Configuring Apache HDFS Encryption

Migrate between HSM and Ranger DB

If required, you can migrate the Ranger KMS master key from the HSM to the Ranger DB, or from the Ranger DB to the HSM.

  1. If Ranger KMS is running, stop it.
  2. Go to the Ranger KMS directory: /usr/hdp/$version/ranger-kms.

    Before running a migration script, check the Ranger KMS XML configuration file: the Ranger DB connection details must point to the database that takes part in the migration.

    For DB to HSM, the HSM details in that file must identify the HSM (provider and partition) to which the master key is being migrated.

  3. Run the script for the direction you need. $provider is the HSM provider name and $HSM_PARTITION_NAME is the HSM partition that holds, or will hold, the master key:

    Option      Run                                            Example
    DB to HSM   ./DBMK2HSM.sh $provider $HSM_PARTITION_NAME    ./DBMK2HSM.sh LunaProvider par19
    HSM to DB   ./HSMMK2DB.sh $provider $HSM_PARTITION_NAME    ./HSMMK2DB.sh LunaProvider par19

  4. Enter the partition password when prompted.
  5. After the migration completes, update the Ranger KMS properties if required so that Ranger KMS runs with the new configuration (HSM enabled for DB to HSM, HSM disabled for HSM to DB).
  6. Start Ranger KMS from Ambari.
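The following wrapper is an added example, not a script shipped with Ranger KMS or shown in the HDP documentation. It maps a direction keyword to the migration script documented above, validates the provider and partition arguments, and refuses to run while a Ranger KMS process is still up. Assumptions not stated on the page: RANGER_KMS_HOME defaults to the /usr/hdp/current/ranger-kms symlink, a running KMS is detected with pgrep on the string "ranger-kms", and DRY_RUN=1 (the default here) prints the command instead of executing it.

```shell
#!/usr/bin/env bash
# Added example (not from the HDP documentation or the Ranger project):
# a guarded wrapper around the Ranger KMS master-key migration scripts.
set -u

# Assumption: the 'current' symlink points at the installed HDP version.
: "${RANGER_KMS_HOME:=/usr/hdp/current/ranger-kms}"
# Assumption: default to printing the command rather than running it.
: "${DRY_RUN:=1}"

# Build the documented command line for a migration direction.
# Prints "<script> <provider> <partition>"; returns 1 on bad input.
kms_migration_cmd() {
  local direction provider partition script
  direction=$1; provider=$2; partition=$3
  case "$direction" in
    db2hsm) script=./DBMK2HSM.sh ;;   # master key: Ranger DB -> HSM
    hsm2db) script=./HSMMK2DB.sh ;;   # master key: HSM -> Ranger DB
    *) echo "unknown direction '$direction' (use db2hsm or hsm2db)" >&2; return 1 ;;
  esac
  if [ -z "$provider" ] || [ -z "$partition" ]; then
    echo "HSM provider and partition name are required" >&2
    return 1
  fi
  printf '%s %s %s\n' "$script" "$provider" "$partition"
}

# Assumption: a live Ranger KMS shows up as a process matching "ranger-kms".
# If pgrep is unavailable we cannot tell, so treat that as "running" (fail closed).
kms_is_running() {
  command -v pgrep >/dev/null 2>&1 || return 0
  pgrep -f 'ranger-kms' >/dev/null 2>&1
}

# Step 1 (stopped KMS), step 2 (cd into the KMS directory) and step 3 (run the
# script) from the procedure above. The script itself prompts for the
# partition password (step 4).
run_migration() {
  local cmd script
  cmd=$(kms_migration_cmd "$@") || return 1
  if kms_is_running; then
    echo "Ranger KMS appears to be running; stop it before migrating the master key" >&2
    return 1
  fi
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] cd $RANGER_KMS_HOME && $cmd"
    return 0
  fi
  cd "$RANGER_KMS_HOME" || return 1
  script=${cmd%% *}
  if [ ! -x "$script" ]; then
    echo "$script not found or not executable in $RANGER_KMS_HOME" >&2
    return 1
  fi
  $cmd
}

# Usage: DRY_RUN=0 ./migrate-mk.sh db2hsm LunaProvider par19
if [ "${1:-}" != "" ]; then
  run_migration "$@"
fi
```

Keep DRY_RUN=1 until the printed command matches what you expect, then rerun with DRY_RUN=0; nothing in the wrapper bypasses the partition-password prompt or the configuration checks in step 2.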
Warning

Deleting the master key is a destructive operation. If the master key is lost, the keys it protects, and therefore the data in encryption zones, cannot be recovered. It is therefore a best practice to keep backups of the master key in both the DB and the HSM, and to delete the old copy only after Ranger KMS has started with the new configuration and is serving keys correctly.

  • DB to HSM: once Ranger KMS is running with HSM enabled, you can delete the master key row from the DB table "ranger_masterkey" if it is no longer required, because the master key has already been migrated to the HSM.
  • HSM to DB: once Ranger KMS is running with HSM disabled, you can clear the master key object from the HSM partition if it is no longer required, because the master key has already been migrated to the DB.