We are moving from an old IDM tree to a new tree and are trying to
figure out if there is any way to back up/restore the Challenge Response

I know we cannot sync it with IDM. I assume it is encrypted with the
SDI keys.

Jim Willeke has a great tool that shows data about the UP/Simple/NDS
password state and if allowed by policy (Password Policy. Allow Admin to
retrieve passwords) the current UP value.

Wondering if there is a similar approach/tool for Challenge/Response.
Is it even possible?

I guess if we could get a tool to decode secrets encrypted with SDI? I
concede the existence of such a tool would be a security hole, once you
gain physical access to a DIBset...