Backing up user.db requires both a CryptoServer Admin and at least one User Admin (`12000000`), while CXIKEY.db requires only a CryptoServer Admin (`02000000`). footnote:[Please see the SecurityServer administration documentation for more on the permission masks and authorization levels provided, and how they are used.] Backing up individual keys, or groups of keys based on their Group value, using an API tool like `cxitool` requires Cryptographic User (`00000002`), *plus* the correct CXI Group for the targeted keys. CXI_GROUP is a regular-expression attribute of the user, Group is an attribute of the key, and regex matching rules are applied to grant or restrict access.
In general, running an arbitrary command requires an authorization value of '2' in a specific field. For CXI Group, key Group and "Cryptographic User" authorization (`00000002`), there is an added requirement: the authorization supplied by a Cryptographic User applies specifically to that user's CXI Group. A user with `00000002` in CXI Group "ExmpKey" and a user with `00000000` in CXI Group "ProdKey" cannot make backups of keys in Group "ProdKey", because the users in the "ProdKey" group don't reach the `00000002` authorization state needed for cryptographic operations on that group.
Whether to use csadm and BackupDatabase to capture the entire database, or to use cxitool and back up only specific key groups or keys, depends on the case. The simplicity of capturing an entire database may conflict with the level of granularity required, and, as always, security should not take a back seat to convenience.
The primary data to be backed up reside in the user.db (authorized CryptoServer users) and CXIKEY.db (the CXI key database). If you have custom, SDK-generated private database files, you can also use csadm BackupDatabase to capture those.
The command-line tools generally allow you to "stack" operations.
For 4.20 SecurityServer, the following script can be used as a starting point.
|
The command "stacks" two BackupDatabase commands to capture the user and internal key databases. If you have custom databases, you can add further `BackupDatabase=<file>.db` commands at the end of this command. The commands populate the working directory with the copies, which should then be handled as directed by local policy (immediate off-site copy via sftp or scp, etc.).
Security-relevant data in these backup files are encrypted using the device MBK.
The combined permission for the above command should be at least `12000000`. The 2 in slot 6 allows the BackupDatabase command to be run, and the 1 in slot 7 provides the authentication required to back up the CryptoServer users database. Without the `10000000`, the command would fail when attempting the backup of user.db, and none of the following commands would be run.
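The following Python sketch models the permission checks described above: the slot levels needed for each database backup and the CXI Group rule for key backups. It is an added example, not SecurityServer code. The function names are hypothetical, and it assumes that the levels of all logged-on users add up per slot and that a CXI_GROUP regex must match the whole key Group value.

```python
import re

def slots(mask):
    """Split an 8-hex-digit permission mask into levels; slot 0 is the rightmost digit."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", mask):
        raise ValueError(f"bad permission mask: {mask!r}")
    return [int(c, 16) for c in reversed(mask)]

def combine(masks):
    """Assumption: levels of all logged-on users add up per slot, capped at 0xF."""
    total = [0] * 8
    for m in masks:
        total = [min(a + b, 0xF) for a, b in zip(total, slots(m))]
    return total

def satisfies(state, required):
    """True when every slot of the session state reaches the required level."""
    return all(s >= r for s, r in zip(state, slots(required)))

# Requirements as stated on the page.
REQUIRED = {"user.db": "12000000", "CXIKEY.db": "02000000"}
KEY_BACKUP = "00000002"

def can_backup_db(session_masks, db):
    """Would BackupDatabase for `db` pass with these users logged on?"""
    return satisfies(combine(session_masks), REQUIRED[db])

def can_backup_key(users, key_group):
    """users: (mask, cxi_group_regex) pairs. Only users whose CXI_GROUP regex
    matches the key's Group count toward the 00000002 state.
    Assumption: the regex must match the whole Group value."""
    masks = [m for m, rx in users if re.fullmatch(rx, key_group)]
    return satisfies(combine(masks), KEY_BACKUP)

# Constructed sample sessions (masks and group names taken from the text).
ADMIN_ONLY = ["02000000"]
ADMIN_PLUS_USER_ADMIN = ["02000000", "10000000"]
PAGE_CASE = [("00000002", "ExmpKey"), ("00000000", "ProdKey")]

if __name__ == "__main__":
    for db in REQUIRED:
        print(db, can_backup_db(ADMIN_ONLY, db), can_backup_db(ADMIN_PLUS_USER_ADMIN, db))
    for group in ("ExmpKey", "ProdKey"):
        print(group, can_backup_key(PAGE_CASE, group))
```

Running a planned set of backup users through a model like this before a scheduled job shows whether a stacked command would stop at user.db for lack of the `10000000` contribution.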
The SecurityServer command line tools will execute command-line arguments, in general, left to right. The current session state of the command is maintained from one stacked command to the next. In the event an exception is thrown by one command, the remainder of the commands are ignored, and the session is torn down on return to the command line. You do, however, need to provide all Logon details after setting the Device (if needed), and prior to issuing any parameter, argument or command.