Migrating to/from CloudHSM
It is possible to migrate from an on-premise Primus HSM setup to CloudHSM, and vice versa.
In all cases, the steps are as follows:
- On the source HSM:
  - As Device Security Officer (SO), create a Partition Backup Card (yellow card).
  - As Device SO, enable Partition Administration and onboard the Partition Security Officer (PSO, green card). This requires a Decanus Terminal.
  - As PSO, create a Partition Backup.
- On the target HSM:
  - As Device SO, restore the Partition Backup. This requires the backup file, the backup password, and the Partition Backup Card.
Which HSM is the source and which is the target depends on the direction of the migration. When migrating from CloudHSM to an on-premise Primus HSM, the steps on the source HSM are done by Securosys on CloudHSM, and the steps on the target HSM are done by the customer on the on-premise Primus HSM. When migrating in the other direction, the roles are reversed.
References
For detailed instructions, see the Knowledge Base Articles on the Support Portal:
Limitations
- It is recommended to migrate only between production instances.
- It is not possible to migrate a Partition from CloudHSM Sandbox (SBX) to one of the full-production CloudHSM environments (like ECO).
- It is not possible to migrate between HSM clusters running FIPS/CC-certified firmware and normal firmware (see this Knowledge Base Article).