[Opendnssec-user] Questions about SoftHSM and 'ods-ksmutil backup'

Jake Zack jake.zack at cira.ca
Fri Sep 25 14:11:16 UTC 2015

Sorry for my bad nomenclature in my original request.

I’m pre-populating HSM’s with keys, so no worries there about backups of that…I’m merely trying to sync kasp db’s.

I was hoping to do it without needing to restart ods-enforcerd.

I just find it odd that if I can do ‘ods-ksmutil backup …’ commands to generate a kasp.db.backup…that I can’t restore from that backup on the same server and/or a different server seamlessly.


From: Rickard Bellgrim [mailto:rickard at opendnssec.org]
Sent: Friday, September 25, 2015 2:03 AM
To: Rick van Rein
Cc: Jake Zack; opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Questions about SoftHSM and 'ods-ksmutil backup'

On Thu, Sep 24, 2015 at 4:55 PM, Rick van Rein <rick at openfortress.nl<mailto:rick at openfortress.nl>> wrote:

The SQLite backups are made at the database level, and that is the level at which you should look for tooling support for import / recover the backup.  The default procedure in lieu of any would be to stop KASP, replace the database with the newly copied backup, and bring the KASP backup.

Also, there are no keys in the KASP database, only the metadata about them. The keys are stored in the HSM. In SoftHSM, the keys are stored in the token database according to softhsm.conf. The README have more information on the backup procedures.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20150925/a144a4f9/attachment.htm>

More information about the Opendnssec-user mailing list