When IBM® Security Guardium® Key Lifecycle Manager is configured
with a Hardware Security Module (HSM) for storing the master encryption
key, you can use HSM-based encryption for creating secure backups.
Before you begin
Ensure that IBM Security Guardium Key Lifecycle Manager is configured to
use HSM for storing the master key before you back up data with HSM-based encryption. For the
configuration steps, see Configuring IBM Security Guardium Key Lifecycle Manager with HSM.
You must consider the following guidelines for HSM-based encryption:
- The same HSM partition must be present with all its key entries on the system where the backup
file is restored.
- The master key that you used for the backup key encryption must be intact to restore the backup
file. If the master key is refreshed, all the older backups are inaccessible or unusable.
- You must connect to the same HSM and master key for backup and restore operations,
irrespective of whether you use HSM-based encryption or password-based encryption.
About this task
When you run the IBM Security Guardium Key Lifecycle Manager backup
operation, a backup archive is created. The backup key in the archive
encrypts the backup contents. The master key in HSM encrypts the backup
key. During the restore process, the master key, which is stored in HSM,
decrypts the backup key. Then, the backup key is used to restore the backup
contents. For information about HSM-based encryption, see HSM-based encryption for backups.
Your role must have the permission to back up files.
IBM Security Guardium Key Lifecycle Manager creates
backup files in a manner that is independent of operating systems
and directory structure of the server. You can restore the backup
files to an operating system that is different from the one it was
backed up from.
Note: Backup success messages are system wide. Two administrators might
run backup tasks that overlap in time. During this interval, the administrator who starts a second
task that fails might see a false success message from the first backup task.
Procedure
- Go to the appropriate page or directory.
  - Graphical user interface
    - Log on to the graphical user interface.
    - On the Welcome page, click .
  - REST interface
    - Open a REST client.
- Create a backup file.
  You can run only one backup or restore task at a time.
  - Graphical user interface
    - On the Backup and Restore table, the Backup repository location field displays the
      default SKLM_DATA directory path, where the backup file is saved. For the definition of
      SKLM_DATA, see Definitions for HOME and other directory variables. Click Browse to specify
      a backup repository location under the SKLM_DATA directory.
      The directory path in the Backup repository location field changes based on the value
      that you set for the tklm.backup.dir property in the SKLMConfig.properties file.
    - Click Create Backup.
    - On the Create Backup page, specify a description. A read-only backup file
      location is displayed in the Backup location field.
    - Click Create Backup.
  - REST interface
    - Obtain a unique user authentication identifier to access IBM Security Guardium Key
      Lifecycle Manager REST services. For more information about the authentication process,
      see Authentication process for REST services.
    - To run the Backup Run REST Service, send the HTTP POST request. Pass the user
      authentication identifier that you obtained in Step a along with the request
      message as shown in the following example.

      POST https://localhost:port/SKLM/rest/v1/ckms/backups
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en

      {"backupDirectory":"/sklmbackup1"}
- A message indicates that the backup file was created, or that the backup operation succeeded.
  The time stamp on a backup file has a Greenwich Mean Time (GMT) offset represented in RFC 822
  format. The file name contains a +hhmm or -hhmm element to specify a timezone ahead of or
  behind GMT. For example, a file name might be sklm_v3.0.1.0_20170123144220-0800_backup.jar,
  where -0800 indicates that the timezone is eight hours behind GMT.
What to do next
Do not edit a file in the backup JAR file. The file that
you attempt to edit becomes unreadable. The master key that was used for
the backup key encryption must be intact to restore the backup file.
If the master key is refreshed, all the older backups are inaccessible
or unusable.
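
The backup file name format and the master key refresh caveat can be combined into an inventory check that lists backups created before a refresh. The following Python sketch is an added example, not IBM code: the name pattern is inferred from the single file name shown in the procedure, and the second file name and the refresh time are constructed sample values.

```python
import re
from datetime import datetime, timezone

# Pattern inferred from the one file name shown on this page (assumption).
BACKUP_NAME = re.compile(
    r"^sklm_v(?P<version>\d+(?:\.\d+)*)_"
    r"(?P<stamp>\d{14})(?P<offset>[+-]\d{4})_backup\.jar$"
)

def parse_backup_name(name):
    """Return (product version, creation time as an aware UTC datetime)."""
    m = BACKUP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised backup file name: {name!r}")
    local = datetime.strptime(m["stamp"] + m["offset"], "%Y%m%d%H%M%S%z")
    return m["version"], local.astimezone(timezone.utc)

def backups_older_than_refresh(names, refreshed_at):
    """Names of backups created before the master key refresh.

    Per the page, such backups cannot be restored with the refreshed key.
    Comparison is done in UTC, not on the raw digits in the name.
    """
    return [n for n in names if parse_backup_name(n)[1] < refreshed_at]

# Constructed sample data. Only the first name appears on the page.
SAMPLE_NAMES = [
    "sklm_v3.0.1.0_20170123144220-0800_backup.jar",  # 22:42:20 UTC
    "sklm_v3.0.1.0_20170123230000+0530_backup.jar",  # 17:30:00 UTC
]
# Hypothetical master key refresh time, taken from your own change records.
SAMPLE_REFRESH = datetime(2017, 1, 23, 20, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in backups_older_than_refresh(SAMPLE_NAMES, SAMPLE_REFRESH):
        print("created before master key refresh:", name)
```

Sorting the sample names by their digits alone would place the -0800 backup first, although it was created more than five hours after the +0530 one.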