Migrating the HSM Key Material from PKCS#11 R1 to PKCS#11 R2
The following provides instructions for migrating the HSM key material from PKCS#11 R1 to PKCS#11 R2. For more information on migrating to FIPS mode, see Migrating the HSM to certified FIPS (Federal Information Processing Standards) mode.
Background
Since its firmware version 3.3.0, the Hardware Appliance supported two versions of the Hardware Security Module (HSM) PKCS#11 Stack: The versions PKCS#11 R1 and PKCS#11 R2. The vendor of the HSM, however, has deprecated PKCS#11 R1. The successor PKCS#11 R2 has by now reached a high degree of maturity.
As of Hardware Appliance Firmware version 3.6.0, PrimeKey offers a migration process. You can migrate your HSM key material from PKCS#11 R1 into PKCS#11 R2. Thus, you can prepare for the future and leave behind deprecated software stacks.
The migration is possible on old hardware as well as on new hardware. The following sections lead you through the individual steps of the migration and also name its limitations.
Restriction of PKCS#11 R1
Operating the Hardware Appliance in certified FIPS mode is only possible with the HSM version PKCS#11 R2. The migration process described below therefore offers the two migration steps in one: When you activate the option Migrate PKCS#11 R1 you can also activate the option Migrate HSM key material into FIPS mode.
For more information on migrating into FIPS mode, see Migrating the HSM to certified FIPS (Federal Information Processing Standards) mode.
Determine the PKCS#11 version
Proceed as follows to find out your current PKCS#11 version.
On your Hardware Appliance, go to the WebConf tab HSM > Overview. You will find the PKCS#11 version in the line PKCS#11 Variant:
Migrating the HSM key material
The migration of HSM key material is implemented as a restore migration. You migrate your HSM key material by restoring a Hardware Appliance from a backup.
To migrate your HSM key material:
- Shut down your application/operation.
Go to the WebConf tab Backup > Manual Backup and create a backup of the Hardware Appliance.
Perform the installation steps described in the section Initial Setup, starting with Step 1: External Erase and Factory Reset.
When the WebConf wizard starts, select the option Restore system from backup:
Set the date and time and select the backup file that you want to use:
Enter the Domain Master Secret that secures the backup and click Verify:
The option Migrate PKCS#11 R1 appears. Activate it to confirm the migration.
With the activation of Migrate PKCS#11 R1 the option Migrate HSM key material into FIPS mode appears. Activate the option if you want to load and activate the FIPS firmware module during the backup process:
For more information refer to the section Migrating the HSM to certified FIPS (Federal Information Processing Standards) mode.Click Restore system using this backup to continue the usual Restore system from backup procedure. The actual migration is performed in the background.
You can use any PKCS#11 R1 Hardware Appliance backup for the migration. There is no need to upgrade your system to the 3.6.0 Hardware Appliance Firmware first. This means that you can first try out the migration on dedicated hardware with an old backup. In a next step, you can then perform the migration and plan for downtime.
Migrating in a cluster
Also in a cluster, the procedure is identical to a normal backup and restore cycle in a cluster.
To migrate in a cluster:
- Take down the entire cluster node by node
- Update the Hardware Appliance software
- Restore the backup to node 1 and then rebuild the cluster by adding the other nodes with new cluster setup bundles.