You will usually use the WebConf installation option Restore system from backup to restore a standalone system. In a cluster environment, only restore a backup in an utmost emergency, for example, if all cluster nodes are non-operational. If at least one cluster node is still operational, you should always reconfigure a broken cluster from the last remaining node.

For general information about clustering and High Availability (HA) setup, see  Availability and Clustering.
For information on how to proceed with either bringing back a Hardware Appliance into your cluster or, as a last resort, restore a cluster node from backup, see Backing Up a Cluster.

As of version 2.4.0, the Hardware Appliance will not be able to restore from backup data created on a Hardware Appliance with versions older than 2.2.0.


You will need the following for restoring the system from a backup:

  • Physical access to the Hardware Appliance:
    You can only restore a backup file to a fresh and unprovisioned machine.
  • Backup file on a Network File System (NFS) share
  • Domain Master Secret:
    You specified that when installing the first machine of your environment.
  • Security level requirements:
    PIN pad, the persons with their smart cards and their PINs.

For more information on the Domain Master Secret, the Appliance Security Level, and smart cards, see Initial Set-up > Step 5: Running WebConf Wizard, sections Hardware Security Module Settings and Security Settings - Secrets

Product size variations

You can only restore a backup to a matching or bigger product size version. For example, a backup from a model M product size can only be restored to hardware of M or L product size. For more information on Hardware Appliance models, see Model Specifications.

How to restore the system from a backup

Proceed as follows to restore a standalone system from a backup:

  1. Follow the steps described for the Initial Set-up until you reach the WebConf wizard's page with installation options.
  2. Click the installation option Restore system from backup to open the corresponding wizard page:

  3. Date and Time Settings: Make sure Time Zone, Date and Time are correct.
  4. Select backup: Enter the connections details of your NFS server and select your backup.
  5. Backup protection: Enter the Domain Master Secret for your backup and click Verify.
  6. Click Restore system using this backup. Depending on the configuration of your initial system, you will be prompted to connect a PIN pad and provide the backup protection smart cards.
    Restoring the backup can take up to several hours depending on the size of your backup.
  7. At the end of the restore procedure, you are prompted to reboot the system.

The rebooted system will have the configuration restored from the backup. This includes, for example, IP address and SuperAdmin certificates.

Migration option in Confirm section

As of version 3.6.0, the section Confirm appears with the option Migrate PKCS#11 R1.... By default, the option is deactivated:

If you activate the option, the backup process will also migrate your HSM key material from PKCS#11 R1 to PKCS#11 R2. If unsure, you can safely skip this section, as we are still supporting PKCS#11 R1.

PrimeKey offers the migration process in preparation for phasing out PKCS#11 R1 support since P11-R1 has been deprecated by the HSM vendor. For more details, please refer to the migration information available on the PrimeKey Support Portal (for customers with a valid support contract and support portal access).