Backup/Restore Using Luna Backup HSM G5

You can connect the Luna Backup HSM G5 to a USB port on the client workstation. This configuration allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. It is useful in deployments where the partition Crypto Officer wants to keep backups at the client. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

This section provides instructions for the following procedures using this kind of deployment:

>Initializing the Luna Backup HSM G5

>Backing Up an Application Partition

>Restoring an Application Partition from Backup

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

NOTE   The size of the partition header is different for a Luna USB HSM 7 partition and its equivalent backup partition stored on a Luna Backup HSM G5. As a result, the value displayed in the Used column in the output of the partition list command (for the backed-up Luna USB HSM 7 partition) is different than the value displayed in the Used column in the output of the token backup partition list command (for the backup partition on the Backup HSM).

Initializing the Luna Backup HSM G5

Before you can use the Luna Backup HSM G5 to back up your partition objects, it must be initialized. This procedure is analogous to the standard HSM initialization procedure.

Prerequisites

>Install the Luna Backup HSM G5 at the client and connect it to power (see Installing the Luna Backup HSM G5).

>Ensure that the Backup HSM is not in Secure Transport Mode and that any tamper events are cleared (see Recovering From a Tamper Event or Secure Transport Mode).

>[Multifactor Quorum Authentication] Ensure that you have enough blank or rewritable blue and red iKeys available for your desired authentication scheme.

[Local PED] Connect the Luna PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode.

[Remote PED] Initialize the Backup HSM RPV (see Initializing the Luna Backup HSM G5 Remote PED Vector). You require the orange iKey.

[Remote PED] Set up a Remote PED server to authenticate the Luna Backup HSM G5.

To initialize a client-connected Luna Backup HSM G5

1.Launch LunaCM on the client workstation.

2.Set the active slot to the Luna Backup HSM G5.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Luna Backup HSM G5 to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Initialize the Luna Backup HSM G5, specifying a label and the method of authentication (-initwithped or -initwithpwd). You must initialize the HSM with the same authentication method as the partition(s) you plan to back up.

lunacm:> hsm init -label <label> {-initwithped |-initwithpwd}

You are prompted to set an HSM SO credential and cloning domain for the Backup HSM.

NOTE    After initializing a client-connected Luna Backup HSM G5 to use PED authentication, the HSM erroneously requests a password to log in with any role. This issue occurs when Luna HSM Client 10.3.0 or newer is used with HSM firmware 6.10.9 or older.

Workaround: Press ENTER to bypass the password prompt, and present the iKey as usual. Alternatively, use an older client or upgrade to Luna Backup HSM G5 Firmware 6.24.7 or newer to avoid this.

Backing Up an Application Partition

You can use LunaCM to back up the contents of an application partition to the client-connected Luna Backup HSM G5. You can use this operation to create a backup on the Backup HSM, or add objects from the source partition to an existing backup.

Prerequisites

>The Luna Backup HSM G5 must be initialized (see Initializing the Luna Backup HSM G5).

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition.

[V0 partitions] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition.

[V0 partitions ] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition.

>You must have the Crypto Officer credential (black iKey) and domain (red iKey) for the source partition.

>You must have the Backup HSM SO credential (blue iKey).

>[Multifactor Quorum Authentication] This procedure is simpler if the source partition is activated (see Activation on Multifactor Quorum-Authenticated Partitions), since you require a Luna PED only for the Backup HSM.

[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable.

[Remote PED] You must have the orange iKey for the Backup HSM (see Initializing the Luna Backup HSM G5 Remote PED Vector). If the source partition is not activated, you may need the orange iKey for the Luna USB HSM 7 as well.

[Remote PED] Set up Remote PED on the workstation you plan to use for multifactor quorum authentication. If the partition is not activated, you must connect to PEDserver with ped connect before logging in, and disconnect with ped disconnect before initiating the backup.

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Backup/Restore and SKS.

To back up an application partition to a client-connected Luna Backup HSM G5

1.Launch LunaCM on the client workstation.

2.Set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3.[Multifactor Quorum Authentication] Connect the Luna Backup HSM G5 to the Luna PED.

[Local PED] Set the mode on the Luna PED to Local PED-SCP.

[Remote PED] Connect the Luna Backup HSM G5 slot to PEDserver.

lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>

4.Back up the partition, specifying the Luna Backup HSM G5 slot and a label for the backup (either a new or existing label). If you specify an existing backup label, include the -append option to add only new objects to the backup (duplicate objects will not be cloned). By default, the existing backup will be overwritten with the current contents of the source partition.

lunacm:> partition archive backup -slot <Backup_HSM_slotnum> [-partition <backup_label>] [-append] [-replace] [-smkonly]

If you omit the -partition option when creating a new backup, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>) based on the source HSM's internally-set time and date.

If you are backing up a V1 partition, include -smkonly to back up the SMK only. By default, the SMK and any encrypted cryptographic material on the partition are backed up.

The backup begins once you have completed the authentication process.

Objects are backed up one at a time. For existing backups, you can use the following options to define how individual objects are backed up:

-append Add only new objects to an existing backup.
-replace Delete the existing objects in a target backup partition and replace them with the contents of the source user partition. This is the default.
-append -replace Add new objects and replace existing objects that have the same OUID but a different fingerprint (such as would occur if any of the object attributes were changed since the previous backup).

You are prompted to present or set the following credentials:

[Remote PED] Backup HSM Remote PED vector (orange iKey)

Backup HSM SO (password or blue iKey)

Crypto Officer (password or black iKey) for the backup (can be the same as the source partition)

Cloning domain (string or red iKey) for the backup (must be the same as the source partition)

The partition contents are cloned to the backup.

5.[Remote PED] Disconnect the Backup HSM from PEDserver.

lunacm:> ped disconnect

Restoring an Application Partition from Backup

You can use LunaCM to restore the contents of a backup to the original application partition, or any other Luna application partition that shares the same cloning domain.

Prerequisites

>The target partition must be initialized with the same cloning domain as the backup partition.

>The following policies are set:

HSM policy 16: Allow network replication must be set to 1 (ON) on the HSM that hosts the user partition you want to restore to.

[V0 partitions ] Partition policy 0: Allow private key cloning is set to 1 (ON) on the user partition you want to restore to.

[V0 partitions ] Partition policy 4: Allow secret key cloning is set to 1 (ON) on the user partition you want to restore to.

>You must have the Crypto Officer credentials for the backup partition and the target partition.

>[Multifactor Quorum Authentication] This procedure is simpler if the application partition is activated (see Activation on Multifactor Quorum-Authenticated Partitions), since you require a Luna PED only for the Backup HSM.

[Local PED] Connect the PED to the Backup HSM using a 9-pin Micro-D to Micro-D cable.

[Remote PED] Set up Remote PED on the workstation you plan to use for multifactor quorum authentication. If the partition is not activated, you must connect to PEDserver with ped connect before logging in, and disconnect with ped disconnect before initiating the backup.

To restore the contents of a backup to an application partition

1.Launch LunaCM on the client workstation.

2.Set the active slot to the target partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

3.[PED Authentication] Connect the Luna Backup HSM G5 to the Luna PED.

[Local PED] Set the mode on the Luna PED to Local PED-SCP.

[Remote PED] Connect the Luna Backup HSM G5 slot to PEDserver.

lunacm:> ped connect -slot <Backup_HSM_slotnum> -ip <PEDserver_IP> -port <portnum>

4.[Optional] Display the available backups by specifying the Luna Backup HSM G5 slot. Each available backup also appears as a slot in LunaCM.

lunacm:> partition archive list -slot <Backup_HSM_slotnum>

5.[Optional] Display the contents of a backup by specifying the Luna Backup HSM G5 slot and the backup partition label in LunaCM.

lunacm:> partition archive contents -slot <backup_slotnum> -partition <backup_label>

6.Restore the partition contents, specifying the Luna Backup HSM G5 slot and the backup you wish to use. By default, duplicate backup objects with the same OUID as objects currently existing on the partition are not restored.

If you have changed attributes of specific objects since your last backup and you wish to revert these changes, include the -replace option.

If you are restoring a V1 partition and you only want to restore the SMK, include the -smkonly option.

lunacm:> partition archive restore -slot <Backup_HSM_slotnum> -partition <backup_label> [-replace] [-smkonly]

You are prompted for the backup's Crypto Officer credential.

The backup contents are cloned to the application partition.