partition archive backup
Backup partition objects. Use this command to backup objects from the current user partition to a partition on a backup device. You must be logged in as the Crypto Officer to backup the partition.
NOTE If the domains of your source and target HSMs do not match or the policy settings do not permit backup, the partition archive backup command fails. No objects are cloned to the target HSM but the command creates an empty backup partition. In this circumstance, you must manually delete the empty backup partition.
When you call for a cloning operation (such as backup or restore), the source HSM transfers each object one at a time, encrypted with the source domain. If the source is a V0 or pre-7.7.0 partition, the target HSM then decrypts and verifies each received blob. If the source is a V1 partition, the blob remains encrypted on the Backup HSM. See Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information.
If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. If the domain string or the domain PED key used to create the target partition did not match the domain of the source HSM partition, the operation fails with the error CKR_CERTIFICATE_INVALID. If the source is a partition using firmware older than Luna HSM Firmware 7.7.0, the source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached. If the source is a V0 or V1 partition, the backup operation ends when the first object fails.
NOTE To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:
>Luna Backup HSM 7 Firmware 7.7.1
>Luna Backup HSM G5 Firmware 6.28.0
You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported for purposes of getting your objects from the older partitions onto the newer V0 or V1 partitions only. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions - any attempt to restore from a higher-security status to lower-security status fails gracefully.
When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.
Backup partition sizing
When you run the partition archive backup command, it compares the size of the source partition with the remaining free space on the backup HSM to ensure that there is enough space on the backup HSM to accommodate the backup. If there is not enough space, the backup operation is canceled, and an appropriate error message is displayed.
Luna Backup HSM 7 partition re-sizing
On Luna Backup HSM 7s, when you create a new backup, all of the available free space on the backup HSM is assigned to the new backup partition. Once all of the objects have been successfully cloned to the new backup partition, the new backup partition is automatically re-sized to the minimum size required to accommodate the backup objects, and any free space is reallocated.
NOTE If this re-sizing operation should fail, all the free space on the Backup HSM will be occupied and no new backups can be made. In this unlikely event, you must delete the backup using lunacm:> partition archive delete and re-attempt the backup operation.
If the backup partition becomes full before all of the objects have been successfully cloned, the backup is canceled and an error message is displayed. The new backup partition and all of the objects cloned to that point are deleted from the backup HSM and it reverts to the state it was in prior to the backup operation. In this case you will need to free up some space on the backup HSM or use another backup HSM with more available free space.
Syntax
partition archive backup -slot <backup_slot> [-partition <backup_partition>] -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-objects <object_handles>] [-smkonly] [-debug] [-force]
| Argument(s) | Shortcut | Description |
|---|---|---|
| -append | -a |
Append new objects to the existing partition. Do not overwrite existing objects that have the same OUID, even if their attributes differ (see -replace). NOTE When backing up objects from an HSM with firmware older than 7.7.0 to a Luna Backup HSM 7 with firmware 7.7.1 or newer, objects with the same OUID as those already stored on the backup may be identified as having a different fingerprint:
Use both -append and -replace to overwrite these backup objects with the versions on the source partition. |
| -debug | -deb | Turn on additional error information (optional). |
| -defaultdomain | -def | Default domain for the specified partition. |
| -domain <domain> | -do | Domain for the specified partition. |
| -force | -f | Force action with no prompting. |
| -objects <object_handles> | -o |
Select specific individual objects to back up by specifying their object handles using any of the following methods: >a single object handle >0 or all, to indicate that all objects are to be extracted >a list of handles, separated by commas. For example: -objects 3,4,6 This option requires Luna HSM Client 10.3.0 or newer, and gives the capability to backup selected objects to a backup HSM. |
| -partition <backup_partition> | -par |
Backup partition name (maximum length of 32 characters). NOTE Optional on the Luna Backup HSM 7. If you omit this option, the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>). |
| -password <password> | -pas | Password for the specified partition. |
| -replace | -rep | Replace the entire backup with a new one. Since a new backup partition is created, you must present a new PO credential for the backup. |
| -slot <see description> | -s |
Target slot containing the backup device. It can be specified by any of the following: > <slot number>, if the backup slot is in the current system. >direct to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5). |
| -smkonly | -smk |
Back up the SKS Master Key (SMK) without objects. This option applies to Luna HSM Firmware 7.7.0 and newer. |
| -sopassword <sopassword> | -sop | SO password for the backup device. |
Example
lunacm:> partition archive backup -slot 2 -partition sa78backup -domain clientdomain -password newPa$$w0rd -sopassword backupSOpwd
Logging in as the SO on slot 2.
Creating partition sa78backup on slot 2.
Logging into the container sa78backup on slot 2 as the user.
Creating Domain for the partition sa78backup on slot 2.
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Cloned object 53 to partition sa78backup (new handle 19).
Cloned object 54 to partition sa78backup (new handle 23).
Cloned object 52 to partition sa78backup (new handle 24).
Cloned object 47 to partition sa78backup (new handle 28).
Backup Complete.
6 objects have been backed up to partition sa78backup
on slot 2.
Command Result : No Error
Example - SKS Backup
Backup the SMK from the current slot to the indicated SKS Backup HSM. This does not backup crypto objects. The target must be an SKS Backup HSM.
NOTE Do not name the target partition to be created on the Backup HSM, because SKS backup creates the name from the label of the source partition, combined with a timestamp.
CAUTION! Always be careful when restoring a backed-up SMK, because that operation overwrites the SMK on the target partition. If you do not have a backup of that overwritten SMK, any objects encrypted by that SMK can never be decrypted.
lunacm:>partition archive backup -slot 5 -smkonly You are backing up a SKS partition. Only the SKS master key (SMK) will be backed up. No other objects will be cloned. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now ->proceed Logging in as the SO on slot 5. Please attend to the PED. Creating partition 358628973182_2019:03:09-16:52:47 on slot 5. Please attend to the PED. Logging into the container 358628973182_2017:03:09-16:52:47 on slot 5 as the user. Please attend to the PED. Creating Domain for the partition 358628973182_2019:03:09-16:52:47 on slot 5. Please attend to the PED. The SMK was cloned successfully. Command Result : No Error
