Fortanix DSM Backup and Restore for AWS S3 Bucket - SGX

1.0 Introduction

This article describes the Fortanix-Data-Security-Manager (DSM) Amazon Web Services (AWS) S3 Bucket backup and restore procedures for a SGX machine.

2.0 Backing Up the Cluster Data

Perform the following tasks to create the storage accounts and S3 buckets for backing up the cluster data to AWS S3 Bucket:

2.1 Creating the S3 Bucket

Perform the following steps to create the S3 Bucket:

1. Sign into the AWS Management Console and open the Amazon S3 console.

2. Click the Create bucket button.

   

   

3. Perform the following steps to get your access key ID and secret access key:

   1. Open the IAM console at URL: https://console.aws.amazon.com/iam/

   2. On the navigation menu, click Users.

   3. Choose your preferred IAM username.

   4. Go to the Security Credentials tab → Create Access Key. To view the new access key, click the Show button.

      

3.0 Configuring Backup Using AWS S3 Bucket

This section describes the steps to configure backups using AWS S3 before or after creating a Fortanix Data Security Manager cluster.

Perform the following steps:

1. Edit the config.yaml file to add the following properties to enable backups in AWS S3 Bucket, which is your backup destination. For more information about the config.yaml file, refer to “Section 5.4: Configure Other Nodes for Joining the Cluster” in the Fortanix Data Security Manager Installation Guide - On-Prem:

   Refer to the following sample configuration to add new parameters bucket, region, access_key_id, and secret_access_key:

   backup:
     cron_schedule: "0 0 * * *"
     backup_mode: "snapshot" 
     exclude_auditlog: true
     aws:
       bucket: "containername"
       region: 
       access_key_id: 
       secret_access_key:

   NOTE

   • The value for backup_mode parameter can be either snapshot or cqlsh. However, it is recommended to set the value as snapshot.

   • By default, all the CRON jobs schedules are in the UTC time zone.

   For example:

   backup:
     cron_schedule: "0 0 * * *"
     backup_mode: "snapshot"
     exclude_auditlog: true
     aws:
       bucket: "dsm-backup-test-bucket"
       region: us-east-2
       access_key_id: 
       secret_access_key:

2. Run the following command to redeploy the cluster to apply changes to the config.yaml file:

   sdkms-cluster deploy --config config.yaml --stage DEPLOY

   After executing the deploy command, the DEPLOY pod starts or shows the status as RUNNING. Wait until the job is completed and the status changes to COMPLETED.

3. Run the following command to navigate to bin folder:

   cd /opt/fortanix/sdkms/bin

4. Run the following command to execute the run_sdkms_backup.sh script to perform the manual backup:

   ./run_sdkms_backup.sh

5. Run the following command to verify the status of the backup:

   kubectl logs -l job-name=sdkms-backup-manual

   

   NOTE

   Ensure that Cassandra and appropriate data and secrets are backed up to the AWS S3 Bucket as shown in the following image:

   

For steps to back up the audit log, refer to Fortanix DSM Backup for Audit Log.

4.0 Recovering the Data

For more information on data recovery procedure, refer to the Fortanix DSM Restoration Guide - Automated.