Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

SafeNet IDPrime Virtual HSM Integration

HSM Deployment Recommendations

search

HSM Deployment Recommendations

Data protection holds prime importance for critical business applications. The inappropriate use of the Hardware Security Module (HSM) Server can lead to loss of data, refer to SafeNet Luna HSM Guide.

Recommendations

  • Configure the HSM Server for backup in case of hardware failure.
  • Backup the contents of Luna SA HSM and HSM partitions.

If the important objects are static, then a single backup is sufficient. However, if important objects change frequently or if it is important to revert to date, time, condition, or context, then regular backups are necessary.

Backup HSM: Luna HSM Backup is performed with Luna Remote Backup HSM. Here, the word ‘Remote’ in the product name denotes "capability". Luna Remote Backup HSM works fine as the local backup device for Luna HSM, and is the only device supported for local or remote backup of Luna SA.

The options to backup primary or source Luna HSMs are:

  • Local backup of Luna HSM, where all components are co-located: This is a common scenario with all Luna HSMs, but applies to direct connect, local to the client HSMs, such as Luna PCI-E. However, it does not apply to Luna SA because it resides in a server rack away from its administrators.

  • Local backup of Luna SA, where Luna SA is located remotely from a computer that has Luna Backup HSM: This is the possible scenario with Luna SA, and requires that the administrator performing backup must have client authentication access to all Luna SA partitions.

  • Remote backup of Luna HSM, where Luna HSM is located remotely from the computer that has Luna Backup HSM: This scenario ensures that the administrator of Luna Backup HSM host computer must connect through SSH or RDP to the clients of each HSM partition that needs to be backed up.

The client performs the backup or restore under remote direction. In local mode, you connect directly to Luna SA through the USB. This means that for a local backup, the HSM appliance is located on a local computer for backup irrespective of the administrator. For remote backup, you connect through USB to a computer running vtl and driver for the device.

Backup and restore are then performed over a secure network connection. For PED authenticated Luna SA; to perform backup between the HSMs, you must have a copy of the appropriate red (domain) PED keys from the Luna SA to use with Backup HSM. For more information, refer to Luna HSM Installation Guide.

HSM Scalable Key Storage

IDPV Server V2.3 supports HSM Scalable Key Storage (SKS) mode.

SKS is a virtual secure storage handling your sensitive keys. SKS is based upon a model where keys generated on the HSM are securely extracted as encrypted SKS objects and reinserted into the HSM when cryptographic operations are performed with those keys.

For more information, refer to HSM SKS Documentation.

On this page