Migrating from a AWS CloudHSM Classic Partition

If you have an existing AWS CloudHSM Classic partition, you can migrate its key material to your new uninitialized HSM on Demand service using slot-to-slot cloning.

Migration Architecture

To migrate keys via slot-to-slot cloning, the HSM on Demand client must have active connections between both the old source AWS CloudHSM partition and the new uninitialized HSM on Demand (HSMoD) service, as shown in Figure 1.

Figure 1: Connections required for slot-to-slot cloning

To achieve this configuration, place the HSM on Demand client an Amazon EC2 instance within the same Virtual Private Cloud (VPC) as the CloudHSM. You then give the EC2 instance SSH access to the CloudHSM instance, and establish a Network Trust Link (NTL) between the HSM on Demand client and the CloudHSM partition. The connection to the HSM on Demand service is established during HSMoD client installation. This architecture is shown in Figure 2.

Figure 2: Architecture required for slot-to-slot cloning

 

CAUTION!   The NTL connection between the CloudHSM partition and the HSM on Demand client is for key migration purposes only and should be temporary. Do not attempt cryptographic operations using an HSM on Demand client and a CloudHSM partition, as they do not have full compatibility. We recommend deleting the HSM on Demand client after the migration is complete.

Migrating Keys from CloudHSM Classic to an HSM on Demand Service

Preconditions:

The following procedure assumes that:

>the source AWS CloudHSM's security policy allows cloning of private and secret keys.

>you know the cloning domain string set on the AWS CloudHSM service.

>you have not yet initialized the HSM on Demand service.

NOTE   To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. As a result, you must initialize the new SafeNet Data Protection On Demand using the AWS CloudHSM partition's cloning domain. The cloning domain was specified as a string when the partition was created. Contact the CloudHSM's Security Officer for this information if you did not create the CloudHSM partition yourself.

High level steps:

1.Set up a new EC2 instance to host the HSMoD client.

2.Establish SSH access between the new EC2 instance and the CloudHSM instance.

3.Create a new HSM on Demand service and service client.

4.Transfer the HSM on Demand client zip file to the EC2 instance and install the client.

5.Initialize the HSM on Demand service with the CloudHSM partition's cloning domain.

6.Establish a Network Trust Link between the HSM on Demand client and the CloudHSM partition.

7.Clone the CloudHSM partition keys to the HSM on Demand service.

To migrate cryptographic keys from an AWS CloudHSM partition to a SafeNet Data Protection On Demand partition

1.Create a new Amazon Elastic Compute Cloud (EC2) instance in the same Virtual Private Cloud (VPC) as the CloudHSM Classic with the following characteristics:

A minimal operating system Amazon Machine Image (AMI) without additional software. This procedure uses steps for Amazon Linux x86 64-bit AMI, and may require changes for different AMI types.

NOTE   We do not recommend using an EC2 instance launched from AWS CloudHSM Classic Client AMI as the included preconfigured HSM client software interferes with proper functioning of the HSM on Demand client.

A size large enough to accommodate the HSM on Demand client package and the required keys and certificates, for example, m3.medium.

A public subnet in the VPC.

A security group that allows inbound and outbound access to the internet, so that your client can reach your HSM on Demand service.

2.Establish SSH access from the EC2 instance to the CloudHSM Classic instance.

a.Copy the CloudHSM's private key file from the machine it is stored on to the ~/.ssh/ directory.

b.Modify the permissions for the private key file.

chmod 600 ~/.ssh/<private_key_file>

3.Create an HSM on Demand service and service client.

a.In a browser, log in to Data Protection on Demand as an Application Owner.

b.Under the Services tab, select the Add New Service page. Click Deploy on the HSM on Demand service tile.

c.Review the "Terms of Services DPoD." Enable the I have read and accept the Terms of Service above check box and then click Next.

d.On the Add <service_type> Service page, enter a name for the Service in the Service Name field. You can allow non-FIPS(Federal Information Processing Standard) approved algorithms by selecting the Allow non-FIPS approved algorithms check box. Click Next.

CAUTION!   If you do not select the Allow non-FIPS approved algorithms checkbox, and therefore disallow non-FIPS approved algorithms, check that your existing CloudHSM keys are FIPS approved by consulting the Mechanism Summary section in the Data Protection on Demand SDK Reference Guide. If your existing keys are not FIPS approved, you will not be able to migrate them to a service that disallows non-FIPS approved algorithms. You cannot alter this FIPS setting after creating the service. You must decide if the service should allow or disallow non-FIPS approved algorithms before clicking Finish in the next step.

e.Review the configuration summary page. If acceptable, click Finish. If you would like to make changes to the configuration, click Go Back.

When completed, you are redirected to the service details page. The new service is also listed under My Services.

f.Under Download client for service initialization, click Linux, and then Download Client for Linux. In the Create Service Client window enter a name for the service client in the Service Client Name field. Select Create Service Client.

A zip file containing the client package downloads on your browser.

4.Transfer the HSM on Demand client zip file to the EC2 instance and install the client.

a.Use pscp (Windows) or scp (Linux) to transfer the client zip file to the EC2 instance. Consult Amazon documentation to determine specific syntax and requirements for transferring files to an EC2 instance via pscp or scp.

b.Open a session with the EC2 instance.

c.Unzip the service client package.

unzip <service_client_package>.zip -d <target_directory>

d.Extract the cvclient-min.tar file.

NOTE   Extract the cvclient-min file in the directory where you extracted the <service_client_package>.zip. Do not extract to a new cvclient-min directory.

tar xvf cvclient-min.tar

e.Set the environment variable.

source ./setenv

f.Start LunaCM to ensure you can view the HSM on Demand partition.

For Linux, execute the following from the directory where you extracted the cvclient-min.tar file.

./bin/64/lunacm

An output similar to this example appears.

LunaCM v1.0.0-638. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id ->              3
Label ->                sample_HOD_service
Serial Number ->        123456789
Model ->                Luna K7
Firmware Version ->     7.1.2
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     User Token Slot
Current Slot Id: 3

Take note of the service information such as the label, the serial number, the model, or the firmware version to identify the service later, as the Slot ID may change before the migration.

5.Initialize the HSM on Demand service.

a.With LunaCM set the current slot to the HSM on Demand service.

lunacm:> slot set -slot <HSM_on_demand_slot>

b.Initialize the partition and Partition Security Officer (PO), including the CloudHSM's cloning domain string as a parameter.

lunacm:> partition init -label <cryptovisor_partition_label> -domain <domain_string>

c.Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role, setting the initial Crypto Officer password.

lunacm:> role login -name po

lunacm:> role init -name co

enter new password: ********

re-enter new password: ********

NOTE   The password for the Crypto Officer is valid for the first login only. After you complete the migration, you must change the initial password using the command role changepw -name Crypto Officer before performing role-dependent actions. Failure to change the password results in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

6.Establish a Network Trust Link (NTL) to the source CloudHSM partition. The example steps below use the multi-step NTL procedure described in greater detail in AWS CloudHSM Classic documentation for configuring a Linux HSM client.

a.Use scp (Linux) to import the server certificate (server.pem) from the CloudHSM instance to the EC2 HSM on Demand client instance. You require the CloudHSM private key file configured in step 2 to connect to the CloudHSM. The below syntax imports the server.pem file to the current directory in the EC2 instance.

scp -i ~/.ssh/<private_key_file> manager@<CloudHSM_IP>:server.pem .

b.Register the HSM Server Certificate with the client, using the vtl addServer command.

./<HSM_client_directory>/bin/64/vtl addServer -n <CloudHSM_IP> -c <server.pem_location>

c.Create a certificate and private key for the client, using the vtl createCert command.

./<HSM_client_directory>/bin/64/vtl createCert -n <EC2_instance_IP>

The certificate and private key are saved to the <client_install_dir>/etc directory and are named <client_hostname_or_IP>.pem and <client_hostname_or_IP>Key.pem, respectively. The vtl createCert command displays the full path-name to the key and certificate files that were generated.

d.Export the client certificate to the CloudHSM instance using scp.

scp -i ~/.ssh/<private key file> <client cert directory>/<client name>.pem manager@<Cloud_HSM_IP_address>:

NOTE   The colon (:) after the destination is required for scp to recognize the CloudHSM destination.

e.Use the ssh command to connect to the CloudHSM.

ssh -i ~/.ssh/<private key file> manager@<HSM IP address>

f.On the CloudHSM, use the LunaSH utility's client register command to register the client. The client name must be the same name used for the createCert command. We recommend setting both the client name and the client hostname to the EC2 instance IP.

lunash:>client register -client <EC2_instance_IP> -hostname <EC2_instance_IP>

g.Restart the Network Trust Link service.

lunash:>service restart ntls

You can use the LunaSH client list command to verify the client registration.

h.Exit the CloudHSM session.

lunash:>exit

7.Clone the CloudHSM partition keys to the HSM on Demand service.

a.Launch LunaCM to ensure you can see both the HSM on Demand service slot and the AWS CloudHSM slot, as identified by label, Serial Number, HSM model, or firmware version. The slot numbers may have changed after adding the NTL link to the CloudHSM partition.

./bin/64/lunacm

LunaCM v1.0.0-638. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id ->              0
HSM Label ->            sample_CloudHSM_partition
HSM Serial Number ->    987654321
HSM Model ->            LunaSA
HSM Firmware Version -> 6.20.2
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK
Slot Id ->              4
Label ->                sample_HOD_service
Serial Number ->        123456789
Model ->                Luna K7
Firmware Version ->     7.1.2
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     User Token Slot
Current Slot Id: 0

b.Set the current slot to the target HSM on Demand service to check the space available for your existing keys.

slot list

slot set -slot <HSM_on_Demand_Service_Slot>

partition showinfo

Partition Storage:
Total Storage Space:  324096
Used Storage Space:   0
Free Storage Space:   324096
Object Count:         0
Overhead:             9648

c.Set the slot to the AWS CloudHSM source partition. Check the used storage space to see if you can clone all objects. If your used storage space is smaller than the free storage space in the destination HSMoD service, you need to choose a subset of the partition objects to clone.

slot list

slot set -slot <AWS_CloudHSM_Partition_Slot>

partition showinfo

User Storage:
Total Storage Space:  1973132
Used Storage Space:   128
Free Storage Space:   1973004
Object Count:         1

d.Log in as the CloudHSM partition's Crypto Officer.

partition login -password

e.(Optional) To verify the objects in the AWS CloudHSM to be cloned, issue the “partition contents” command.

partition contents

f.Clone the desired objects to the HSM on Demand partition.

The -objects parameter specifies the object handles to clone using any of the following values:

a single object handle

zero (0), to indicate that all objects are to be extracted

a list of handles, separated by commas. For example: -objects 3,4,6

slot set -slot <AWS_CloudHSM_partition>

partition login -password

partition clone -objects <handles> -slot <HSM_on_Demand_service>

Enter the cloning domain when prompted.

NOTE   SafeNet Data Protection On Demand requires a different object handle format than the source partition does, and so the object handles are converted to the new format during cloning. Messages display how handles are remapped, with the format "Handle <source_partition_object_handle> on slot 0 is now handle <target_partition_object_handle> on slot 1".

g.(Optional) Verify that all objects were cloned successfully to the service by checking the partition contents.

slot set -slot <HSM_on_Demand_Service>

partition contents

You should see the same number of objects that you cloned from on the source partition. In addition, the object handles should be remapped to the values indicated during cloning.