or newer.)

NOTE   If a remote partition is involved (Network HSM) on either side of the SMK cloning operation, the HSM that contains the remote partition must have Network Replication enabled. See HSM Capabilities and Policies "Policy 16 - Allow network replication".

Syntax

partition smkClone -slot <slot number> [-force] -password <password>

| Argument | Shortcut | Description |
|---|---|---|
| -force | -f | Force the action without prompting for confirmation (useful when scripting commands). |
| -password <password> | -p | Password of the target slot. |
| -slot <number> | -sl | Target slot to which the source SMK is to be cloned (overwriting any SMK that might already be in the target slot). |

Example

lunacm:> partition smkclone -slot 4 -password $ome-Pa55word
Logging in to target slot 4

Cloning the SMK.

The SMK was cloned successfully.
Command Result : No Error