Commit 5744a93

Merge pull request #271554 from chen-karen/patch-2
Update disaster-recovery-guide.md
2 parents c55fc37 + ad4bd77 commit 5744a93

1 file changed

+15
-7
lines changed

articles/key-vault/managed-hsm/disaster-recovery-guide.md

Lines changed: 15 additions & 7 deletions
@@ -74,23 +74,31 @@ At this point in the normal creation process, we initialize and download the new
7474
az keyvault security-domain init-recovery --hsm-name ContosoMHSM2 --sd-exchange-key ContosoMHSM2-SDE.cer
7575
```
7676

77-
## Upload Security Domain to destination HSM
77+
## Create a Security Domain Upload blob of the source HSM
7878

7979
For this step you'll need:
8080
- The Security Domain Exchange Key you downloaded in previous step.
8181
- The Security Domain of the source HSM.
8282
- At least quorum number of private keys that were used to encrypt the security domain.
8383

84-
The `az keyvault security-domain upload` command performs following operations:
84+
The `az keyvault security-domain restore-blob` command performs following operations:
85+
- Decrypt the source HSM's Security Domain with the private keys you supply.
86+
- Create a Security Domain Upload blob encrypted with the Security Domain Exchange Key we downloaded in the previous step
8587

86-
- Decrypt the source HSM's Security Domain with the private keys you supply.
87-
- Create a Security Domain Upload blob encrypted with the Security Domain Exchange Key we downloaded in the previous step and then
88-
- Upload the Security Domain Upload blob to the HSM to complete security domain recovery
88+
This step can be performed offline.
8989

90-
In the following example, we use the Security Domain from the **ContosoMHSM**, the 2 of the corresponding private keys, and upload it to **ContosoMHSM2**, which is waiting to receive a Security Domain.
90+
In the following example, we use the Security Domain from the **ContosoMHSM**, the 3 of the corresponding private keys, and the Security Domain Exchange Key to create and download an encrypted blob which we will use to upload to **ContosoMHSM2**, which is waiting to receive a Security Domain.
91+
92+
```azurecli-interactive
93+
az keyvault security-domain restore-blob --sd-exchange-key ContosoMHSM2-SDE.cer --sd-file ContosoMHSM-SD.json --sd-wrapping-keys cert_0.key cert_1.key cert_2.key --sd-file-restore-blob restore_blob.json
94+
```
95+
96+
## Upload Security Domain Upload blob to destination HSM
97+
98+
We now use the Security Domain Upload blob created in the previous step and upload it to the destination HSM to complete the security domain recovery. The `--restore-blob` flag is used to prevent exposing keys in an online environment.
9199

92100
```azurecli-interactive
93-
az keyvault security-domain upload --hsm-name ContosoMHSM2 --sd-exchange-key ContosoMHSM2-SDE.cer --sd-file ContosoMHSM-SD.json --sd-wrapping-keys cert_0.key cert_1.key
101+
az keyvault security-domain upload --hsm-name ContosoMHSM2 --sd-file restore_blob.json --restore-blob
94102
```
95103

96104
Now both the source HSM (ContosoMHSM) and the destination HSM (ContosoMHSM2) have the same security domain. We can now restore a full backup from the source HSM into the destination HSM.
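Review bot: the new prose in this hunk (lines 84+ through 98+) leaves the security rationale implicit and carries a few grammar slips. `The \`az keyvault security-domain restore-blob\` command performs following operations:` should read `performs the following operations:`, the second bullet `- Create a Security Domain Upload blob encrypted with the Security Domain Exchange Key we downloaded in the previous step` is missing its terminal period, and `the 3 of the corresponding private keys` should be `3 of the corresponding private keys`. More importantly, `The \`--restore-blob\` flag is used to prevent exposing keys in an online environment.` states the benefit without the mechanism: the private keys (`cert_0.key cert_1.key cert_2.key`) are consumed only by `restore-blob`, which is the step the text says can run offline, and the only artifact that has to reach the online machine is `restore_blob.json`, which is already encrypted to the destination HSM's exchange key. Suggest saying exactly that, and moving `This step can be performed offline.` up beside the decrypt bullet so readers see why the split matters. Two smaller points: the example now passes three wrapping keys where the old text used two, so confirm this matches the quorum configured for ContosoMHSM earlier in the guide (line 82 only says `At least quorum number of private keys`), and the heading `## Create a Security Domain Upload blob of the source HSM` reads as if the blob belongs to the source; `## Create a Security Domain Upload blob from the source HSM's Security Domain` is clearer.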
