4 maintaining the skm, Backup and restore overview – HP Secure Key Manager User Manual
Page 95
4 Maintaining the SKM
Backup and restore overview
Clustering SKM nodes is an effective way of exchanging keys and configuration data to allow for
failover, but it is not the complete solution for protecting the SKM environment. Perform regular backups
of the SKM nodes to ensure that your encryption solution is protected in a disaster-recovery scenario.
In addition, if connectivity between nodes is lost, even for a brief time, the nodes can become
out-of-sync—one node might have keys from a library that were not replicated across the cluster, for
example. In this event, using the backup utility is critical to being able to distribute the unreplicated
keys to the other cluster nodes. Because of this out-of-sync possibility, it is necessary to back up each
SKM node, even in a clustered environment. Since this could affect several nodes, some of which
might be in offsite locations, it is best to develop a way to automate those backups to make
administering the SKMs easier.
The SKM provides three ways of backing up the keys and configuration. There are advantages and
disadvantages to each method.
•
Backing up internally to the SKM is the quickest and most secure way of running a backup, but
provides no disaster-recovery protection and must be performed manually.
•
Backup by downloading the data via browser (this encrypts and saves the data to the local computer
via the browser interface) provides disaster-recovery protection since the data is stored outside
the SKM and is OS independent (because the browser handles the transfer), but again must be
run manually.
•
Backup to an external server using SCP (secure file transfer) to copy the backup file provides both
disaster-recovery protection and the ability to be automated, but SCP is an older secure protocol
and, if the desire is to send the data to a Windows server, requires additional software as SCP
is not a recognized protocol on Windows. SCP still works to secure the backup data, however,
and so this method is the preferred solution for backing up the SKM.
To read more about how to copy settings between devices, please see
.
The HP StorageWorks Secure Key Manager's backup mechanism allows you to achieve two important
objectives: (1) back up information on the device to be restored in case of a failure, and (2) copy
configuration information between devices. Once a device is fully configured with networking
information, certificates, and user accounts, we recommend that the entire configuration be backed
up. Likewise, when you make changes to your configuration, update your backup files.
When restoring a backup, you can select which components of the backup file to restore. In general,
once you select which items to restore, the current settings for those items are cleared from the SKM
before the settings from the backup file are restored in their place. So if you restore a backup that
contains Users & Groups, you can expect that any settings you configured previously for Users &
Groups will be overwritten by the configuration from the backup file. No other configuration items
are affected by the restore operation.
Restoring keys, certificates, or local CAs, in contrast, is an additive process. The SKM adds the keys,
certificates, and local CAs from the backup file to the existing set of keys, certificates, and CAs. This
is because keys, certificates, and local CAs are unique cryptographic objects that cannot be recreated.
Secure Key Manager
95