Backing up a Keyset

Individual, HSM stored keysets can be backed up to a secure disk file or one or more smart cards. Backed up keysets can then be restored in the event of a tamper to the HSM or if the keysets are otherwise lost.

NOTE   Users are responsible for backing up their own keysets and the SafeNet ProtectToolkit-M device administrator is responsible for backing up the MACHINE and SYSTEM keysets.

A triple-DES BackupKey is used to encrypt each keyset prior to storage on a smart card. A different BackupKey is automatically created for each keyset when the keysets are created but these keys are not visible under normal SafeNet ProtectToolkit-M operation. A BackupKey for a keyset is derived from a combination of the password used to secure that particular keyset and the keyset name. In the case of the MACHINE and SYSTEM keysets, the device administrator’s password and the keyset name are used to derive the key. Thus to restore a keyset that was previously backed up, the same password and keyset name must be used.

Keyset backup and restore is accomplished with the command line utility ctkmu. Please refer to for the complete ctkmu reference.

Preparation

Prior to attempting a keyset backup, please ensure that you have:

>a valid keyset that can be backed up

>if backing up to smart cards, a smart card reader connected to the HSM, and

>sufficient smart cards or disk space to back up the required data.

Procedure

1.Obtain a listing of all keysets by executing ctkmu l from a command prompt.


2.Record the slot number for the keyset you wish to backup.

3.To backup a keyset to a file, from a command prompt, type the following, substituting the slot number of the keyset to backup for n and the name of the file to back up to for fileName:

ctkmu x –sn –wBackupKey filename
 

NOTE   When backing up the MACHINE_Keyset or the SYSTEM_Keyset, enter the default value password as the user password. The device administrator’s password and the keyset name will be used to derive the BackupKey in these instances.

Example

In the example below, the keyset on slot 0 will be securely encrypted using the key BackupKey (created from the user password for the keyset and the keyset name) and backed up to the disk file named MachineKeyset.bak. This operation will prompt for the user password for the keyset.

ctkmu x –s0 -wBackupKey MachineKeyset.bak
 



Customer Support Portal

SafeNet ProtectToolkit 5.5 Product Documentation  08 January 2020  Copyright 2009-2020 Gemalto. All rights reserved.