Backup and restore

IBM Security Key Lifecycle Manager provides a set of operations to back up and restore current, active files and data.

IBM Security Key Lifecycle Manager creates cross-platform backup files in a manner that is independent of the operating system and of the directory structure of the server. You can restore a backup file to an operating system that is different from the one on which it was created. For example, you can take a backup file on a Linux system and restore it on a Windows system.

You can use the cross-platform backup utility to run the backup operation on earlier versions of IBM Security Key Lifecycle Manager and IBM Tivoli Key Lifecycle Manager to back up critical data. You can then restore these backup files on the current version of IBM Security Key Lifecycle Manager, across operating systems.
Note: In IBM Security Key Lifecycle Manager, Version 3.0, the Solaris operating system is not supported. If you are using IBM Security Key Lifecycle Manager on Solaris systems, use the cross-platform backup utility to back up the data. You can then run the restore operation to restore the data on an IBM Security Key Lifecycle Manager, Version 3.0 system that is deployed on any of the supported operating systems, such as Windows, Linux, or AIX.
Backed up files include the following data:
  • Data in the IBM Security Key Lifecycle Manager database tables
  • Truststore and keystore with the master key
  • IBM Security Key Lifecycle Manager configuration files

Your role must have permissions to back up or to restore files.

Failure to back up your critical data properly might result in unrecoverable loss of all access to your encrypted data. Do not encrypt your backup file, and do not store a backup file on an encrypting device: a backup that can be read only with a key that the key manager itself serves cannot be used to recover that key manager. Failure to back up data might also result in a later inconsistency between the key manager and the storage device, with potential data loss on the storage device.

The IBM Security Key Lifecycle Manager backup and restore operations support the use of AES with a 256-bit key length to encrypt and decrypt backup data, which conforms to the PCI DSS (Payment Card Industry Data Security Standard) requirements for increased data security.

Encryption methods to back up IBM Security Key Lifecycle Manager data

IBM Security Key Lifecycle Manager supports the following encryption methods for backups:
Password-based encryption
During the backup process, a password is specified to encrypt the backup key, and you must specify the same encryption password to decrypt and restore the backup files.
HSM-based encryption
You can configure IBM Security Key Lifecycle Manager to use a Hardware Security Module (HSM) for storing the master encryption key. During the backup process, the backup key is encrypted by the master key, which is stored in the HSM. During the restore process, the master key in the HSM decrypts the backup key. Then, the backup key is used to restore the backup contents.

High-performance backup and restore

High-performance backup and restore provide backup and restoration of large numbers of encryption keys. You can configure IBM Security Key Lifecycle Manager for high-performance backup and restore operations by setting the following parameter in the SKLMConfig.properties configuration file:
enableHighScaleBackup=true

When IBM Security Key Lifecycle Manager is configured for high-performance backup and restore, IBM DB2 native backup technology is used to run the backup and restore operations more efficiently. However, with this configuration, you can restore the backup only in an identical operating environment: the operating system, middleware components, and directory structures must be identical on both systems.

You cannot create a cross-platform compatible backup file if IBM Security Key Lifecycle Manager is configured for high-performance backup and restore activities. For information about how to back up large amounts of data, see Backing up large amount of data.
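As an added example that is not part of the IBM documentation, the following Go preflight check encodes the restore constraint from this section: it reads enableHighScaleBackup from SKLMConfig.properties text and, when the flag is set, refuses a restore to a host whose operating system, middleware or directory layout differs from the backup host, while a cross-platform backup passes regardless. The HostProfile fields, the sample directory names and the middleware strings are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// HostProfile holds the properties that must match for a DB2 native backup to be
// restorable; the field set is an assumption made for this example.
type HostProfile struct {
	OS         string // for example "linux", "windows", "aix"
	Middleware string // DB2 and WebSphere levels, as one descriptive string
	InstallDir string // directory structure of the installation
}

// ParseProperties reads Java-style key=value lines, skipping blanks and comments.
func ParseProperties(text string) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		props[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return props
}

// IsHighScaleBackup reports whether the configuration selects DB2 native
// (high-performance) backup, whose files are not cross-platform.
func IsHighScaleBackup(props map[string]string) bool {
	return strings.EqualFold(props["enableHighScaleBackup"], "true")
}

// CheckRestore returns nil when a backup taken on src under the given
// SKLMConfig.properties text can be restored on dst, or an error listing every
// mismatch that blocks the restore.
func CheckRestore(configText string, src, dst HostProfile) error {
	if !IsHighScaleBackup(ParseProperties(configText)) {
		return nil // cross-platform backup: any supported OS and layout is fine
	}
	var mismatches []string
	for _, c := range []struct{ name, src, dst string }{
		{"operating system", src.OS, dst.OS},
		{"middleware", src.Middleware, dst.Middleware},
		{"install directory", src.InstallDir, dst.InstallDir},
	} {
		if c.src != c.dst {
			mismatches = append(mismatches, fmt.Sprintf("%s (%q vs %q)", c.name, c.src, c.dst))
		}
	}
	if len(mismatches) > 0 {
		return fmt.Errorf("high-performance backup needs an identical environment; mismatch in %s",
			strings.Join(mismatches, ", "))
	}
	return nil
}

func main() {
	// Constructed sample configuration excerpt and host profiles.
	config := "# SKLMConfig.properties (constructed excerpt)\nenableHighScaleBackup=true\n"
	linux := HostProfile{OS: "linux", Middleware: "DB2 level X", InstallDir: "/opt/example/sklm"}
	windows := HostProfile{OS: "windows", Middleware: "DB2 level X", InstallDir: `C:\example\sklm`}
	fmt.Println("linux -> linux:", CheckRestore(config, linux, linux))
	fmt.Println("linux -> windows:", CheckRestore(config, linux, windows))
}
```

Run before a restore, the check turns the prose rule into a hard stop: a high-performance backup from the Linux profile is accepted on an identical Linux host and rejected on the Windows host, and the error names each mismatching property so the operator can see why.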