Cloning Objects to Another Application Partition

You can back up partition objects from an application partition to any other partition that shares its cloning domain. The Crypto Officer of both partitions can perform this operation using LunaCM.

TIP   The various ways you might use cloning

>Basic cloning partition-to-partition This page talks about generically performing cloning procedures with the explicit cloning commands partition clone.

>Key migration In cases where you are looking to bring your important keys and objects from application partitions on older Luna HSMs to more modern HSMs or to HSMs with equivalent hardware, but with more recent firmware versions, then you might prefer to refer to the page: Migrating Keys to Your New HSM. The underlying cloning operations are the same, but the emphasis and discussion are more oriented to the migration task, and cover some activities and caveats not addressed here.

>Backup and Restore Similarly, the backup and restore operations (to and from dedicated backup HSMs), for offline storage, employ dedicated commands that nevertheless invoke cloning operations and protocols. See Partition Backup and Restore.

>High Availability (HA) Finally, the Luna High Availability (HA) feature permits you to dedicate two or more application partitions (usually on separate hosts) to processing your applications' cryptographic calls by sharing the workload across HA group-member partitions whose content is synchronized by means of cloning operations. Concepts and instructions are here High-Availability Groups.

Considerations when Performing Cloning and Backup-Restore Operations, when SKS is Involved

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.

Prerequisites

>Partition policy 0: Allow private key cloning must be set to 1 (ON) on both the source and target partitions.

>The target partition must be initialized with the same cloning domain as the source partition.

>You require the Crypto Officer credential for both the source and the target partition.

>Both partitions must be visible as slots in LunaCM.

>[Remote PED] This procedure is simpler when both partitions are activated (see Activation on Multifactor Quorum-Authenticated Partitions). If the partitions are not activated, you must connect the source partition to PEDserver before logging in, disconnect it, and then connect the target partition to PEDserver by specifying its slot.

lunacm:> ped connect [-ip <IP>] [-port <port>]

lunacm:> ped disconnect

lunacm:> ped connect -slot <target_slot> [-ip <IP>] [-port <port>]

NOTE   For older Luna versions, or situations where only cloning protocol version one (CPv1) is available, the library attempts to perform the individual actions of a cloning operation in sequence on the respective partitions, opening and closing a separate session for each object to be copied. If the policies and partition types on the source and target partitions are incompatible, the partition clone command (or an attempted HA synchronization) can fail with a message like CKR_DATA_LEN_RANGE while trying to clone. This can occur if a key object from the source partition is a different size than an equivalent object expected by the target.

UPDATE: Using Luna HSM Firmware 7.8.0 and newer, when a cloning negotiation agrees on the use of CPv4, a call to clone multiple keys/objects launches a single session for all the requested objects, rather than opening and closing individual sessions for each object. The above portion of this note about mismatched sizes remains valid.

NOTE   CPv1 UPDATE: In FW 3.0 for Luna Cloud HSM, CPv1 will be removed from FIPS firmware support as it is no longer compliant with 140-3. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode. If Luna Network HSM 7 users want to clone to Luna Cloud HSM they will have to use Luna HSM Firmware 7.8.0 or newer. See Universal Cloning for more information.

To clone partition objects to another application partition

This is the simplest case, where source and target are similarly configured. For more detailed procedures, when cipher-suite availability and partition authorization method might differ, and additional choices are needed, see below.

1.In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

2.[Optional] View the partition objects and their object handles.

lunacm:> partition contents

3.Clone objects on the partition to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

NOTE   When a password-authenticated HSM partition is acquiring a domain from a multifactor quorum-authenticated partition, the password-authenticated HSM must have a Luna PED locally connected to it to facilitate the operation.

A remote PED connection is not effective in this scenario, and any pedserver activity on the client should be halted for this cloning operation with pedserver -mode stop.

This is not necessary if you instead choose to add a text domain to your multifactor quorum-authenticated HSM partition (requires Luna HSM Firmware 7.8.0 or newer and Luna HSM Client 10.5.0 or newer) with partition domainadd. However, you might choose to import an authentication secret (PED key) to a password-authenticated partition if there is no room for another domain on your multifactor quorum-authenticated partition, and you have strong reason to preserve all domains already there.

Copying Keys and Objects with Universal Cloning

Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0 introduce universal cloning, which rounds out the ability to clone objects between differing HSM partitions and also with Cloud crypto services (now running Luna Cloud HSM firmware 2.0 or newer). Universal cloning makes use of cloning protocol version 4 (CPv4) along with Extended Domain Management features that allow each HSM partition to have, and select among, up to three different cloning/security domains. That is, a single partition can contain, and perform crypto, with keys and objects that are protected under as many as three different domains, whether password-authenticated or multifactor quorum-authenticated.

If your on-premises HSMs are at an earlier firmware version, you can still use the older protocol versions among on-premises partitions, and cloud crypto services can still negotiate back to CPv3 or CPv1 with the inherent abilities and limitations of those earlier versions. See Cloning Protocols and Cipher Suite Selection for more details on the specifics of each generation of cloning protocol, including which ones were introduced with which HSM firmware versions.

NOTE   Partition policy 44: Allow Extended Domain Management must be set to 1 or ON, in order for your partition to have more than one cloning/security domain, and to allow either adding new domain strings (password-authenticated), or adding-by-importing existing multifactor quorum domains (PED keys).

NOTE   CPv1 UPDATE: In FW 3.0 for Luna Cloud HSM, CPv1 will be removed from FIPS firmware support as it is no longer compliant with 140-3. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode. If Luna Network HSM 7 users want to clone to Luna Cloud HSM they will have to use Luna HSM Firmware 7.8.0 or newer. See Universal Cloning for more information.

To clone partition objects from on-premises password-authenticated partition to on-premises multifactor quorum-authenticated partition using Luna HSM Firmware 7.8.0 or newer

Requires Luna HSM Client 10.5.0 or newer.

This procedure is for:

>an on-premises password-authenticated Luna Network HSM 7 partition as the source, which could be for:

a routine cloning between two HSM partitions that are at Luna HSM Firmware 7.8.0 or newer,

migration cloning of keys and objects from a legacy HSM partition (firmware 5.x, 6.x), or from firmware older than Luna HSM Firmware 7.8.0.

>an on-premises multifactor quorum-authenticated Luna Network HSM 7 partition as the target (at Luna HSM Firmware 7.8.0 or newer).

1.Ensure that the two partitions can both use a common cloning protocol.

a.for HSMs (both legacy and 7.x) before Luna HSM Firmware 7.7.0, only protocol CPv1 is available

b.for Luna HSM Firmware 7.7.1 and newer, if partition policy 42 - Enable CPv1 is ON, then that protocol is chosen and others are disabled

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

c.if partition policy 42 - Enable CPv1 is OFF, then negotiation of common cipher suites is attempted between partitions; this is preferred when available.

d.if CPv1 has not been forced, and all cipher suites for CPv4 have been disabled on one of the participating partitions, then only CPv3 remains and a common CPv4 cipher suite cannot be negotiated.

2.Ensure that the source and target partitions have a cloning domain in common.

a.In LunaCM, set the active slot to the target multifactor quorum-authenticated partition and log in as Partition SO (po).

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

b.View the partition domains and note their labels.

lunacm:> partition domainlist

c.If the two partitions share a common domain, proceed to cloning.

d.If the two partitions do not share a common domain, then make room, if necessary, by deleting one domain you can do without on the target partition.

lunacm:> partition domaindelete

e.Add a domain that matches one from the source partition

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3.In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4.[Optional] View the partition objects and their object handles.

lunacm:> partition contents

5.Clone objects on the current partition to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

6.[OPTIONAL] You can retain an added domain on a partition as long as it remains useful

as long as the partition contains objects encrypted under that particular domain, or

while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Or you can delete a domain using partition domaindelete if it is no longer needed.

To clone partition objects from on-premises multifactor quorum-authenticated partition to on-premises password-authenticated partition using Luna HSM Firmware 7.8.0 or newer

Requires Luna HSM Client 10.5.0 or newer.

This procedure is for :

>an on-premises multifactor quorum-authenticated Luna Network HSM 7 partition as the source, which could be for:

a routine cloning between two HSM partitions that are at Luna HSM Firmware 7.8.0 or newer,

migration cloning of keys and objects from a legacy HSM partition (firmware 5.x, 6.x), or from firmware older than Luna HSM Firmware 7.8.0.

>an on-premises password-authenticated Luna Network HSM 7 partition as the target (at Luna HSM Firmware 7.8.0 or newer).

1.Ensure that the two partitions can both use a common cloning protocol

a.if the source has partition policy 42 - Enable CPv1 on , then that protocol is chosen and others are disabled (or if the source has firmware earlier than Luna HSM Firmware 7.7.0, meaning that CPv1 is the only protocol); this imposes restrictions on operations, see Cloning Protocols and Cipher Suite Selection

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

b.if partition policy 42 - Enable CPv1 is OFF, then negotiation of common cipher suites is attempted between partitions; this is preferred when available.

c.if CPv1 has not been forced, and all cipher suites for CPv4 have been disabled on one of the participating partitions, then only CPv3 remains and a common CPv4 cipher suite cannot be negotiated.

2.Ensure that the source and target partitions have a cloning domain in common.

a.If the source is a Luna HSM Firmware 7.8.0 or newer partition, then it can accept the target's domain string (password-authenticated) into the multifactor quorum-authenticated source partition, avoiding the need to connect a Luna PED to the target, in which case, skip to step d.; otherwise, go to step b.

b.If the source multifactor quorum-authenticated partition is at any firmware version older than Luna HSM Firmware 7.8.0, it cannot have more than one domain, so its PED key secret must be brought to the target; connect a Luna PED locally to the password-authenticated target.

c.In LunaCM, set the active slot to the target partition and log in as Partition SO.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

d.View the partition domains and note their labels.

lunacm:> partition domainlist

e.If the two partitions share a common domain, proceed to cloning.

f.If the two partitions do not share a common domain, then make room, if necessary, by deleting one domain you can do without.

lunacm:>partition domaindelete

g.Add a domain that matches one from the other partition.

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3.In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4.[Optional] View the partition objects and their object handles.

lunacm:> partition contents

5.Clone objects on the partition to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

6.[OPTIONAL] You can retain an added domain on a partition as long as it remains useful

as long as the partition contains objects encrypted under that particular domain, or

while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Or you can delete a domain using partition domaindelete if it is no longer needed.

To clone keys and objects from a Luna Cloud HSM Service slot to an on-premises multifactor quorum-authenticated partition

1.Ensure that the two partitions can both use a common cloning protocol

a.the source, as an Luna Cloud HSM service, is already at firmware 2.0 or a later level that supports CPv4

b.if partition policy 42 - Allow CPv1 is ON, for the target partition, then that protocol is chosen and others are disabled

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

c.if partition policy 42 - Allow CPv1 is OFF, then the cloning protocols available will sort themselves and negotiate common cipher-suites between source and target; this is preferred.

d.if all cipher suites for CPv4 have been disabled on the on-premises HSM partition, then only CPv3 remains and a common CPv4 cipher suite cannot be negotiated; this imposes restrictions on operation see Cloning Protocols and Cipher Suite Selection for more detail.

2.Ensure that the source and target partitions have a cloning domain in common.

Just as you must know the password (text string) for a Luna Cloud HSM service, you must also know the domain secret (text string) to proceed with this cloning operation.

NOTE   Partition policy 44: Allow Extended Domain Management must be set to 1 or ON, in order for your partition to have more than one cloning/security domain, and to allow either adding new domain strings (password-authenticated), or adding-by-importing existing multifactor quorum domains (PED keys).

a.In LunaCM, set the active slot to the on-premises target partition and log in as Partition SO.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

b.View the partition domains and note their labels.

lunacm:> partition domainlist

c.If the Luna Cloud service and the target partition share a common domain, proceed to cloning.

d.If the two do not share a common domain, then make room on the on-premises target, if necessary, by deleting one domain you can do without.

lunacm:>partition domaindelete

e.Add a domain that matches one from the source Luna Cloud HSM service

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3.In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4.[Optional] View the partition objects and their object handles.

lunacm:> partition contents

5.Clone objects on the cloud service to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted (in this case, the appropriate black PED key).

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

6.[OPTIONAL] You can retain an added domain on a partition as long as it remains useful

as long as the partition contains objects encrypted under that particular domain, or

while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Or you can delete a domain using partition domaindelete if it is no longer needed.

To clone keys and objects from an on-premises multifactor quorum or password-authenticated partition to a Luna Cloud HSM service

This includes

>an on-premises Luna Network HSM 7 multifactor quorum-authenticated or password-authenticated partition as the source, and

>a Luna Cloud HSM service (password-auth) as the target.

1.Ensure that the two partitions can both use a common cloning protocol

a.if the target partition is a Luna Cloud HSM service, then it is at a firmware level that supports CPv4

b.if the source has partition policy 42 - Enable CPv1 on, then that protocol is chosen and others are disabled

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

c.if partition policy 42 - Enable CPv1 is off for the on-premises HSM partition, then the cloning protocols available will sort themselves and negotiate common cipher-suites between source and target; this is preferred.

d.if all cipher suites for CPv4 have been disabled on the on-premises HSM partition, then only CPv3 remains and a common CPv4 cipher suite cannot be negotiated; this imposes restrictions on operation see Cloning Protocols and Cipher Suite Selection for more detail.

2.Ensure that the source and target partitions have a cloning domain in common.

NOTE   Partition policy 44: Allow Extended Domain Management must be set to 1 or ON, in order for your partition to have more than one cloning/security domain, and to allow either adding new domain strings (password-authenticated), or adding-by-importing existing multifactor quorum domains (PED keys).

a.In LunaCM, set the active slot to the source partition and log in as Partition SO (po).

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

b.View the partition domains and note their labels.

lunacm:> partition domainlist

c.If the source partition and the target cloud service share a common domain, proceed to cloning.

d.If the source partition and the target cloud service do not share a common domain, then make room, if necessary, by deleting from the source partition one domain you can do without.

lunacm:>partition domaindelete

e.Add a domain to the source partition that matches the domain from the Luna Cloud HSM Service target.

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3.In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4.[Optional] View the partition objects and their object handles.

lunacm:> partition contents

5.Clone objects on the partition to the target Luna Cloud HSM Service by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target Luna Cloud HSM Service. Any objects that already exist on the target are not cloned.

6.[OPTIONAL] You can retain an added domain on a partition as long as it remains useful

as long as the partition contains objects encrypted under that particular domain, or

while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Or you can delete a domain using partition domaindelete if it is no longer needed.

NOTE   CPv1 UPDATE: In FW 3.0 for Luna Cloud HSM, CPv1 will be removed from FIPS firmware support as it is no longer compliant with 140-3. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode. If Luna Network HSM 7 users want to clone to Luna Cloud HSM they will have to use Luna HSM Firmware 7.8.0 or newer. See Universal Cloning for more information.