partition archive restore

Restore partition objects from a backup. Use this command to restore objects from the specified backup partition, held in a Backup HSM in the specified slot, to the current user partition.

Cloning is a repeating atomic action

When you call for a cloning operation (such as backup or restore), the source HSM transfers each object one at a time, encrypted with the source domain. If the source is a V0 or pre-7.7.0 partition, the target HSM then decrypts and verifies each received blob. If the source is a V1 partition, the blob remains encrypted on the Backup HSM. See Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions for more information.

If the verification succeeds, the domains match and the object is stored at its destination. If the verification fails, the blob is discarded and the target HSM reports the failure. If the domain string or the domain PED key used to create the target partition did not match the domain of the source HSM partition, the operation fails with the error CKR_CERTIFICATE_INVALID. If the source is a partition using firmware older than Luna HSM Firmware 7.7.0, the source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached. If the source is a V0 or V1 partition, the restore operation ends when the first object fails.
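The per-object loop described above, written out as a small model (an added illustration, not Thales code). It mimics the behaviour the text describes: objects travel one at a time, each is verified at the target, and a failed verification either lets the loop continue to the next object (pre-7.7.0 source) or ends the restore (V0/V1 source), which is why a pre-7.7.0 source can leave you with a partial restore. The domain strings, handles and blob contents are constructed, and the HMAC "wrapping" is a stand-in for the real domain-bound encryption, not the cloning protocol itself.

```python
"""Model of the per-object clone/verify loop (added illustration, not Thales code).

The HMAC tag stands in for 'encrypted with the source domain'; a blob only
verifies when the target knows the same domain and the blob is intact.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
import hashlib
import hmac


class SourceType(Enum):
    PRE_7_7_0 = "pre-7.7.0"  # source continues with the next object after a failure
    V0 = "V0"                # restore ends at the first object that fails
    V1 = "V1"


@dataclass
class Blob:
    handle: int
    payload: bytes
    tag: bytes  # constructed authenticator bound to the source domain


def _tag(handle: int, payload: bytes, domain: str) -> bytes:
    msg = handle.to_bytes(4, "big") + payload
    return hmac.new(domain.encode(), msg, hashlib.sha256).digest()


def wrap(handle: int, payload: bytes, domain: str) -> Blob:
    """Source side: stand-in for 'encrypted with the source domain'."""
    return Blob(handle, payload, _tag(handle, payload, domain))


def verify(blob: Blob, domain: str) -> bool:
    """Target side: does the received blob verify under the target's own domain?"""
    return hmac.compare_digest(_tag(blob.handle, blob.payload, domain), blob.tag)


@dataclass
class RestoreResult:
    restored: List[int] = field(default_factory=list)
    failed: List[int] = field(default_factory=list)
    error: Optional[str] = None


def restore(blobs: List[Blob], source: SourceType, target_domain: str) -> RestoreResult:
    """Clone one object at a time; the failure policy depends on the source partition type."""
    result = RestoreResult()
    for blob in blobs:
        if verify(blob, target_domain):
            result.restored.append(blob.handle)  # domains match: object is stored
            continue
        result.failed.append(blob.handle)        # blob discarded, failure reported
        result.error = "verification failed"     # a domain mismatch surfaces as CKR_CERTIFICATE_INVALID
        if source is not SourceType.PRE_7_7_0:
            break                                # V0/V1: restore ends at the first failure
    return result


def demo_blobs(domain: str) -> List[Blob]:
    """Three constructed blobs; the second is damaged in transit so it cannot verify."""
    good = [wrap(h, f"key-material-{h}".encode(), domain) for h in (50, 51, 52)]
    damaged = Blob(good[1].handle, good[1].payload[:-1] + b"X", good[1].tag)
    return [good[0], damaged, good[2]]


if __name__ == "__main__":
    blobs = demo_blobs("backup-domain")
    for src in SourceType:
        r = restore(blobs, src, "backup-domain")
        print(f"{src.value:>9}: restored={r.restored} failed={r.failed} error={r.error}")
    r = restore(blobs, SourceType.V1, "other-domain")
    print(f"mismatch : restored={r.restored} failed={r.failed} error={r.error}")
```

Running it shows the two failure modes side by side: with a pre-7.7.0 source the damaged object is skipped and the rest still land, while a V0/V1 source stops after the first failure; with a mismatched domain nothing verifies in either case.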

NOTE   To perform backup operations on Luna HSM Firmware 7.7.0 or newer (V0 or V1 partitions) you require at minimum:

>Luna Backup HSM 7 Firmware 7.7.1

>Luna Backup HSM G5 Firmware 6.28.0

You can use a Luna Backup HSM with older firmware to restore objects to a V0 or V1 partition, but this is supported only for the purpose of moving your objects from the older partitions onto the newer V0 or V1 partitions. V0 and V1 partitions are considered more secure than partitions at earlier firmware versions: any attempt to restore from a higher-security status to a lower-security status fails gracefully.

When the Luna Backup HSM is connected directly to the Luna Network HSM 7 appliance, only the SMK can be backed up from or restored to a V1 partition.

Syntax

partition archive restore -slot <backup_slot> -partition <backup_partition> -password <password> [-replace] [-smkonly] [-objects] [-debug] [-force]

Argument(s) Shortcut Description
-debug -deb Turn on additional error information (optional).
-force -f Force action with no prompting.
-objects <object_handles> -o

Select specific individual objects to restore by specifying their object handles using any of the following methods:

>a single object handle

>0 or all, to indicate that all objects are to be extracted

>a list of handles, separated by commas. For example: -objects 3,4,6

This option requires Luna HSM Client 10.3.0 or newer, and gives the capability to restore selected objects from a backup HSM.

-partition <backup_partition> -par Partition on the backup device (maximum length of 64 characters).
-password <password> -pas User password for the specified partition.
-replace -r

Allow objects in the target user partition with the same OUID as the backup objects to be deleted and replaced. Objects with the same OUID are replaced only if they differ from the backup objects in some way. For example, if the object attributes have changed since the last backup, the object is replaced.

CAUTION!   The -replace option is deprecated and has been removed in Luna HSM Client 10.7.0 and newer. If you wish to restore an earlier version of an object, Thales recommends deleting the object(s) manually before restoring the partition from backup.

Ensure that the target partition can receive objects from the backup HSM before deleting objects or using partition archive restore with the -replace option; the cloning protocol may prevent objects from being restored, even if LunaCM states that X objects will be restored. This may occur if HSM policy 55: Enable Restricted Restore was enabled on the Luna Backup HSM 7 since the original backup was taken. If your partition is on an HSM with firmware older than Luna HSM Firmware 7.7.0, you must update to 7.7.0 or newer to restore objects from this backup.

-slot <see description> -s

Target slot containing the backup device. It can be specified by any of the following:

><slot number>, if the backup slot is in the current system.

>direct, to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5).

-smkonly -smk

Restore the SKS Master Key (SMK) without objects.

This option applies to Luna HSM Firmware 7.7.0 and newer.

Example

lunacm:> partition archive restore -slot 6 -password Pa$$w0rd -partition mybackupPar

        Logging in to partition mybackupPar on slot 6 as the user.

        Verifying that all objects can be restored...

        1 object will be restored.

        Restoring objects...
        Cloned object 50 from partition mybackupPar (new handle 39).

        Restore Complete.

        1 objects have been restored from partition mybackupPar on slot 6. 

Command Result : No Error
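The caution under -replace notes that the cloning protocol can stop objects from being restored even after LunaCM announces how many it will restore, so a script that drives this command should not trust any single line of the output. The checker below is an added example, not Thales code: it parses a transcript in the format of the example above and reports success only when the announced count, the number of "Cloned object" lines and the final summary all agree and the command result is "No Error". The first transcript is the page's own example with the password masked; the second is constructed to show a shortfall and assumes the output keeps the same line formats in that case.

```python
"""Check a LunaCM 'partition archive restore' transcript (added example, not Thales code)."""
import re
from typing import Dict, List, Tuple

# Transcript from the page's own example (password masked).
PAGE_TRANSCRIPT = """\
lunacm:> partition archive restore -slot 6 -password ******** -partition mybackupPar

        Logging in to partition mybackupPar on slot 6 as the user.

        Verifying that all objects can be restored...

        1 object will be restored.

        Restoring objects...
        Cloned object 50 from partition mybackupPar (new handle 39).

        Restore Complete.

        1 objects have been restored from partition mybackupPar on slot 6.

Command Result : No Error
"""

# Constructed transcript: three objects announced, only two cloned (line formats assumed unchanged).
SHORTFALL_TRANSCRIPT = PAGE_TRANSCRIPT.replace(
    "1 object will be restored.", "3 objects will be restored."
).replace(
    "Cloned object 50 from partition mybackupPar (new handle 39).",
    "Cloned object 50 from partition mybackupPar (new handle 39).\n"
    "        Cloned object 51 from partition mybackupPar (new handle 40).",
).replace("1 objects have been restored", "2 objects have been restored")

_PLANNED = re.compile(r"(\d+) objects? will be restored")
_CLONED = re.compile(r"Cloned object (\d+) from partition (\S+) \(new handle (\d+)\)")
_SUMMARY = re.compile(r"(\d+) objects? have been restored from partition (\S+) on slot (\d+)")
_RESULT = re.compile(r"^Command Result : (.+?)\s*$", re.M)


def parse_restore_output(text: str) -> Dict[str, object]:
    """Pull the announced count, each cloned (source handle, new handle) pair,
    the summary line and the command result out of a LunaCM transcript."""
    planned = _PLANNED.search(text)
    summary = _SUMMARY.search(text)
    result = _RESULT.search(text)
    cloned: List[Tuple[int, int]] = [(int(src), int(dst)) for src, _, dst in _CLONED.findall(text)]
    return {
        "planned": int(planned.group(1)) if planned else None,
        "cloned": cloned,
        "restored": int(summary.group(1)) if summary else None,
        "partition": summary.group(2) if summary else None,
        "slot": int(summary.group(3)) if summary else None,
        "result": result.group(1) if result else None,
    }


def restore_succeeded(text: str) -> bool:
    """True only when LunaCM reports no error and every announced object was actually cloned."""
    p = parse_restore_output(text)
    return (
        p["result"] == "No Error"
        and p["planned"] is not None
        and p["planned"] == p["restored"] == len(p["cloned"])
    )


if __name__ == "__main__":
    for name, text in (("page example", PAGE_TRANSCRIPT), ("shortfall", SHORTFALL_TRANSCRIPT)):
        p = parse_restore_output(text)
        print(f"{name}: planned={p['planned']} cloned={len(p['cloned'])} "
              f"restored={p['restored']} result={p['result']} ok={restore_succeeded(text)}")
```

Feed it the captured LunaCM output and treat a False return as a restore that needs investigation (for example, a changed restore policy on the Backup HSM, or a target partition at older firmware), rather than relying on "Restore Complete" alone.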