
Key backup with nCipher HSMs

When a key or a security world is generated, the encrypted version of the data is stored in the kmdata directory (c:\nfast\kmdata on Windows, /opt/nfast/kmdata/ on Unix) and its subdirectories, which should be included in the backup regime. See also Section ssh-ca-backup.

If the entire nCipher device was rendered unusable and/or the security world was lost, the prerequisite for the keys to be usable is that the security world is restored. The security world is restored by restoring the contents of the kmdata directory and its subdirectories from backup, and then loading it with KeySafe or with the command-line command new-world -l.

If the same security world is available for the keys and the operator card is available, a key can be "restored" simply by copying its key files from the backup to the kmdata/local directory.

It is good failsafe practice to have a spare nCipher HSM with the same security world installed, in case the computer and the original HSM are damaged. If the spare HSM contains the same security world, the backed-up keys are easier to take into use.

The security world is stored in the world file, encrypted with the Administrator Card Set. If you need to restore the security world, you need to have both the Administrator Card Set and the world file available.
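The backup and restore steps above, as an added shell example (not part of the original page or of the nCipher tooling): it archives the kmdata root, records a SHA-256 manifest, and before relying on a backup checks that the archive is intact and actually contains the world file and at least one key file under local/. It assumes the world file lives at kmdata/local/world, as in a standard installation; loading the restored world (new-world -l with the Administrator Card Set) is still done with the nCipher tools afterwards.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the security world file
# is at $KMDATA/local/world and key files are under $KMDATA/local/key_*.
# Usage: backup_kmdata /opt/nfast/kmdata /backup/kmdata.tgz
#        verify_kmdata_backup /backup/kmdata.tgz
#        restore_kmdata /backup/kmdata.tgz /opt/nfast/kmdata   (then: new-world -l)
set -u

# Archive the kmdata root ($1) into $2 and write a SHA-256 manifest beside it.
backup_kmdata() {
    kmdata="$1"; archive="$2"
    [ -f "$kmdata/local/world" ] || { echo "no world file under $kmdata/local" >&2; return 1; }
    # -C so that paths are relative to the kmdata root and restore in place
    tar -C "$kmdata" -czf "$archive" . || return 1
    sha256sum "$archive" > "$archive.sha256"
}

# Return 0 only if the archive matches its manifest and contains the world
# file plus at least one key file; a backup missing either cannot be restored.
verify_kmdata_backup() {
    archive="$1"
    expected=$(cut -d' ' -f1 "$archive.sha256") || return 1
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $archive" >&2; return 1; }
    listing=$(tar -tzf "$archive") || return 1
    echo "$listing" | grep -q '^\./local/world$' || { echo "world file missing" >&2; return 1; }
    echo "$listing" | grep -q '^\./local/key_' || { echo "no key files in backup" >&2; return 1; }
}

# Verify, then unpack the archive ($1) into the kmdata root ($2).
restore_kmdata() {
    verify_kmdata_backup "$1" || return 1
    mkdir -p "$2" && tar -C "$2" -xzf "$1"
}
```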

When you create a key, you can define whether the key can be restored (the Recovery feature in KeySafe). When this flag is set, the key can be used with a replaced card set. Without the flag, the key can only be used with the card set that was used to create it.

Having listed all these precautions, it is worth noting that SSH has been using nCipher HSMs for more than 3 years without a single hardware failure, so the precautions may sound like overkill. However, changing a CA key is such a drastic operation that every precaution should be taken to avoid it.
