====== CA Backup/Restore ======
**Kritisch:** CA-Schlüssel sind das wertvollste Asset der PKI! \\
**RTO:** 4 Stunden | **RPO:** 24 Stunden
Verfahren zur Sicherung und Wiederherstellung von CA-Schlüsseln und -Zertifikaten.
----
===== Backup-Komponenten =====
| Komponente | Kritikalität | Backup-Frequenz |
|------------|--------------|-----------------|
| Root-CA Private Key | **Kritisch** | Einmalig + Offline |
| Intermediate Private Keys | **Hoch** | Nach jeder Änderung |
| CA-Zertifikate | Mittel | Täglich |
| CA-Datenbank (index.txt) | Mittel | Täglich |
| Konfiguration (openssl.cnf) | Niedrig | Bei Änderung |
| CRL-Signing Key | Hoch | Mit CA-Key |
----
===== Backup-Strategie =====
flowchart TB
subgraph LIVE["🖥️ PRODUKTIV"]
L1[CA-Server]
L2[HSM]
end
subgraph BACKUP["💾 BACKUP"]
B1[Verschlüsseltes Backup]
B2[HSM Backup Slot]
B3[Shamir Shares]
end
subgraph OFFLINE["🔒 OFFLINE"]
O1[Safe]
O2[Treuhänder]
O3[Off-Site]
end
L1 --> B1 --> O1
L2 --> B2 --> O3
L1 --> B3 --> O2
style L2 fill:#e8f5e9
style O1 fill:#e3f2fd
----
===== Backup-Verfahren =====
==== Software-Keys (ohne HSM) ====
#!/bin/bash
# ca-backup.sh - CA-Backup erstellen
BACKUP_DIR="/backup/pki/$(date +%Y%m%d)"
ENCRYPTION_KEY="/etc/pki/backup-key.pem" # RSA Public Key für Verschlüsselung
mkdir -p "$BACKUP_DIR"
# 1. Private Keys (verschlüsselt)
echo "Sichere Private Keys..."
for key in /etc/pki/CA/*.key; do
keyname=$(basename "$key" .key)
# Mit AES-256 verschlüsseln
openssl enc -aes-256-cbc -salt -pbkdf2 \
-in "$key" \
-out "$BACKUP_DIR/${keyname}.key.enc" \
-pass file:/etc/pki/backup-passphrase.txt
# Oder mit RSA Public Key (asymmetrisch)
openssl pkeyutl -encrypt \
-pubin -inkey "$ENCRYPTION_KEY" \
-in "$key" \
-out "$BACKUP_DIR/${keyname}.key.rsa-enc"
done
# 2. Zertifikate
echo "Sichere Zertifikate..."
cp /etc/pki/CA/*.pem "$BACKUP_DIR/"
# 3. CA-Datenbank
echo "Sichere CA-Datenbank..."
cp /etc/pki/CA/index.txt "$BACKUP_DIR/"
cp /etc/pki/CA/serial "$BACKUP_DIR/"
cp /etc/pki/CA/crlnumber "$BACKUP_DIR/"
# 4. Konfiguration
cp /etc/pki/CA/openssl.cnf "$BACKUP_DIR/"
# 5. Ausgestellte Zertifikate
tar czf "$BACKUP_DIR/issued-certs.tar.gz" /etc/pki/CA/newcerts/
# 6. Checksummen
cd "$BACKUP_DIR"
sha256sum * > SHA256SUMS
# 7. Gesamtarchiv (optional)
cd /backup/pki
tar czf "ca-backup-$(date +%Y%m%d).tar.gz" "$(date +%Y%m%d)/"
echo "Backup abgeschlossen: $BACKUP_DIR"
==== HSM-basierte Keys ====
#!/bin/bash
# hsm-backup.sh - HSM Key Backup
# Luna HSM
/usr/safenet/lunaclient/bin/lunacm << EOF
partition backup
partition name = ca-partition
backup file = /backup/hsm/ca-partition-$(date +%Y%m%d).bak
EOF
# Thales HSM
nShield-cknfastrc backup --slotlist=0 --output=/backup/hsm/nshield-$(date +%Y%m%d).bak
# AWS CloudHSM
aws cloudhsmv2 create-cluster-backup --cluster-id
==== Shamir Secret Sharing ====
#!/bin/bash
# shamir-split.sh - Key auf Treuhänder verteilen
KEY_FILE="/etc/pki/CA/root-ca.key"
SHARES=5
THRESHOLD=3
# Mit ssss-split (Shamir's Secret Sharing Scheme)
cat "$KEY_FILE" | ssss-split -t $THRESHOLD -n $SHARES -w root-ca
# Ergebnis: 5 Dateien (root-ca-1 bis root-ca-5)
# Mindestens 3 werden zur Wiederherstellung benötigt
# An Treuhänder verteilen
echo "Verteile Shares an Treuhänder:"
echo " Share 1 → Treuhänder A"
echo " Share 2 → Treuhänder B"
echo " Share 3 → Treuhänder C"
echo " Share 4 → Off-Site Safe"
echo " Share 5 → HSM Escrow"
----
===== Restore-Verfahren =====
==== Software-Keys ====
#!/bin/bash
# ca-restore.sh - CA aus Backup wiederherstellen
BACKUP_FILE="$1"
RESTORE_DIR="/etc/pki/CA"
if [ -z "$BACKUP_FILE" ]; then
echo "Usage: $0 "
exit 1
fi
echo "=== CA RESTORE ==="
echo "Backup: $BACKUP_FILE"
read -p "Fortfahren? (yes/no): " confirm
[ "$confirm" != "yes" ] && exit 1
# 1. Aktuellen Zustand sichern
echo "Sichere aktuellen Zustand..."
mv "$RESTORE_DIR" "${RESTORE_DIR}.pre-restore-$(date +%Y%m%d%H%M%S)"
# 2. Backup entpacken
echo "Entpacke Backup..."
mkdir -p "$RESTORE_DIR"
tar xzf "$BACKUP_FILE" -C "$RESTORE_DIR" --strip-components=1
# 3. Private Keys entschlüsseln
echo "Entschlüssle Private Keys..."
for enc_key in "$RESTORE_DIR"/*.key.enc; do
keyname=$(basename "$enc_key" .key.enc)
openssl enc -aes-256-cbc -d -pbkdf2 \
-in "$enc_key" \
-out "$RESTORE_DIR/${keyname}.key" \
-pass file:/etc/pki/backup-passphrase.txt
rm "$enc_key"
done
# 4. Berechtigungen setzen
chmod 600 "$RESTORE_DIR"/*.key
chmod 644 "$RESTORE_DIR"/*.pem
chown -R root:root "$RESTORE_DIR"
# 5. Verifizieren
echo "Verifiziere Wiederherstellung..."
for key in "$RESTORE_DIR"/*.key; do
cert="${key%.key}.pem"
if [ -f "$cert" ]; then
key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | md5sum)
cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null | md5sum)
if [ "$key_mod" = "$cert_mod" ]; then
echo "✓ $(basename "$key"): Key/Cert Match"
else
echo "✗ $(basename "$key"): MISMATCH!"
fi
fi
done
# 6. CA-Service starten
echo "Starte CA-Services..."
systemctl start pki-ca
systemctl start ocsp-responder
echo "=== RESTORE ABGESCHLOSSEN ==="
==== Shamir Shares kombinieren ====
#!/bin/bash
# shamir-combine.sh - Key aus Shares wiederherstellen
echo "Shamir Share Wiederherstellung"
echo "Mindestens 3 von 5 Shares benötigt"
# Shares einsammeln (von Treuhändern)
ssss-combine -t 3 > /tmp/restored-key.tmp << EOF
EOF
# Verifizieren
openssl rsa -in /tmp/restored-key.tmp -check -noout
if [ $? -eq 0 ]; then
echo "Key erfolgreich wiederhergestellt"
mv /tmp/restored-key.tmp /etc/pki/CA/root-ca.key
chmod 600 /etc/pki/CA/root-ca.key
else
echo "FEHLER: Key ungültig!"
rm /tmp/restored-key.tmp
fi
----
===== Backup-Verification =====
#!/bin/bash
# verify-backup.sh - Backup-Integrität prüfen
BACKUP_DIR="$1"
echo "=== Backup-Verification ==="
# Checksummen prüfen
cd "$BACKUP_DIR"
sha256sum -c SHA256SUMS
if [ $? -ne 0 ]; then
echo "FEHLER: Checksum-Mismatch!"
exit 1
fi
# Key/Cert-Paare prüfen
for enc_key in *.key.enc; do
keyname=$(basename "$enc_key" .key.enc)
cert="${keyname}.pem"
if [ ! -f "$cert" ]; then
echo "WARNUNG: Kein Zertifikat für $keyname"
continue
fi
# Entschlüsseln und prüfen (temporär)
openssl enc -aes-256-cbc -d -pbkdf2 \
-in "$enc_key" \
-out /tmp/verify.key \
-pass file:/etc/pki/backup-passphrase.txt
key_mod=$(openssl rsa -in /tmp/verify.key -noout -modulus 2>/dev/null | md5sum)
cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null | md5sum)
if [ "$key_mod" = "$cert_mod" ]; then
echo "✓ $keyname: OK"
else
echo "✗ $keyname: MISMATCH!"
fi
rm /tmp/verify.key
done
echo "=== Verification abgeschlossen ==="
----
===== Backup-Schedule =====
| Komponente | Frequenz | Aufbewahrung | Medium |
|------------|----------|--------------|--------|
| CA-Datenbank | Täglich | 30 Tage | Disk → Tape |
| Intermediate Keys | Wöchentlich | 1 Jahr | Encrypted Disk |
| Root-CA Key | Einmalig | Permanent | Offline Safe |
| Konfiguration | Bei Änderung | 5 Versionen | Git |
----
===== Checkliste =====
| # | Prüfpunkt | ✓ |
|---|-----------|---|
| 1 | Backup-Script konfiguriert | ☐ |
| 2 | Encryption Key sicher gespeichert | ☐ |
| 3 | Shamir Shares verteilt | ☐ |
| 4 | Backup-Cron aktiv | ☐ |
| 5 | Off-Site Backup vorhanden | ☐ |
| 6 | Restore-Test erfolgreich | ☐ |
| 7 | Letzte Verification < 30 Tage | ☐ |
----
===== Verwandte Dokumentation =====
* [[.:key-ceremony|Key Ceremony]] – Sichere Schlüsselgenerierung
* [[.:notfall-revocation|Notfall-Revocation]] – Bei Kompromittierung
* [[de:int:pqcrypt:administrator:betrieb|Betrieb]] – Tägliche Wartung
----
<< [[.:start|← Disaster Recovery]] | [[.:key-ceremony|→ Key Ceremony]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>backup restore disaster-recovery ca operator}}