You will usually use the WebConf installation option Restore system from backup to restore a standalone system. In a cluster environment, only restore a backup in an utmost emergency, for example, if all cluster nodes are non-operational. If at least one cluster node is still operational, you should always reconfigure a broken cluster from the last remaining node.

For general information about clustering and High Availability (HA) setup, see  Availability and Clustering.
For information on how to proceed with either bringing back a Hardware Appliance into your cluster or, as a last resort, restore a cluster node from backup, see Backing Up a Cluster.

To restore from a backup of versions smaller than 3.0.0, you must first restore to version 3.3.0.!


You will need the following for restoring the system from a backup:

  • Physical access to the Hardware Appliance:
    You can only restore a backup file to a fresh and unprovisioned machine.
  • Backup file on a Network File System (NFS) share or on a USB stick
  • Domain Master Secret:
    You specified that when installing the first machine of your environment.
  • Security level requirements:
    PIN pad, the persons with their smart cards and their PINs.

For more information on the Domain Master Secret, the Appliance Security Level, and smart cards, see Initial Set-up > Step 5: Running WebConf Wizard, sections Hardware Security Module Settings and Security Settings - Secrets

Product size variations

You can only restore a backup to a matching or bigger product size version. For example, a backup from a model M product size can only be restored to hardware of M or L product size. For more information on Hardware Appliance models, see Model Specifications.

Restoring the System from a Backup

Proceed as follows to restore a standalone system from a backup:

  1. Follow the steps described for the Initial Set-up until you reach the WebConf wizard's page with installation options.
  2. Click the installation option Restore system from backup to open the corresponding wizard page:

  3. Date and Time Settings: Make sure Time Zone, Date and Time are correct.
  4. Select backup: Enter the connections details of your NFS server and select your backup. Alternatively, select the backup on a USB stick.
  5. Backup protection: Enter the Domain Master Secret for your backup and click Verify.
  6. Confirm: If desired, select the appropriate options for migrating your HSM key material:
    Migrate PKCS#11 R1 ... to PKCS#11 R2...:
    Activate this option to migrate your HSM key material from PKCS#11 R1 to PKCS#11 R2 during the backup process. Keyfactor offers this migration process in preparation for phasing out PKCS#11 R1 support since PKCS#11 R1 has been deprecated by the HSM vendor. If unsure, you can safely skip this option, as we are still supporting PKCS#11 R1.

    Migrate HSM key material into FIPS mode:
    Activate this option to load and activate the FIPS firmware module during the backup process. This will enforce restrictions that are required by the FIPS 140-2 standard.
    The migration to FIPS mode is only available for PKCS#11 R2. For PKCS#11 R1 backups, the option becomes visible when you also activate Migrate PKCS#11 R1 ... to PKCS#11 R2.... The migration steps will then be performed one after the other when restoring the backup.

  7. Click Restore system using this backup. Depending on the configuration of your initial system, you will be prompted to connect a PIN pad and provide the backup protection smart cards.
    Restoring the backup can take up to several hours depending on the size of your backup.
  8. At the end of the restore procedure, you are prompted to reboot the system.

On the rebooted system, the configuration from the backup is restored. This includes, for example, the IP address and the SuperAdmin certificates.

Migration options in Confirm section

Depending on your backup file, the section Confirm appears with the migration options Migrate PKCS#11 R1 ... to PKCS#11 R2... and/or Migrate HSM key material into FIPS mode:

With these options, the backup process will migrate your HSM key material from PKCS#11 R1 to PKCS#11 R2 and/or migrate the HSM key material into certified FIPS mode. For more details, please refer to the migration information in Migration Workflows.