Key Cloning

You can clone key material between partitions to back up the keys, or to migrate the keys from one HSM to another. The rules, prerequisites, and procedures for migrating your key material are described in the following topics:

>Domain Planning

>Cloning Objects to Another Application Partition

>Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum

>Cloning Protocols and Cipher Suite Selection

>Where is copying, sharing, migration of keys possible - from what source to what destination?

>Enabling and Disabling CPv4 Cipher Suites

>Considerations when Performing Cloning and Backup-Restore Operations, when SKS is Involved

Overview and Key Concepts

A Crypto Officer can clone the cryptographic objects (keys) from one user partition to another user partition provided that:

>The user partitions share the same cloning/security domain. See Domain Planning. For firmware newer than 7.8.0 and client newer than Luna HSM Client 10.5.0 see Where is copying, sharing, migration of keys possible - from what source to what destination? and Universal Cloning.

>The user partitions use the same authentication method (multifactor or password).

>The CO has the required credentials on both user partitions.

>The capabilities and policies set on the source and target HSM and user partitions allow cloning. See HSM Capabilities and Policies and Partition Capabilities and Policies.

Enhanced utility with Universal Cloning

Using Luna HSM Firmware 7.8.0 or newer, you can engage Extended Domain Management and Cloning Protocol Version 4 (CPv4) as described at Universal Cloning to improve the versatility of key cloning.

Changes introduced with Luna HSM Firmware 7.7.0 and newer

You can update Luna HSM Client software, Luna Network HSM 7 appliance software, and Luna HSM firmware at different times, according to your needs.

When the HSM is updated to Luna HSM Firmware 7.7.0 or newer, some changes take place in the partitions and their contents, such that updated Client software is needed to make full use of the updated partitions and their contents. See Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more detail on behaviors and constraints of the partition types.

>In HA groups, update the secondary members first, and then the primary member last.

>Older clients will continue to work with V0 partition for Luna Network HSM 7.

>For Luna PCIe HSM 7, you must use Luna HSM Client 10.3.0 or newer.

>You need a newer client for V1 partitions when you want to use SKS or PKA.

>Client software must be Luna HSM Client 10.3.0 or newer to work with V1 partitions to support SKS and/or PKA, and HA. See Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more detail.
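The cloning prerequisites listed under Overview and Key Concepts, together with the Luna HSM Client 10.3.0 requirement for V1 partitions in the list above, can be turned into a pre-flight check that an operator runs before issuing a clone or enabling HA synchronization. The following Python checker is an added example and is not Thales tooling or part of this documentation; the Partition dataclass, its field names, the cloning_blockers function and all sample values are assumptions constructed for the illustration, and the real values would be read from the partition and policy listings of the HSMs involved.

```python
"""Pre-flight check for cloning keys between two Luna partitions.

Added example, not Thales code. It encodes the conditions this page lists:
 - both partitions share the same cloning/security domain,
 - both use the same authentication method (password or multifactor),
 - the Crypto Officer (CO) has credentials on both partitions,
 - HSM and partition capabilities/policies on both sides allow cloning,
 - Luna HSM Client 10.3.0 or newer is needed to work with V1 partitions
   for SKS and/or PKA, and for HA.
The Partition dataclass and its field names are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass
class Partition:
    name: str
    domain: str                 # cloning/security domain label (constructed)
    auth: str                   # "password" or "multifactor"
    co_credentials: bool        # CO can log in to this partition
    policies_allow_cloning: bool  # HSM + partition policies permit cloning
    partition_type: str         # "pre-7.7", "V0" or "V1"
    uses_sks_or_pka: bool = False


# Minimum client version stated on the page for V1 partitions with SKS/PKA/HA.
MIN_CLIENT_FOR_V1 = (10, 3, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '10.3.0' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def cloning_blockers(src: Partition, dst: Partition,
                     client_version: str, ha_group: bool = False) -> list[str]:
    """Return the list of reasons cloning from src to dst would be refused.

    An empty list means every prerequisite on this page is satisfied.
    """
    blockers: list[str] = []

    if src.domain != dst.domain:
        blockers.append(
            f"cloning domain mismatch: {src.name}={src.domain!r}, "
            f"{dst.name}={dst.domain!r}")

    if src.auth != dst.auth:
        blockers.append(
            f"authentication method mismatch: {src.name}={src.auth}, "
            f"{dst.name}={dst.auth}")

    for part in (src, dst):
        if not part.co_credentials:
            blockers.append(f"no Crypto Officer credentials for {part.name}")
        if not part.policies_allow_cloning:
            blockers.append(
                f"HSM/partition policies on {part.name} do not allow cloning")

    # V1 partitions used with SKS/PKA, or in an HA group, need a client
    # of at least 10.3.0; older clients keep working with V0 partitions.
    needs_new_client = any(
        part.partition_type == "V1" and (part.uses_sks_or_pka or ha_group)
        for part in (src, dst))
    if needs_new_client and parse_version(client_version) < MIN_CLIENT_FOR_V1:
        blockers.append(
            f"Luna HSM Client {client_version} is older than 10.3.0, which "
            "V1 partitions require for SKS/PKA or HA")

    return blockers


if __name__ == "__main__":
    # Constructed sample partitions for a stand-alone run.
    source = Partition("par-src", "dom-A", "password", True, True, "V1",
                       uses_sks_or_pka=True)
    target = Partition("par-dst", "dom-A", "password", True, True, "V1",
                       uses_sks_or_pka=True)
    for reason in cloning_blockers(source, target, "10.2.0") or ["ok"]:
        print(reason)
```

Running the block with the constructed partitions reports only the client-version blocker; feeding it a target on a different domain or with a different authentication method adds one line per failed prerequisite, so the operator sees every reason at once rather than discovering them one clone attempt at a time.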

NOTE   For older Luna versions, or situations where only cloning protocol version one (CPv1) is available, the library attempts to perform the individual actions of a cloning operation in sequence on the respective partitions, opening and closing a separate session for each object to be copied. If the policies and partition types on the source and target partitions are incompatible, the partition clone command (or an attempted HA synchronization) can fail with a message like CKR_DATA_LEN_RANGE while trying to clone. This can occur if a key object from the source partition is a different size than an equivalent object expected by the target.

UPDATE: Using Luna HSM Firmware 7.8.0 and newer, when a cloning negotiation agrees on the use of CPv4, a call to clone multiple keys/objects launches a single session for all the requested objects, rather than opening and closing individual sessions for each object. The above portion of this note about mismatched sizes remains valid.

Further information

For an overview of cloning protocols from earlier versions to current, their respective capabilities and applicability, see Cloning Protocols and Cipher Suite Selection.

Considerations when Performing Cloning and Backup-Restore Operations, when SKS is Involved

If you invoked scalable key storage (SKS) for your applications to create and store large numbers of keys, then the partition is V1. If you perform cloning operations (including HA) or Backup and Restore, see Cloning or Backup / Restore with SKS.