Procedure: Key backup and recovery

Written by Rick van Rein in category: Crypto, Procedures

Making backups is a regular task. Recovering from a backup is only done when both Hardware Securite Modules (or HSMs) have lost their data; if only one got damaged, follow the procedure for HSM replacement.


  • Keys may never be used for signing before they are backed up.
  • Sufficent keys must always be available for signing until the next scheduled backup.

Key backup is important because it enables the recovery of keys in case of same-time trouble in both the HSM locations. By their nature, a HSM will not release private key information and as a consequence the loss of an HSM means the loss of all private key material contained in it.
Keys may not be used for signing before they are backed up because that would make it impossible to fully rely on the backup for recovery of all zones.
Sufficient key material must be available to rollover keys until the next backup because it is undesirable if rollovers cannot complete simply because no backup has been made.


Key backup:

  1. Prepare OpenDNSSEC for key backup
  2. Remove the/a backup token from its secure storage location
  3. Plug the backup token into the HSM
  4. Instruct the HSM to make a backup of the HSM contents
  5. Remove the backup token from the HSM
  6. Return the backup token in its secure storage location
  7. Instruct OpenDNSSEC if the keys were properly backed up

Key recovery:

  1. Be certain that both HSMs have lost the keys needed by OpenDNSSEC, because it would otherwise be better to recover at the HSM-level
  2. Ignore OpenDNSSEC, which will complain heavily
  3. Order new HSMs and install them as their manual dictates
  4. If delivery takes longer than 3 days, consider rolling zones to insecure DNS by removing their DS in the parent; signatures will expire if they are not refreshed
  5. Remove the backup token from its secure storage location
  6. Follow HSM manufacturer’s procedures for recovery from backup token
  7. After removal from the HSM, return the backup token to its secure storage location