
Primus HSM - Backup and Restore

Backup and restore functionality in the Primus HSM is essential for maintaining operational resilience and ensuring that critical cryptographic material, configurations, and audit data can be recovered in the event of hardware failure, misconfiguration, or data loss. Regular backups help safeguard against unexpected incidents and support business continuity, especially in regulated or high-security environments.

This chapter explains the types of backups available, their contents, and the procedures for securely restoring data to the original or a replacement device. Understanding the backup and restore process is vital for secure lifecycle management of the HSM.

The purpose of a backup is to allow restoration of device data that was previously saved, ensuring continuity in case of failure or loss. Backups must be stored securely and are protected by a Restore Password to prevent unauthorized access. Operational procedures must ensure the safe handling and storage of backup files.

By default, a backup can only be restored to the device it was created on. Restoring it to a different device additionally requires the Restore Encryption PIN (REP) of the original device.

The following table outlines the available backup types and the data each includes:

Table: Primus HSM backup types and data

Columns: Content | Device Backup | Mgmt Backup | User Backup

Content rows:

  • User(s) (=partition) (User Backup: single user)
  • User policy configuration
  • User credentials
  • User keys, certificates, and objects
  • PSO operators
  • Security configuration
  • Network configuration
  • Master / Clone state / cluster pairing
  • SO operators
  • Decanus Device Management pairings

Overview of possible restore actions and their requirements:

Warning: After restoring a device backup, the same SO cards and associated PINs are required as before the backup. Do not overwrite or destroy your SO Cards. The SO Cards and PINs from the time of the backup remain valid after the restore.

Warning: The authentication mode before restoring MUST be equal to the authentication mode during backup.

Note: Backup and restore actions block the user API for data consistency. A non-blocking automated backup must therefore be performed on a clone that has no user client access.

Backup and Restore with Password on Primus HSM

Create Device Backup with Password

Creating a secure backup allows the administrator to preserve the HSM’s full system state, including sensitive cryptographic material. This backup can later be used to restore the system (or specific partitions) in the event of failure, re-initialization, or transfer.

Backup creation requires activating both the Security Officer (SO) and Genesis roles, and the backup must be written to connected USB or WebDAV storage. During the process, a Restore Password is generated and displayed.

Storing the Restore Password: The Restore Password must be stored securely. If the Restore Password is lost, the backup cannot be restored, resulting in permanent data loss.

Restore Device with Password

A full device restore reverts the HSM to a previously saved state using a password-protected backup. This procedure may be initiated after a factory reset or during the initial wizard. It is also available via the Decanus management interface.

Note: Before starting the restore process, ensure the device is configured with the same authentication mode as it was during the backup.

If the USB stick contains multiple backup files, the system displays a selection list (up to 8 files) from which the desired backup can be chosen.

Restore Backup on New Device with Password

In cases where the original device is no longer functional, a backup can be restored to a new Primus HSM. This procedure requires additional verification to ensure secure transfer of sensitive data across hardware.

Note: If the backup includes paired Decanus configurations, new pairing data will be written to the USB device during the restore.

To restore a backup on a new device, the following are required:

  • Genesis role on the new HSM
  • Restore Encryption PIN (REP) from the original (now obsolete) device, see Obtain Restore Encryption PIN
  • Backup file with corresponding restore password

Obtain Restore Encryption PIN

The Restore Encryption PIN (REP) is a security mechanism that enables the transfer of backup data to a different physical HSM. It serves as a secondary protection measure in case restoration must occur on hardware other than the original.

The REP can be retrieved with both the SO and Genesis roles activated, and should ideally be exported right after the initial setup of the device and stored securely for future recovery needs.

Selective Restore (Restore User)

Selective restore allows for restoring only a specific user Partition, rather than the entire HSM. This can be useful in cases where only a portion of the device's functionality needs to be recovered.

Although a full device backup is still required as the source, only the selected Partition will be restored. The process can be applied to the same HSM or a different one, provided the REP is available.

Refer to the backup types and data table at the beginning of this page for details on the contents of the User Backup.

Note: In high availability (HA) clusters, the restore must be performed on the master node. Before restoring, ensure all sessions on clone nodes are closed. Selective restore can also restore a user whose SO access was previously disabled.

Validate Restore Password

Backup validation ensures that the restore password is correct and matches the backup file and device firmware. This procedure is useful to confirm the viability of a backup without executing a full restore.

The validation process checks whether the backup file can be successfully decrypted using the restore password and system credentials. It does not perform a system restore.

Validation must be carried out on the same device where the backup was originally created.

Management Backup

Management backups are designed for administrative or regulatory use cases, such as those requiring compliance with privacy regulations like GDPR. Unlike full device backups, management backups exclude key store data (e.g., users and cryptographic keys), focusing instead on configuration and operational settings.

This feature is intended for CloudHSM providers and requires a standard backup/restore license. The creation process is nearly identical to the Create Device Backup with Password procedure, but excludes sensitive user data.

Automated Backup

Device backups can be scheduled to run periodically; configuring this requires a specific license and SO privileges.

It’s strongly recommended to create a standard device backup first, as automated backups cannot be restored directly to a new device without it. Automated backups use a dedicated, cluster-synchronized backup key, allowing selective user restoration on the Master HSM from a Clone HSM backup.

Restore Decanus Partition Backup on HSM

The Decanus Terminal Partition Administration provides the ability to back up and restore user Partitions individually. This approach is ideal for Partition-level migrations or targeted recovery. The process requires a Partition Backup Card to be created.

The Partition Backup Card can be created at any time, but requires the 2FA authentication mode to be enabled, SO rights, and Partition management enabled on the specific Partition.

This method enables seamless Partition transfer between devices (or CloudHSM) while maintaining security and compliance.

Restoration can be performed:

  • On the same HSM via Decanus Partition Administration, as long as the original Partition still exists
  • On a different HSM, which requires:
    • Two-factor authentication (2FA) on both devices
    • The Partition backup file and restore password
    • The Partition Backup Card
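
The prerequisites scattered across this chapter (same authentication mode, REP and Genesis role for a foreign device, master node and closed clone sessions in an HA cluster, 2FA and Partition Backup Card for a cross-device partition restore) are easy to miss under time pressure, and a failed attempt costs an outage window because restore blocks the user API. The following Python is an added illustration, not Securosys tooling and not any Primus HSM API: it encodes those prerequisites as a pre-flight checklist that lists what is still missing before a restore is started. The Backup and Target records, all their field names, and the device names in the scenarios are assumptions made for this example.

```python
"""Restore pre-flight checklist for Primus HSM backups (added example).

Not Securosys tooling; calls no HSM API. Every record and field name is an
assumption made to model the rules stated in the backup/restore chapter.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    kind: str                    # "device", "mgmt", "automated" or "partition"
    origin_device: str           # identifier of the HSM the backup was created on
    auth_mode: str               # authentication mode in force at backup time
    restore_password: bool       # the matching Restore Password is at hand
    cluster: str | None = None   # HA cluster the origin belonged to, if any


@dataclass(frozen=True)
class Target:
    device: str
    auth_mode: str
    roles: frozenset[str] = frozenset()   # activated roles, e.g. {"SO", "Genesis"}
    rep_available: bool = False           # REP exported from the origin device is at hand
    cluster: str | None = None
    ha_role: str = "standalone"           # "standalone", "master" or "clone"
    clone_sessions_open: bool = False
    twofa: bool = False                   # 2FA authentication mode enabled
    partition_backup_card: bool = False
    partition_exists: bool = True         # original partition still present on this HSM
    standard_device_backup_taken: bool = False


def restore_preflight(backup: Backup, target: Target, selective: bool = False) -> list[str]:
    """Return the unmet prerequisites for restoring `backup` onto `target`.

    An empty list means every rule in the chapter is satisfied. `selective`
    models "Restore User" (one partition restored out of a device backup).
    """
    problems: list[str] = []
    same_device = backup.origin_device == target.device
    # Automated backups use a cluster-synchronized key, so a master can restore a
    # clone's backup without the REP; every other foreign restore needs the REP.
    same_key_domain = same_device or (
        backup.kind == "automated"
        and backup.cluster is not None
        and backup.cluster == target.cluster
    )

    if not backup.restore_password:
        problems.append("Restore Password is missing; the backup cannot be decrypted")
    if backup.auth_mode != target.auth_mode:
        problems.append(f"authentication mode {target.auth_mode!r} differs from "
                        f"{backup.auth_mode!r} used when the backup was created")

    if backup.kind == "partition":
        # Decanus partition backup: same HSM only while the partition still exists;
        # another HSM needs 2FA on both devices plus the Partition Backup Card.
        if same_device and not target.partition_exists:
            problems.append("original partition no longer exists on this HSM")
        if not same_device:
            if not target.twofa:
                problems.append("2FA must be enabled on both HSMs for a cross-device partition restore")
            if not target.partition_backup_card:
                problems.append("Partition Backup Card is required")
        return problems

    if selective and backup.kind == "mgmt":
        problems.append("management backups contain no users; selective restore needs a device backup as source")

    if not same_key_domain:
        if "Genesis" not in target.roles:
            problems.append("Genesis role must be activated on the new HSM")
        if not target.rep_available:
            problems.append("Restore Encryption PIN (REP) from the original device is required")
        if backup.kind == "automated" and not target.standard_device_backup_taken:
            problems.append("an automated backup cannot be restored to a new device without a standard device backup")

    if target.ha_role == "clone":
        problems.append("in an HA cluster the restore must run on the master node")
    if target.ha_role == "master" and target.clone_sessions_open:
        problems.append("close all sessions on clone nodes before restoring")
    return problems


# Constructed scenarios; device names and modes are made up for the example.
DEVICE_BACKUP = Backup(kind="device", origin_device="HSM-A", auth_mode="2FA", restore_password=True)
SAME_HSM = Target(device="HSM-A", auth_mode="2FA")
NEW_HSM_UNPREPARED = Target(device="HSM-B", auth_mode="2FA")
NEW_HSM_READY = Target(device="HSM-B", auth_mode="2FA",
                       roles=frozenset({"SO", "Genesis"}), rep_available=True)

if __name__ == "__main__":
    for label, tgt in [("same HSM", SAME_HSM),
                       ("new HSM, unprepared", NEW_HSM_UNPREPARED),
                       ("new HSM, ready", NEW_HSM_READY)]:
        print(f"{label}: {restore_preflight(DEVICE_BACKUP, tgt) or 'ok'}")
```

The checker is deliberately conservative: it never tries to decrypt or inspect the backup file itself (that is what the on-device Validate Restore Password procedure is for), it only tells the operator which role, credential or cluster condition from the chapter is still unmet so those can be fixed before the user API is blocked.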