View Only
  • 1.  HSM Keys

    Posted Sat June 03, 2023 11:40 AM
    HI All,

    The secure backup does not include "Keys on the HSM" as per the documentation.

    How are these keys then recreated after performing a secure restore?  

    Does an export of these keys have to be executed in addition to performing the secure backup?  After the secure restore, import these keys?



  • 2.  RE: HSM Keys

    IBM Champion
    Posted Mon June 05, 2023 01:03 AM

    Hi Paul,

    My perspective is that if you prepare in advance, there are two ways to deal with restoring these keys.

    If you haven't prepared in advance, I think you will be stuck with revoking the old keys and getting new ones signed.

    Options if prepared in advance.

    1. If you store your keys (and associated passphrases) in a secure (preferably offline) storage vault, you can retrieve them and upload to the new appliance.
    2. You can establish a cluster of datapower appliances with HSMs, you can create a key wrap key and then you can export the keys from one appliance (wrapped in the key wrap key), establish the key wrap key on the restored appliance, and then import the wrapped keys that were exported. 

    The key wrap setup is somewhat complex, but is documented...

    Once your key wrap keys are in place, you can then follow the export and import instructions to move your keys around between HSMs

    As I mentioned, if you haven't prepared in advance to be able to restore your keys, then you will need to create new keys and revoke the old ones.


    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-22