Backing up a Keyset
Individual, HSM stored keysets can be backed up to a secure disk file or one or more smart cards. Backed up keysets can then be restored in the event of a tamper to the HSM or if the keysets are otherwise lost.
NOTE Users are responsible for backing up their own keysets and the ProtectToolkit-M device administrator is responsible for backing up the MACHINE and SYSTEM keysets.
A triple-DES BackupKey is used to encrypt each keyset prior to storage on a smart card. A different BackupKey is automatically created for each keyset when the keysets are created but these keys are not visible under normal ProtectToolkit-M operation. A BackupKey for a keyset is derived from a combination of the password used to secure that particular keyset and the keyset name. In the case of the MACHINE and SYSTEM keysets, the device administrator’s password and the keyset name are used to derive the key. Thus to restore a keyset that was previously backed up, the same password and keyset name must be used.
NOTE You cannot backup ProtectToolkit-M FIPS mode keysets. If your organization requires you to use FIPS mode tokens we recommend securing your keyset using an NofM schema. See the Key Splitting Scheme Selection for more information about NofM.
Keyset backup is accomplished with the command line tool ctkmu or the GUI tool kmu. Both the ctkmu utility and the kmu utility are included in the ProtectToolkit-C package. See ctkmu and the Key Management Utility (KMU) Reference for more information about these utilities.
See Key Backup Procedure for example procedures and more information.