Migrate between HSM and Ranger DB
If required, you can migrate the master key from HSM to Ranger DB or from Ranger DB to HSM.
- If running, stop the Ranger KMS server.
Go to the Ranger KMS directory:
The details of the DB to which KMS is being migrated must be correctly configured in the Ranger KMS XML configuration file.
For DB to HSM: the HSM details must be those of the KMS HSM to which you are migrating.
| Option | Run | Example |
| --- | --- | --- |
| DB to HSM | ./DBMK2HSM.sh $provider $HSM_PARTITION_NAME | ./DBMK2HSM.sh LunaProvider par19 |
| HSM to DB | ./HSMMK2DB.sh $provider $HSM_PARTITION_NAME | ./HSMMK2DB.sh LunaProvider par19 |
- Enter the partition password.
- After the migration is completed: if you want to run Ranger KMS according to the new configuration (with HSM either enabled or disabled), update the Ranger KMS properties if required.
- Start Ranger KMS from Ambari.
Deleting the master key is a destructive operation. If the master key is lost, there is potential data loss, since data under encryption zones cannot be recovered. Therefore, it is a best practice to keep backups of the master key in DB as well as HSM.
- DB to HSM: When Ranger KMS is running with HSM enabled, delete the Master Key row from the DB table "ranger_masterkey" if it is no longer required because the Master Key has already been migrated to HSM.
- HSM to DB: When Ranger KMS is running with HSM disabled, clear the Master Key object from the HSM partition if it is no longer required because the Master Key has already been migrated to DB.
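
A pre-flight check for the configuration prerequisites above, run before DBMK2HSM.sh or HSMMK2DB.sh. This is an added example, not part of the original page or of Ranger itself. Assumptions: the property names are those used in Ranger KMS's dbks-site.xml (this page does not list them), the function names are hypothetical, and treating a mismatch between the configured HSM and the script arguments as a blocker is this example's reading of the DB to HSM prerequisite.

```python
import xml.etree.ElementTree as ET

# Property names assumed from Ranger KMS's dbks-site.xml; this page does not list them.
DB_PROPS = ("ranger.ks.jpa.jdbc.url", "ranger.ks.jpa.jdbc.user")
HSM_TYPE, HSM_PARTITION = "ranger.ks.hsm.type", "ranger.ks.hsm.partition.name"

# Constructed sample configuration (hypothetical host and user).
SAMPLE = """<configuration>
  <property><name>ranger.ks.jpa.jdbc.url</name><value>jdbc:mysql://db.example.com/rangerkms</value></property>
  <property><name>ranger.ks.jpa.jdbc.user</name><value>rangerkms</value></property>
  <property><name>ranger.ks.hsm.type</name><value>LunaProvider</value></property>
  <property><name>ranger.ks.hsm.partition.name</name><value>par19</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def preflight(xml_text, direction, provider, partition):
    """Return problems that should block the migration script; an empty list means go."""
    if direction not in ("db2hsm", "hsm2db"):
        raise ValueError("direction must be 'db2hsm' or 'hsm2db'")
    props = load_props(xml_text)
    # Both directions need the DB details in the config file.
    problems = [f"missing or empty: {p}" for p in DB_PROPS if not props.get(p)]
    if direction == "db2hsm":
        # The configured HSM must be the one named on the DBMK2HSM.sh command line.
        for key, arg in ((HSM_TYPE, provider), (HSM_PARTITION, partition)):
            if props.get(key) != arg:
                problems.append(f"{key}={props.get(key)!r} does not match argument {arg!r}")
    return problems


if __name__ == "__main__":
    result = preflight(SAMPLE, "db2hsm", "LunaProvider", "par19")
    for line in result or ["configuration OK"]:
        print(line)
```
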