Backup and restore with LunaSA

Contents

3.7.5. Backup and restore with LunaSA#

You need to backup the contents of the partition you are using.

With the LunaSA you need a backup token, which in turn is an HSM itself. This is why you need the following cloning policies enabled:

Cloning HSM:

hsm changePol -p 7 -v1

Secret Key Cloning per partition:

partition changePol -pa yourPartition -po 4 -v1

Backup#

Insert the Backup-Token into the lower slot.

Issue the command:

hsm login

Then start the backup procedure:

partition backup -partition HSMPartitionname -password ClientPassword

Note

During the backup procedure the backup token (which in turn is an HSM) gets its own blue and black key. But you can also use the same keys you where using for the original partition on the HSM. The same red Domain-Key must be used.

Note

You can only backup one partition to a backup token.

Issuing the backup command will result in the following output:

CAUTION:  Are you sure you wish to initialize the backup
       token named:
         no label
       Type 'proceed' to continue, or 'quit' to quit now.
       > proceed
Luna PED operation required to initialize backup token - use Security Officer (blue) PED key.

Luna PED operation required to login to backup token - use Security Officer (blue) PED key.

Luna PED operation required to generate cloning domain on backup token - use Domain (red) PED key.

Luna PED operation required to generate partition backup space on token - use User or Partition Owner
(black) PED key.

Luna PED operation required to login to partition backup space on token - use User or Partition Owner
(black) PED key.

Then the objects that are being backed up are listed.

Warning

During the backup process the handles of the keys may change. So you should also memorize and record the labels of the keys, since during restore the keys might get restored to other handles!

Restore#

In case of recovering a broken HSM or in case of setting up a HA solution, you need to restore the data. You need to login to the HSM and create a new partition with the same name as the old one:

hsm login

partition create -par yourOldPartition

Note

You can reuse the existing black partition owner key

Again you need to set the partition policies:

partition changePolicy -par testCA -pol 22 -v 1
partition changePolicy -par testCA -pol 23 -v 1

Finally insert the backup token into the lower slot of the HSM and start the restore process:

partition restore -par yourOldPartition -password /RMF-At5F-p6XJ-HR64 -replace

       > proceed
Luna PED operation required to login to partition backup space on token - use User or Partition Owner (black) PED key.

Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.

Note

If this is a new machine, then of course you need to setup the trust link with the clients anew.

Note

In case you need to recover a failed member, use the command haadmin -recover.