Partition Backup and Restore

Luna Network HSM 7 allows secure creation, storage, and use of cryptographic data (keys and other objects). It is critically important to safeguard your important cryptographic objects against unforeseen damage or data loss. No device can offer total assurance against equipment failure, physical damage, or human error. Therefore, a comprehensive strategy for making regular backups is essential. There are multiple ways to perform these operations, depending on your implementation.

This section contains the following information:

>Key Concepts for Backup and Restore Operations

Credentials Required to Perform Backup and Restore Operations

Client Software Required to Perform Backup and Restore Operations

Multifactor Quorum Authentication with Luna Backup HSM 7 v1

>Planning Your Backup HSM Deployment

>Backup and Restore Best Practices

Luna Network HSM 7 can perform backup and restore operations using the legacy Luna Backup HSM G5, the updated Luna Backup HSM 7 (v1 or v2), or a Backup to Luna Cloud HSM service. Refer to the section describing the variant you wish to use:

>Backup to Luna Cloud HSM

>Luna Backup HSM 7 v1

>Luna Backup HSM 7 v2

>Luna Backup HSM G5

Key Concepts for Backup and Restore Operations

A Crypto Officer (CO) can use the backup HSM to back up and restore the objects in any partition they can log in to, provided that:

>The application partition and the backup HSM partition share the same domain.

>The application partition and the backup HSM use the same authentication method (multifactor quorum or password).

>The CO has the required credentials on the backup HSM.

You can perform backup/restore operations on your application partitions by connecting the backup HSM to the Luna HSM Client workstation. When you connect the backup HSM to a Luna HSM Client workstation, the backup HSM Admin partition is added to the slots listed in LunaCM, allowing you to clone objects between the source application partition and the target backup partition.

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.

When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.

Backups are created and stored as partitions within the Admin partition on the backup HSM.
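The preconditions above (matching domain, matching authentication method, CO credentials on the backup HSM, minimum backup-HSM firmware for V0/V1 partitions, and the rule that a restore from higher to lower security status fails) can be captured as a pre-flight check before touching the HSMs. The following Python is an added illustration, not Thales code; it models partitions as plain dataclasses with constructed values and does not communicate with any HSM.

```python
from dataclasses import dataclass

# Thresholds taken from the note above: a partition on firmware 7.7.0 or newer
# is a V0/V1 partition, and backing it up needs a backup HSM at these minimums.
V0_V1_FIRMWARE = (7, 7, 0)
MIN_BACKUP_FIRMWARE = {"Backup HSM 7": (7, 7, 1), "Backup HSM G5": (6, 28, 0)}


def parse_version(text: str) -> tuple:
    """'6.28.0' -> (6, 28, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Partition:
    domain: str    # cloning-domain label (constructed; not a real domain secret)
    auth: str      # "password" or "multifactor"
    firmware: str  # firmware of the HSM hosting the partition, e.g. "7.7.0"

    def is_v0_v1(self) -> bool:
        return parse_version(self.firmware) >= V0_V1_FIRMWARE


@dataclass
class BackupHsm:
    model: str               # key into MIN_BACKUP_FIRMWARE
    domain: str
    auth: str
    firmware: str
    co_has_credentials: bool  # CO holds the required credentials on this HSM


def backup_problems(src: Partition, bk: BackupHsm) -> list:
    """Reasons a backup of src onto bk would fail; [] means it may proceed."""
    problems = []
    if src.domain != bk.domain:
        problems.append("domain mismatch")
    if src.auth != bk.auth:
        problems.append("authentication method mismatch")
    if not bk.co_has_credentials:
        problems.append("CO lacks credentials on the backup HSM")
    need = MIN_BACKUP_FIRMWARE[bk.model]
    if src.is_v0_v1() and parse_version(bk.firmware) < need:
        problems.append(f"{bk.model} firmware {bk.firmware} below required "
                        f"{'.'.join(map(str, need))} for V0/V1 partitions")
    return problems


def restore_problems(backup_of: Partition, target: Partition) -> list:
    """backup_of describes the partition the backup was taken from. Restoring an
    older backup onto a V0/V1 target is the supported migration path; V0/V1
    material may not go to a lower-security (pre-7.7.0) partition."""
    problems = []
    if backup_of.domain != target.domain:
        problems.append("domain mismatch")
    if backup_of.auth != target.auth:
        problems.append("authentication method mismatch")
    if backup_of.is_v0_v1() and not target.is_v0_v1():
        problems.append("cannot restore V0/V1 objects to a lower-security partition")
    return problems
```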

Credentials Required to Perform Backup and Restore Operations

You require the following credentials to perform backup/restore operations:

>Luna Network HSM 7 Remote PED (orange) PED key. Required for multifactor quorum-authenticated backups only, using a local or remote Luna Backup HSM 7 v1, or a remote Luna Backup HSM G5 or Luna Backup HSM 7 v2.

Source Luna Network HSM 7 partition

>Crypto Officer (CO). Required to access the objects in the source application partition that will be backed up.

>Domain. Required to allow objects to be cloned between the source application partition and target backup partition. The domains for the source application partition and target backup partition must match, otherwise the backup will fail.

Target Backup HSM

>HSM Security Officer (SO). Required to create or access the target backup partition in the Admin slot, where all backups are archived.

>Remote PED (orange) PED key. Required for multifactor quorum-authenticated backups only, using a local or remote Luna Backup HSM 7 v1, or a remote Luna Backup HSM 7 v2 or Luna Backup HSM G5, to establish a remote PED connection to the HSM that hosts the target backup partition.

Note: You create new credentials for both roles on HSM initialization, and use them for subsequent backups to the target backup HSM.

Target Backup Partition

>Partition Security Officer (PO). Required to access the target backup partition on a Luna Backup HSM 7.

>Crypto Officer (CO). Required to access the objects in the target backup partition.

Note: You create new credentials on the initial backup, and use them for subsequent backups to the target backup partition.

Client Software Required to Perform Backup and Restore Operations

You must install the Luna HSM Client software and USB driver for the backup HSM on the workstation you intend to use to perform backup and restore operations. The Luna Backup HSM 7 v1 requires minimum Luna HSM Client 10.1.0. The Luna Backup HSM 7 v2 requires minimum Luna HSM Client 10.4.0. Refer to Luna HSM Client Software Installation.

NOTE   Ensure that the backup HSM is not connected to the Luna HSM Client workstation when you install or uninstall the client software. Failure to do so may result in the backup HSM becoming unresponsive.

When you install the client software, you must select the following options:

>The Backup option. This installs the driver for the backup HSM and components required for the Remote Backup Service (RBS).

>The USB option. This installs the driver for the backup HSM.

>The Network and/or PCIe options, depending on which type of HSM you intend to back up.

>The Remote PED option, if you want to back up multifactor quorum-authenticated partitions. Note that you can install and use a remote PED on the same workstation used to host the backup HSM, or on a different workstation. This option is mandatory for the Luna Backup HSM 7 v1, but a local PED connection can be used for the Luna Backup HSM 7 v2 or Luna Backup HSM G5.

Multifactor Quorum Authentication with Luna Backup HSM 7 v1

The Luna Backup HSM 7 v1 is equipped with a single USB port that is used to connect the backup HSM to a Luna HSM Client workstation or Luna Network HSM 7 appliance. As such, any PED connections to the backup HSM must use a remote PED and the pedserver service.

Planning Your Backup HSM Deployment

When setting up your backup deployment, you have multiple configuration options. This section will help you choose the right configuration, depending on where you prefer to keep your backups. You can use a Luna Backup HSM, Luna Cloud HSM service, or an application partition on another Luna HSM for backup/restore operations.

Backup and restore operations require that cloning be enabled.

>Partition to Partition

>Backup to Luna Cloud HSM

>Backup HSM Connected to the Client Workstation

>Backup HSM Connected to the Luna Network HSM 7 Appliance

>Backup HSM Installed Using Remote Backup Service

Partition to Partition

You can clone objects from any Luna 7 application partition to any other Luna 7 partition that shares its cloning domain. You must have the Crypto Officer credential for both partitions. Both partitions must use the same authentication method (either password or PED key).

See Cloning Objects to Another Application Partition.

Backup to Luna Cloud HSM

You can securely back up the contents of any password- or multifactor quorum-authenticated Luna 7 partition to a Luna Cloud HSM service.

See Cloning Objects to Another Application Partition.

Backup HSM Connected to the Client Workstation

In this configuration, the Luna Backup HSM is connected to a USB port on the client workstation. It is useful in deployments where the partition Crypto Officer keeps backups at the client. This allows you to perform backup/restore operations for all application partitions that appear as visible slots in LunaCM. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

Depending on your Luna Backup HSM version, refer to:

>Backup/Restore Using Client-Connected Luna Backup HSM 7 v2

>Backup/Restore Using Client-Connected Luna Backup HSM 7 v1

>Backup/Restore Using Client-Connected Luna Backup HSM G5

Backup HSM Connected to the Luna Network HSM 7 Appliance

In this configuration, the Luna Backup HSM is connected to a USB port on the Luna Network HSM 7 appliance. It is useful in deployments where the partition Crypto Officer has admin-level access to LunaSH on the appliance. This allows you to perform backup/restore operations for all application partitions that appear in LunaSH when you run the partition list command. You can restore a partition backup to the original source partition or to another existing Luna application partition that shares the same cloning domain.

Depending on your Luna Backup HSM version, refer to:

>Backup/Restore Using Appliance-Connected Luna Backup HSM 7 v2

>Backup/Restore Using Appliance-Connected Luna Backup HSM 7 v1

>Backup/Restore Using Appliance-Connected Luna Backup HSM G5

Backup HSM Installed Using Remote Backup Service

In this configuration, the Luna Backup HSM is connected to a remote client workstation that communicates with the Luna Network HSM 7 client via the Remote Backup Service (RBS). It is useful in deployments where backups are stored in a separate location from the Luna Network HSM 7, to mitigate the consequences of catastrophic loss (fire, flood, etc.).

Backup and Restore Best Practices

To ensure that your data is protected in the event of a failure or other catastrophic event, Thales recommends that you use the following best practices as part of a comprehensive backup strategy:

CAUTION!   Failure to develop and exercise a comprehensive backup and recovery plan may prevent you from being able to recover from a catastrophic event. Although Thales provides a robust set of backup hardware and utilities, we cannot guarantee the integrity of your backed-up key material, especially if stored for long periods. Thales strongly recommends that you exercise your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material.

Develop and document a backup and recovery plan

This plan should include the following:

>What is being backed up

>The backup frequency

>Where the backups are stored

>Who is able to perform backup and restore operations

>Frequency of exercising the recovery test plan

Make multiple backups

To ensure that your backups are always available, build redundancy into your backup procedures.

Use off-site storage

In the event of a local catastrophe, such as a flood or fire, you might lose both your working HSMs and locally-stored backup HSMs. To fully protect against such events, always store a copy of your backups at a remote location.

Regularly exercise your disaster recovery plan

Execute your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material. This involves retrieving your stored Backup HSMs and restoring their contents to a test partition, to ensure that the data is intact and that your recovery plan works as documented.