Backing Up k570 Root of Trust Keys

The Thales CipherTrust Manager k570 appliance embeds a Luna PCIe HSM, to act as root of trust, storing root of trust keys in a partition.

For redundancy, you can backup the root of trust keys from a password-authenticated Luna PCIe HSM to a Luna Backup HSM. You can then restore the root of trust keys on to a different Thales CipherTrust Manager k570 appliance to meets the required configuration.

Supported Luna Backup HSMs are:

• Luna Backup HSM 7 v1

• Luna Backup HSM 7 v2

• Luna Backup HSM G5

High-level workflow:

1. Fulfill the prerequisites, including ensuring the target k570 to restore to meets the required configuration.

2. Establish connections between all the devices, client workstation, source k570, and Luna Backup HSM.

3. Backup the root of trust keys.

4. Establish connections between all the devices, client workstation, target k570, and Luna Backup HSM.

5. Restore the root of trust keys to a new k570.

Prerequisites

• You require ksadmin level access to the CipherTrust Manager with an SSH key.

• Obtain Luna HSM Client from the Thales customer support portal.

  We recommend version 10.4.0 or higher, for full compatibility with all Luna Backup HSM models and the k570.

• Make sure the target CipherTrust Manager k570 to be restored to meets the required configuration.

Required Target Thales CipherTrust Manager k570 Configuration

Before you can restore keys into a CipherTrust Manager k570 appliance, you must ensure that there are no root of trust keys already present on the Luna PCI HSM.

New k570 Appliance

For a new k570 appliance which has never been deployed:

1. Proceed with Thales CipherTrust Manager k570 physical appliance deployment, including initializing the Luna PCIe HSM partition.

2. Do not setup the root of trust HSM before restoring root of trust keys.

   If you have set up the root of trust HSM, follow the steps for existing k570 appliance.

Existing k570 Appliance

For a k570 which has a root of trust HSM configured, or has ever contained data such as keys or users:

1. Perform a system backup to retain any keys or users. Do not use the tied to HSM option.

2. Perform a system reset of the appliance.

3. As the Crypto Officer, log into the partition and delete any keys remaining on the Luna PCIe HSM partition.

   1. SSH in as ksadmin, and execute "/usr/safenet/lunaclient/bin/lunacm" utility.

   2. Find and login to the User Token Slot.

      lunacm:> slot list
      

      Notice the slot with the slot description "User Token Slot".

      lunacm:> slot set -slot <slot number of user-token-slot>
      

   3. Login as the Crypto Officer.

      lunacm:> role login –name co
      

   4. Clear all the keys present in the partition. You are prompted to confirm.

      lunacm:> partition clear
      

   5. List the partition contents to make sure there are no objects remaining.

      lunacm:> partition contents
      

   6. Exit the lunacm utility.

Required Network Setup

With the Luna PCIe HSM and a LunaCM client embedded in the Thales CipherTrust Manager k570 appliance and hardened USB access, backup and restore requires a specific networking setup for all components.

You must install the Remote Backup Server (RBS) on a workstation. RBS acts as a client to the Luna Backup HSM, and the Luna PCIe HSM acts as a client to RBS. RBS connects to the Luna Backup HSM through a local USB connection. The k570 PCIe HSM uses the vtl utility to connect to RBS over port 1792.

Establish connections

1. Use the provided USB cable to connect the Luna Backup HSM to the client workstation.

2. Install Luna HSM Client on your client workstation, including the Backup component.

3. Find the rbs program included in the Luna client installation.

   The default path on Windows is C:\Program Files\SafeNet\LunaClient\rbs.exe, and the default path on Linux is /usr/safenet/lunaclient/rbs/bin.

4. Run the command rbs --config to select the Luna Backup HSM device.

   When you have specified your selection, enter X to exit the configuration tool.

5. If a server key and password don't exist for RBS, generate a new key with command rbs --genkey and enter a new RBS password when prompted.

   The certificate is generated in:

   • Linux/UNIX: <LunaClient_install_directory>/rbs/server/server.pem

   • Windows: <LunaClient_install_directory>\cert\server\server.pem

6. Start the rbs server on port 1792 with the command rbs s -port 1792. Enter the RBS password that you created in the previous step.

7. Securely transfer the server.pem certificate on the client workstation to the CipherTrust Manager k570 using scp. The certificate is located at C:\Program Files\SafeNet\LunaClient\certs\server\server.pem.

8. SSH into the CipherTrust Manager k570 as ksadmin.

9. Change into the directory containing the vtl utility. The vtl utility is located at /usr/safenet/lunaclient/bin/vtl.

10. Use vtl to connect the Luna PCIe HSM to the RBS client workstation.

    ./vtl addserver -n <client_workstation_ip_address> -c <path_to_the_server.pem>
    

11. Verify the Luna Backup HSM is visible with vtl.

    ./vtl listservers
    

Back up the Root of Trust Keys

1. Establish connections between all the devices, client workstation, source k570, and Luna Backup HSM.

2. Still in an SSH session as ksadmin, execute "/usr/safenet/lunaclient/bin/lunacm" utility.

3. Identify the three visible slots, and note the displayed Slot Id for each slot. The Slot Description field indicates each slot's purpose.

   • User Token Slot contains the k570 root of trust keys, and is the authorization point for access to the keys.

   • Admin Token Slot is the slot for configuring Luna PCIe HSM overall.

   • Net Admin Token SLot indicates the Luna Backup HSM device.

4. Switch to the slot for the User Token Slot.

   slot set -s <user_token_slot_id>
   

5. Login as the Crypto Officer. Use the password or challenge secret configured during deployment.

   role login -n co -p <crypto_officer_password>
   

6. Backup the partition contents, including root of trust keys, to the Luna Backup HSM. This process creates a new partition on the Luna Backup HSM. You set a security officer password for the Backup HSM, and set a partition name, cloning domain, and partition password for the new partition.

   partition archive backup -s <net_admin_token_slot> -partition <a_backup_partition_name> -do <cloning_domain_name> -sop <backup_hsm_security_officer_password> -pas <partition_password_on_backup>
   

Restore the Root of Trust Keys to a Different k570 Appliance

1. Establish connections between all the devices, client workstation, target k570, and Luna Backup HSM.

2. Still in an SSH session as ksadmin, execute "/usr/safenet/lunaclient/bin/lunacm" utility.

3. Identify the three visible slots, and note the displayed Slot Id for each slot. The Slot Description field indicates each slot's purpose.

   • User Token Slot is the target slot which will contain the k570 root of trust keys, and act as the authorization point for access to the keys.

   • Admin Token Slot is the slot for configuring Luna PCIe HSM overall.

   • Net Admin Token SLot indicates the Luna Backup HSM device.

4. Switch to the slot for the User Token Slot.

   slot set -s <user_token_slot_id>
   

5. Login as the Crypto Officer. Use the password or challenge secret configured during deployment.

   role login -n co -p <crypto_officer_password>
   

6. Restore the root of trust keys from the backup device slot. Provide the backup HSM's partition name, cloning domain, security officer password, and partition password values set during backup.

   partition archive restore -s <net_admin_token_slot> -partition <the_backup_partition_name> -do <cloning_domain_name> -sop <security_officer_password> -pas <partition_password_on_backup>
   

7. Proceed to configure the Luna PCIe as the Root of Trust.

   You require the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure.

   Note

   If your backup file contained multiple root of trust keys, by default the oldest root of trust key becomes active.

8. (Optional) If you have restored multiple root of trust keys, you can rotate the active key to the newest root of trust key, if desired.