Luna PCIe HSM 5.x/6.x or Luna USB HSM 6.x to Luna PCIe HSM 7

This chapter describes how to migrate your key material from a release 5.x or 6.x Luna PCIe HSM or Luna USB HSM partition to a Luna PCIe HSM 7 partition. You can migrate your key material using one of the following three methods:

>Backup and Restore

>Cloning

>Cloning Using an HA Group

TIP   When cloning objects (by direct clone command, by backup/restore, or by synchronization in an HA group) between 5.x or 6.x HSMs and 7.x HSMs, the common domain between the HSMs must be the designated primary domain on any HSM that is at firmware version 7.8.0 or newer.

This is because the cloning protocol on HSMs prior to firmware 7.8.0 is unaware of the ability to have multiple domains and therefore the older HSM can interact with only the primary domain on the firmware 7.8.0+ HSM. So, if the domain of the old HSM exists on the firmware 7.8.0-and-newer HSM, set that domain to be Primary before cloning.

Backup and Restore

Cryptographic key material can be backed up and then restored to a Luna PCIe HSM 7 partition using a Luna Backup HSM.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To back up and restore cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For multifactor quorum-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

NOTE   Universal Cloning made this process both easier and broader in scope. Among other things, it allows a partition with Luna HSM Firmware 7.8.0 (or newer), accessed by Luna HSM Client 10.5.0 (or newer), to hold up to three cloning domains, which can be

>a text string domain secret for password-authenticated partitions or Luna Cloud HSM services,

>a red PED key domain secret for multifactor quorum-authenticated HSM partitions, or

>any combination of the two.

The 7.x client software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

Preconditions

The following instructions assume that:

>the 10.x client software has been installed

>an uninitialized partition has been created on the 7.x HSM

>the source and destination partitions are both registered with the client (visible)

>the source partition's security policy allows cloning of private and secret keys

In the following example:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

>Slot 2: the Backup HSM partition

NOTE   Partition login name requirements have changed with the hardware versions. With release 7.x, you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To migrate cryptographic keys from a 5.x/6.x partition to a 7.x partition using a Backup HSM

Follow these steps to back up all cryptographic material on a 5.x/6.x partition to a Backup HSM, and restore to a new 7.x partition.

1. Run LunaCM, set the current slot to the 7.x partition (slot 1 in this example), and initialize the partition and the Partition SO role.

slot set -slot 1

partition init -label <7.x_partition_label>

a. If you are backing up a multifactor quorum-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b. If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2. Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are backing up a multifactor quorum-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.

role createchallenge -name co -challengesecret <password>

3. Connect your Backup HSM and make sure it is visible to the client, along with the 5.x/6.x and 7.x HSMs.

4. Set the current slot to the source 5.x/6.x slot.

slot list

slot set -slot 0

5. Log in as the Crypto Officer.

NOTE   Be mindful of whether you're working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names: type Crypto Officer in full (the name is case-sensitive), not co.

a. If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b. If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up), use:

role login -name "Crypto Officer"

6. Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the partition contents command.

partition contents

7. Back up the 5.x/6.x partition contents to the Backup HSM.

partition archive backup -slot 2 -partition <backup_label>

a. If you are backing up a multifactor quorum-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b. If you are backing up a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

Optionally, verify that all objects were backed up successfully on the Backup HSM by checking the partition contents.

8. Set the current slot to the 7.x partition, log in as the Crypto Officer, and restore from backup.

slot set -slot 1

role login -name co

partition archive restore -slot 2 -partition <backup_label>

Afterwards, you can verify the partition contents on the 7.x partition:

partition contents

Cloning

The simplest method of migrating key material to a new 7.x partition is slot-to-slot cloning. This procedure copies all permitted cryptographic material from a 5.x/6.x Luna PCIe HSM or Luna USB HSM partition to a Luna PCIe HSM 7 partition.

NOTE   The Luna cloning protocol has been updated several times since the previous generation of Luna HSMs, for standards compliance and added security. If you are planning to migrate your key material from a Luna 5/6 in FIPS mode to a Luna 7 HSM in FIPS mode, you must use an intermediate firmware version before updating to Luna HSM Firmware 7.7.1 or newer. Thales recommends migrating to a Luna Network HSM 7 with one of the following FIPS-validated firmware versions:

>Luna HSM Firmware 7.3.3

>Luna HSM Firmware 7.0.3

After the migration process is complete, you can update the Luna Network HSM 7 to Luna HSM Firmware 7.7.1 or newer (see Updating the Luna PCIe HSM 7 Firmware).

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For multifactor quorum-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

The Luna HSM Client 7/10 software should be installed, and the connection to both the source and destination partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

If the source partition contains asymmetric keys, its security policy must allow cloning of private and secret keys. Use lunacm:> partition showpolicies to ensure that your source partition's security template allows this. If the 5.x/6.x HSM's security template does not allow cloning of private/secret keys, the HSM Admin may be able to turn this feature on using lunacm:> partition changepolicy.

CAUTION!   Check your source partition policies and adjust them to be sure you can clone private and symmetric keys. Depending on the configuration of your partition and HSM, changing these policies may be destructive.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x Luna Network HSM 7

>the destination 7.x partition is registered with the client (visible)

>the source 5.x/6.x partition's security policy allows cloning of private and secret keys

In the following examples:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

NOTE   Partition login name requirements have changed with the hardware versions. With release 7.x, you can log in using the abbreviated PO (Partition Security Officer) or CO (Crypto Officer).

To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition (pre-firmware 7.8.0)

Follow these steps to clone all cryptographic material on a 5.x/6.x partition to a 7.x partition.

1. Run LunaCM, set the current slot to the 7.x partition, and initialize the Partition SO role.

slot list

slot set -slot 1

partition init -label <7.x_partition_label>

a. If you are cloning a multifactor quorum-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b. If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2. Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are cloning a multifactor quorum-authenticated 5.x/6.x partition, you can create an optional challenge secret for the Crypto Officer.

role createchallenge -name co -challengesecret <password>

3. Set the current slot to the source 5.x/6.x slot, and log in as the Crypto Officer.

slot set -slot 0

NOTE   Be mindful of whether you're working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names: type "Crypto Officer" in full (the name is case-sensitive), not "co".

a. If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b. If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up), use:

role login -name "Crypto Officer"

4. Optional: To verify the objects in the 5.x/6.x partition to be cloned, issue the partition contents command.

partition contents

5. Clone the objects to the 7.x partition slot (see partition clone for the correct syntax).

partition clone -objects 0 -slot 1

Afterward, you can set the current slot to the 7.x partition and verify that all objects have cloned successfully.

slot set -slot 1

role login -name co -password <password>

partition contents

You should see the same number of objects that existed on the 5.x/6.x HSM. You can now decommission the old 5.x/6.x HSM.

To clone partition objects from an on-premises multifactor quorum-authenticated partition to an on-premises password-authenticated partition using Luna HSM Firmware 7.8.0 or newer

Requires Luna HSM Client 10.5.0 or newer.

This procedure is for:

>an on-premises multifactor quorum-authenticated Luna Network HSM 7 partition as the source, which could be used for a routine cloning between two HSM partitions that are at Luna HSM Firmware 7.8.0 or newer, or for migration cloning of keys and objects from a legacy HSM partition (firmware 5.x, 6.x) or from firmware older than Luna HSM Firmware 7.8.0.

>an on-premises password-authenticated Luna Network HSM 7 partition as the target (at Luna HSM Firmware 7.8.0 or newer).

1. Ensure that the two partitions can both use a common cloning protocol.

a. If the source has partition policy 42 - Enable CPv1 set ON (or has firmware earlier than Luna HSM Firmware 7.7.0, so that CPv1 is its only protocol), CPv1 is chosen and the other protocols are disabled; this imposes restrictions on operations. Check the policy with:

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

b. If partition policy 42 - Enable CPv1 is OFF, the partitions attempt to negotiate a common cipher suite; this is preferred when available.

c. If CPv1 has not been forced, but all CPv4 cipher suites have been disabled on one of the participating partitions, only CPv3 remains, because a common CPv4 cipher suite cannot be negotiated.

2. Ensure that the source and target partitions have a cloning domain in common.

a. If the source is a Luna HSM Firmware 7.8.0 or newer partition, it can accept the target's domain string (password-authenticated) into the multifactor quorum-authenticated source partition, which avoids having to connect a Luna PED to the target. In that case, skip to step d; otherwise, go to step b.

b. If the source multifactor quorum-authenticated partition is at any firmware version older than Luna HSM Firmware 7.8.0, it cannot have more than one domain, so its PED key secret must be brought to the target: connect a Luna PED locally to the password-authenticated target.

c. In LunaCM, set the active slot to the target partition and log in as Partition SO.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

d. View the partition domains and note their labels.

lunacm:> partition domainlist

e. If the two partitions share a common domain, proceed to cloning.

f. If the two partitions do not share a common domain, make room if necessary by deleting one domain you can do without.

lunacm:> partition domaindelete

g. Add a domain that matches one from the other partition.

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3. In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4. [Optional] View the partition objects and their object handles.

lunacm:> partition contents

5. Clone objects on the partition to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

6. [Optional] You can retain an added domain on a partition as long as it remains useful, that is:

>as long as the partition contains objects encrypted under that particular domain, or

>while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Otherwise, you can delete a domain using partition domaindelete if it is no longer needed.

To clone partition objects from an on-premises password-authenticated partition to an on-premises multifactor quorum-authenticated partition using Luna HSM Firmware 7.8.0 or newer

Requires Luna HSM Client 10.5.0 or newer.

This procedure is for:

>an on-premises password-authenticated Luna Network HSM 7 partition as the source, which could be used for a routine cloning between two HSM partitions that are at Luna HSM Firmware 7.8.0 or newer, or for migration cloning of keys and objects from a legacy HSM partition (firmware 5.x, 6.x) or from firmware older than Luna HSM Firmware 7.8.0.

>an on-premises multifactor quorum-authenticated Luna Network HSM 7 partition as the target (at Luna HSM Firmware 7.8.0 or newer).

1. Ensure that the two partitions can both use a common cloning protocol.

a. For HSMs (both legacy and 7.x) with firmware before Luna HSM Firmware 7.7.0, only protocol CPv1 is available.

b. For Luna HSM Firmware 7.7.1 and newer, if partition policy 42 - Enable CPv1 is ON, that protocol is chosen and the others are disabled. Check the policy with:

lunacm:> slot set -slot <slotnum>

lunacm:> partition showpolicies

c. If partition policy 42 - Enable CPv1 is OFF, the partitions attempt to negotiate a common cipher suite; this is preferred when available.

d. If CPv1 has not been forced, but all CPv4 cipher suites have been disabled on one of the participating partitions, only CPv3 remains, because a common CPv4 cipher suite cannot be negotiated.

2. Ensure that the source and target partitions have a cloning domain in common.

a. In LunaCM, set the active slot to the target multifactor quorum-authenticated partition and log in as Partition SO (po).

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

b. View the partition domains and note their labels.

lunacm:> partition domainlist

c. If the two partitions share a common domain, proceed to cloning.

d. If the two partitions do not share a common domain, make room if necessary by deleting one domain you can do without on the target partition.

lunacm:> partition domaindelete

e. Add a domain that matches one from the source partition.

lunacm:> partition domainadd -domain <text domain secret> -domainlabel <label of the text domain being duplicated>

3. In LunaCM, set the active slot to the source partition and log in as Crypto Officer.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name co

4. [Optional] View the partition objects and their object handles.

lunacm:> partition contents

5. Clone objects on the current partition to the target partition by specifying the target slot. You can choose which objects to clone by specifying a comma-separated list of object handles, or specify all to clone all objects on the partition. Present the target partition's Crypto Officer credential when prompted.

lunacm:> partition clone -slot <slotnum> -objects <comma-separated_list/all>

The specified objects are cloned to the target partition. Any objects that already exist on the target are not cloned.

6. [Optional] You can retain an added domain on a partition as long as it remains useful, that is:

>as long as the partition contains objects encrypted under that particular domain, or

>while you think the current partition might clone (as source or as target) objects with a partition or service using that domain.

Otherwise, you can delete a domain using partition domaindelete if it is no longer needed.
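The protocol-selection and common-domain rules in the two procedures above (and the primary-domain tip at the start of this chapter) can be checked before touching either HSM. The following Python pre-flight checker is an added example and is not a Thales tool or part of this guide; it assumes you have already read each partition's firmware version, its partition policy 42 state and CPv4 cipher-suite state (from partition showpolicies), and its domain list with the primary first (from partition domainlist), and entered them into the constructed Partition descriptors. The firmware thresholds 7.7.0, 7.8.0 and the three-domain limit are taken from this chapter; treating cipher-suite negotiation as "any CPv4 suite enabled on both sides" is a simplification.

```python
"""Pre-flight check for Luna partition cloning (added example, not a Thales tool).

Encodes the rules stated in this guide: cloning-protocol selection (policy 42 /
CPv1, CPv3, CPv4 negotiation), the shared-cloning-domain requirement, and the
rule that a pre-7.8.0 peer can only use the *primary* domain of a 7.8.0+ partition.
Partition descriptors are constructed sample data; the real values come from the
HSM firmware version, `partition showpolicies` and `partition domainlist`.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CPV1_ONLY_BELOW = (7, 7, 0)    # pre-7.7.0 firmware (all 5.x/6.x included) speaks only CPv1
MULTI_DOMAIN_FROM = (7, 8, 0)  # 7.8.0+ partitions can hold up to three cloning domains
MAX_DOMAINS = 3


@dataclass
class Partition:
    label: str
    firmware: tuple                   # (major, minor, patch), e.g. (7, 8, 0)
    domains: List[str]                # cloning domains; domains[0] is the primary domain
    cpv1_forced: bool = False         # partition policy 42 - Enable CPv1 is ON
    cpv4_suites_enabled: bool = True  # False once every CPv4 cipher suite is disabled

    def __post_init__(self):
        # A pre-7.8.0 partition holds exactly one domain (the one set at init).
        if self.firmware < MULTI_DOMAIN_FROM and len(self.domains) != 1:
            raise ValueError(f"{self.label}: pre-7.8.0 firmware holds exactly one domain")
        if len(self.domains) > MAX_DOMAINS:
            raise ValueError(f"{self.label}: at most {MAX_DOMAINS} domains")


@dataclass
class CloneCheck:
    ok: bool
    protocol: Optional[str] = None
    domain: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def select_protocol(a: Partition, b: Partition) -> str:
    """Cloning protocol the pair ends up with, per the policy-42 / firmware rules."""
    for p in (a, b):
        if p.firmware < CPV1_ONLY_BELOW or p.cpv1_forced:
            return "CPv1"  # only protocol available, or forced by policy 42 (others disabled)
    # Otherwise cipher suites are negotiated: CPv4 is preferred; if one side has every
    # CPv4 suite disabled, only CPv3 remains. (Simplified to "any CPv4 suite enabled".)
    return "CPv4" if a.cpv4_suites_enabled and b.cpv4_suites_enabled else "CPv3"


def common_domain(a: Partition, b: Partition) -> Optional[str]:
    """A domain both partitions can clone under, honouring the primary-domain rule."""
    shared = [d for d in a.domains if d in b.domains]
    if not shared:
        return None
    # A pre-7.8.0 partition is unaware of multiple domains, so it can only interact with
    # the primary domain of a 7.8.0+ partition: the shared domain must be primary there.
    for old, new in ((a, b), (b, a)):
        if old.firmware < MULTI_DOMAIN_FROM <= new.firmware:
            return old.domains[0] if new.domains[0] == old.domains[0] else None
    return shared[0]


def check_clone(source: Partition, target: Partition) -> CloneCheck:
    """Report whether `source` can clone to `target`, and what to fix if it cannot."""
    result = CloneCheck(ok=True, protocol=select_protocol(source, target))
    if result.protocol == "CPv1":
        result.findings.append("CPv1 in use: legacy protocol, imposes restrictions on operations")
    dom = common_domain(source, target)
    if dom is not None:
        result.domain = dom
        return result
    result.ok = False
    shared = set(source.domains) & set(target.domains)
    if shared:
        # A shared domain exists but is not primary on the 7.8.0+ side.
        new = target if target.firmware >= MULTI_DOMAIN_FROM else source
        result.findings.append(
            f"make domain '{sorted(shared)[0]}' the primary domain on {new.label} before cloning")
        return result
    # No common domain: only a 7.8.0+ partition can add one (deleting a spare domain
    # first with partition domaindelete if all three are in use).
    fixable = [p for p in (source, target) if p.firmware >= MULTI_DOMAIN_FROM]
    if not fixable:
        result.findings.append("no common domain and neither partition can add one (both pre-7.8.0)")
        return result
    p = fixable[0]
    cmd = "partition domainadd" if len(p.domains) < MAX_DOMAINS else "partition domaindelete, then partition domainadd"
    result.findings.append(f"no common domain: on {p.label} run {cmd} to add a domain matching the other partition")
    return result


if __name__ == "__main__":
    # Constructed sample: 6.x source, 7.8.0 target whose shared domain is not primary.
    legacy = Partition("legacy-6x", (6, 22, 0), ["dom-A"])
    pcie7 = Partition("pcie7", (7, 8, 0), ["dom-B", "dom-A"])
    print(check_clone(legacy, pcie7))
```

Run the check once per source/target pair before initializing or adding domains; a failing result names the side that needs a domainadd, a domaindelete, or a primary-domain change, while a CPv1 finding only flags the operational restrictions that the legacy protocol imposes.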

Cloning Using an HA Group

High Availability (HA) groups duplicate key material between the HSMs in the group. This function can be used to copy all cryptographic key material from a 5.x/6.x Luna PCIe HSM or Luna USB HSM partition to a new Luna PCIe HSM 7 partition.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For multifactor quorum-authenticated HSMs, the red key determines the cloning domain. You will need the same red PED key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see Initializing an Application Partition).

The Luna HSM Client 7/10 software should be installed, and the connection to both the source and destination HSM partitions verified, before attempting this procedure (see Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use slot list to ensure both partitions are visible to the client.

NOTE   It is not recommended to maintain an HA group with different versions of the Luna Network HSM 7 hardware.

Preconditions

The following instructions assume that:

>the 7.x client software has been installed

>an uninitialized partition has been created on the 7.x Luna Network HSM 7

>the source and destination partitions are both registered with the client (visible)

In the following examples:

>Slot 0: the source 5.x/6.x partition

>Slot 1: the destination 7.x partition

NOTE   Partition login name requirements have changed between hardware versions. With release 7.x, you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition using an HA group

Follow these steps to copy cryptographic material from a 5.x/6.x partition to a new 7.x partition by creating an HA group that includes both partitions.

1. Run LunaCM, set the current slot to the 7.x partition, and initialize the Partition SO role.

slot set -slot 1

partition init -label <7.x_partition_label>

a. If you are cloning a multifactor quorum-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b. If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2. Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are cloning a multifactor quorum-authenticated 5.x/6.x partition, create a challenge secret for the Crypto Officer. This is required to set an HA activation policy.

role createchallenge -name co -challengesecret <password>

3. Set the current slot to the source 5.x/6.x slot, and log in as the Crypto Officer.

slot set -slot 0

NOTE   Be mindful of whether you're working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names: type Crypto Officer in full (the name is case-sensitive), not co.

a. If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b. If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up), use:

role login -name "Crypto Officer"

4. Optional: To verify the objects in the 5.x/6.x partition to be cloned, use:

partition contents

5. Using LunaCM, create an HA group of the 5.x/6.x slot and the 7.x slot.

NOTE   HA requires that all members have an activation policy set. See Activation on Multifactor Quorum-Authenticated Partitions for details.

a. Via LunaSH, log in as Security Officer and set policy 22 on the 5.x/6.x partition:

partition changepolicy -partition <5.x_partition_label> -policy 22 -value 1

b. In LunaCM, log in to the 7.x partition as Partition Security Officer, and set the activation policy from the client machine:

slot set -slot 1

role login -name po

partition changepolicy -policy 22 -value 1

c. Create the HA group with the 5.x/6.x partition as the primary partition. Select the "copy" option to preserve objects.

hagroup creategroup -label <group_label> -slot 0 -password <password>

d. Add the 7.x partition slot to the HA group. Repeat this step to add multiple 7.x partitions to the group.

hagroup addmember -group <group_label> -slot 1 -password <password>

6. Synchronize the group to clone the objects to the 7.x member(s).

hagroup synchronize -group <group_label> -password <password>

7. Check the synchronization status of the group.

hagroup listgroups

Notice the entry "Needs sync: no". This means that the objects have been successfully cloned among all members of the HA group. You can also log in to the 7.x slot as the Crypto Officer and check the partition contents.