HSM-based encryption for backups

You can configure IBM® Security Key Lifecycle Manager to use a Hardware Security Module (HSM) to store the master encryption key, which protects the key material that is stored in the database.

When you run the IBM Security Key Lifecycle Manager backup operation, a backup archive is created. The backup contents are encrypted with a backup key that is stored in the archive, and that backup key is in turn encrypted with the master key that is held in the HSM. During the restore process, the master key in the HSM decrypts the backup key, and the backup key is then used to restore the backup contents.

If you use HSM to store the master key, the backup archive contains the following files:
  • Manifest file, which lists all the IBM Security Key Lifecycle Manager data files in the archive
  • IBM Security Key Lifecycle Manager configuration files
  • IBM Security Key Lifecycle Manager data dumps
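The key hierarchy that the backup and restore flow above describes, as an added example that is not part of the IBM documentation or of the product code: a Go program in which an in-process HSM type stands in for the hardware module, the backup key seals each archive entry with AES-256-GCM, and the master key held by the HSM wraps only the backup key, so a restore with a different master key fails at the unwrap step before any data is touched. The Archive, Backup, Restore and HSM names and the helper functions are assumptions of this example, not IBM Security Key Lifecycle Manager APIs, and the example covers only the HSM-based path, not the password-based one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const wrapAAD = "backup-key" // AAD that ties the wrapped blob to its purpose

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key here is 32 bytes, so an error is a programming bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext []byte, aad string) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(aad))
}

func open(key, sealed []byte, aad string) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], []byte(aad))
	}
	return nil, errors.New("sealed blob too short")
}

// HSM stands in for the hardware module (an assumption of this example): the master
// key is unexported and only Wrap/Unwrap are offered, so the key never leaves the struct.
type HSM struct{ master []byte }

func NewHSM() *HSM                                  { return &HSM{master: randBytes(32)} }
func (h *HSM) Wrap(backupKey []byte) []byte          { return seal(h.master, backupKey, wrapAAD) }
func (h *HSM) Unwrap(wrapped []byte) ([]byte, error) { return open(h.master, wrapped, wrapAAD) }

// Archive mirrors the backup archive: each data file (manifest, configuration files,
// data dumps) sealed with the backup key, plus the backup key wrapped by the master key.
type Archive struct {
	Files      map[string][]byte
	WrappedKey []byte
}

// Backup seals every file with a fresh backup key and wraps that key in the HSM.
func Backup(files map[string][]byte, hsm *HSM) *Archive {
	backupKey := randBytes(32)
	arc := &Archive{Files: map[string][]byte{}, WrappedKey: hsm.Wrap(backupKey)}
	for name, content := range files {
		arc.Files[name] = seal(backupKey, content, name) // file name as AAD: entries cannot be swapped
	}
	return arc
}

// Restore asks the HSM to unwrap the backup key and then decrypts every file.
func Restore(arc *Archive, hsm *HSM) (map[string][]byte, error) {
	backupKey, err := hsm.Unwrap(arc.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("cannot recover backup key: %w", err)
	}
	out := map[string][]byte{}
	for name, sealed := range arc.Files {
		if out[name], err = open(backupKey, sealed, name); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
	return out, nil
}

func main() {
	files := map[string][]byte{"manifest": []byte("config.properties\ndata.dump")} // constructed sample
	hsm := NewHSM()
	arc := Backup(files, hsm)
	restored, err := Restore(arc, hsm)
	fmt.Printf("restored with same HSM: %q err=%v\n", restored["manifest"], err)
	_, err = Restore(arc, NewHSM()) // another master key cannot unwrap the backup key
	fmt.Println("restored with another HSM:", err)
}
```

The second Restore call in main uses a different master key and fails when unwrapping the backup key, without decrypting any file. That is the property the page relies on: the archive alone is useless without the master key, which is also why that key must still be available in the HSM at restore time.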
HSM-based encryption is the default method for backups when an HSM is configured to store the master key. To use password-based encryption for backups even though an HSM is configured, set the following property in the SKLMConfig.properties file:
enablePBEInHSM=true
Note:
  • If an HSM is not configured, you can use only password-based encryption for backups.
  • If enablePBEInHSM is not set, or is set to any value other than true, it is treated as false.
  • You can restore a backup file that was created with either password-based or HSM-based encryption, irrespective of the current value of enablePBEInHSM.