DataPower

  • 1.  HSM Keys

    Posted Sat June 03, 2023 11:40 AM
    Hi All,

    The secure backup does not include "Keys on the HSM" as per the documentation.

    How are these keys then recreated after performing a secure restore?  

    Does an export of these keys have to be executed in addition to performing the secure backup?  After the secure restore, import these keys?

    Thanks,

    Paul 


  • 2.  RE: HSM Keys

    IBM Champion
    Posted Mon June 05, 2023 01:03 AM

    Hi Paul,

    My perspective is that if you prepare in advance, there are two ways to deal with restoring these keys.

    If you haven't prepared in advance, I think you will be stuck with revoking the old keys and getting new ones signed.

    Options if prepared in advance:

    1. If you store your keys (and associated passphrases) in a secure (preferably offline) storage vault, you can retrieve them and upload to the new appliance.
    2. If you establish a cluster of DataPower appliances with HSMs, you can create a key wrap key, export the keys from one appliance (wrapped in the key wrap key), establish the key wrap key on the restored appliance, and then import the wrapped keys that were exported.

    The key wrap setup is somewhat complex, but is documented: https://www.ibm.com/docs/en/datapower-gateway/10.0.x?topic=module-cloning-hsm-key-wrapping-keys

    Once your key wrap keys are in place, you can then follow the export and import instructions to move your keys around between HSMs.

    https://www.ibm.com/docs/en/datapower-gateway/10.0.x?topic=certificates-exporting-keys

    https://www.ibm.com/docs/en/datapower-gateway/10.0.x?topic=certificates-importing-keys

    As I mentioned, if you haven't prepared in advance to be able to restore your keys, then you will need to create new keys and revoke the old ones.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-22
    ------------------------------
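
The key-wrap export and import described in option 2 above rests on a key-encryption key (KEK) that already exists on both HSMs before the export is taken. As an added illustration (not code from this thread, and not DataPower's or IBM's own implementation; the thread does not describe DataPower's actual HSM wrapping mechanism, so RFC 3394 AES Key Wrap is assumed here as the illustrative algorithm), this Go program walks through the same lifecycle: wrap key material under a shared KEK, unwrap it on the "restored" side, and show that the export cannot be unwrapped without the original KEK, which is the "not prepared in advance" outcome. The KEK and key-material values are the RFC 3394 section 4.1 test vector, used as constructed sample input in place of a real HSM-resident private key.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fixed initial value from RFC 3394 section 2.2.3.1; unwrap must recover it exactly.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the big-endian encoding of t into the 8-byte register dst.
func xorCounter(dst []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range dst {
		dst[k] ^= tb[k]
	}
}

// WrapKey wraps key material under the key-encryption key kek with AES Key Wrap
// (RFC 3394). The material must be a multiple of 8 bytes and at least 16 bytes.
func WrapKey(kek, material []byte) ([]byte, error) {
	if len(material)%8 != 0 || len(material) < 16 {
		return nil, errors.New("key material must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(material) / 8
	out := make([]byte, 8*(n+1)) // out[0:8] is register A, out[8*(i+1):8*(i+2)] is R[i]
	copy(out[:8], rfc3394IV)
	copy(out[8:], material)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], out[:8])
			copy(buf[8:], out[8*(i+1):8*(i+2)])
			block.Encrypt(buf, buf)             // B = AES(K, A | R[i])
			copy(out[:8], buf[:8])              // A = MSB64(B) ^ t, t = n*j + (i+1)
			xorCounter(out[:8], uint64(n*j+i+1))
			copy(out[8*(i+1):8*(i+2)], buf[8:]) // R[i] = LSB64(B)
		}
	}
	return out, nil
}

// UnwrapKey reverses WrapKey and fails if the integrity value does not match,
// which is what happens when the wrong KEK is presented or the export is damaged.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped data must be a multiple of 8 bytes and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	st := make([]byte, len(wrapped))
	copy(st, wrapped)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			copy(buf[:8], st[:8])
			xorCounter(buf[:8], uint64(n*j+i+1)) // (A ^ t) | R[i]
			copy(buf[8:], st[8*(i+1):8*(i+2)])
			block.Decrypt(buf, buf)
			copy(st[:8], buf[:8])
			copy(st[8*(i+1):8*(i+2)], buf[8:])
		}
	}
	if subtle.ConstantTimeCompare(st[:8], rfc3394IV) != 1 {
		return nil, errors.New("integrity check failed: wrong key-wrapping key or corrupted export")
	}
	return st[8:], nil
}

func main() {
	// Constructed values (RFC 3394 section 4.1 test vector) standing in for a KEK
	// established on both HSMs and a private key that lives only inside the HSM.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	material, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, material)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped export: %X\n", wrapped)
	restored, err := UnwrapKey(kek, wrapped) // the restored appliance holds the same KEK
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored key matches original: %v\n", hex.EncodeToString(restored) == hex.EncodeToString(material))
	// Without the KEK (the "not prepared in advance" case) the export is unusable.
	_, err = UnwrapKey(make([]byte, 16), wrapped)
	fmt.Println("unwrap with a different KEK:", err)
}
```

The integrity check at the end of UnwrapKey is the practical point: a wrapped export is only as recoverable as the KEK that protects it, so the KEK must be established on the destination HSM (and itself be backed up securely) before the export is relied upon as a restore path.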