Test runs with Germany’s first-generation electronic health cards and doctors’ “health professional cards” have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up. Consequently, if additional new cards are required for field testing, all of the cards previously produced for the tests will have to be replaced, because a new root CA will have to be generated.
Backups? We don’t need no steenkeen’ backups! I can understand running with scissors in a test environment. Things are in flux at times; you’re making changes to the running configs, trying different scenarios. But come on: not making backups of your key infrastructure when you’ve gotten to the test and QA phases? This stuff should have already been sorted out at this stage. Makes me wonder what other architectural issues there would have been with this setup once it went into full production. I’d love to see what their disaster recovery/business continuity plan was.
I’m led to believe that all HSMs have non-volatile memory and other fail-safe areas where keys can be stored, even if there is an HD failure, though the process of having the entire restoration and re-issuance/re-validation of the keys is quite cumbersome and long. I think they were using an nCipher HSM, no?
I have no idea. But from the article, it sounds like they didn’t even configure backups on the service in question at all. Having not used one of these devices before, I don’t know what capabilities they have to recover keys and configurations in a catastrophic hardware failure. I could foresee a case where the hardware was so crippled that the fail-safes were useless.
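As an added example at the end of this thread (not code from the eHealth pilot, from any HSM vendor, or from either commenter): one way to make a root CA key survive the loss of the HSM that holds it is to wrap the exported key blob with a key-encryption key, split that key-encryption key into k-of-n shares held by separate custodians, and rehearse the restore while the HSM is still alive. The script below implements Shamir secret sharing over a prime field in pure Python. The prime, the share counts, the custodian count and the sample key are all assumptions, and the "key check value" is just a truncated SHA-256 used to confirm a restore without revealing the key.

```python
"""k-of-n split backup of a key-encryption key, with a restore drill.

Added example for the HSM-backup discussion; not the pilot's own procedure.
"""
import hashlib
import secrets

# 13th Mersenne prime (assumed field); any secret of up to 64 bytes fits below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split secret bytes into n shares such that any k of them reconstruct it."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the k-1 random coefficients hide it.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length):
    """Lagrange-interpolate the shares at x = 0 and return the secret bytes."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Too few shares yield a random field element; never let that raise, just
    # return a value the check value will reject.
    needed = (total.bit_length() + 7) // 8
    return total.to_bytes(max(length, needed), "big")


def key_check_value(key):
    """Short fingerprint stored beside the shares so a restore can be verified."""
    return hashlib.sha256(key).hexdigest()[:16]


def rehearse_restore(kek, k, n):
    """The drill to run before the HSM dies: split, then prove that any k shares
    reproduce the key and that k-1 shares do not. Returns (k_ok, fewer_fails)."""
    shares = split_secret(kek, k, n)
    kcv = key_check_value(kek)
    # Use the last k shares so the drill does not assume custodians 1..k show up.
    k_ok = key_check_value(recover_secret(shares[-k:], len(kek))) == kcv
    fewer_fails = key_check_value(recover_secret(shares[:k - 1], len(kek))) != kcv
    return k_ok, fewer_fails


if __name__ == "__main__":
    # Constructed sample: a random 32-byte key-encryption key standing in for the
    # key that wraps the exported root CA key blob. Not real key material.
    kek = secrets.token_bytes(32)
    for x, y in split_secret(kek, 3, 5):
        print(f"share for custodian {x}: {y.to_bytes(66, 'big').hex()[:32]}...")
    print("drill (k restores, k-1 fails):", rehearse_restore(kek, 3, 5))
```

The shares go to different people and different sites; the check value and the wrapped key blob can sit anywhere, since neither reveals the key. The point of `rehearse_restore` is the one the thread makes: a backup that has never been restored is a hope, not a backup, and the drill belongs in the test and QA phase, not after the module fails.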