---
title: "Backup and Restore for CDK - Non-SGX"
slug: "fortanix-dsm-backup-and-restore-for-cdk-non-sgx"
updated: 2026-04-01T07:31:55Z
published: 2025-08-22T11:49:28Z
canonical: "support.fortanix.com/fortanix-dsm-backup-and-restore-for-cdk-non-sgx"
---

# Backup and Restore for CDK - Non-SGX

## 1.0 Introduction

This article describes the steps to restore a Cluster Deployment Key (CDK) cluster on a non-SGX machine, using any of the backup types (Azure/AWS S3/SCP) configured in the `config.yaml` file.

The backup and restore process is the same as for other Fortanix Data Security Manager (DSM) hardware-based deployments. In a CDK-based non-SGX cluster, the Cluster Master Key (CMK) is derived using a secret, referred to as the CDK, that is stored in an external Hardware Security Module (HSM). This external HSM could be a Fortanix DSM hardware appliance cluster, Fortanix DSM SaaS, or any third-party HSM that supports a PKCS#11 interface (including nShield, Luna, or AWS CloudHSM). The deployment key is generated automatically during cluster creation.

> [!NOTE]
> 
> - The deployment key is required to restore the backup if the cluster is reset or re-created, so it must be backed up in a safe location. Without this deployment key, the backup cannot be restored and is unusable.
> - The `secret-ext-hsm-credentials` secret must also be backed up in a safe location.
> - The node that you are restoring must have been part of the active cluster at least once to inherit the Cluster Master Key (CMK).

## 2.0 Configuring Backup Using CDK Cluster

This section illustrates the procedure to configure the Cluster Deployment Key (CDK) cluster.

Perform the following steps:

1. Log in to the production or source cluster.
2. Run the following command to locate the deployment key and external HSM credentials secret:

```bash
kubectl get secrets
```
3. Run the following commands to back up the `sdkms-deployment-key-store` secret and the external HSM credentials secret:

```bash
kubectl get secret secret-ext-hsm-credentials -oyaml > secret-ext-hsm-credentials.yaml
kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml
```
4. Save the `sdkms-deployment-key-store.yaml` and `secret-ext-hsm-credentials.yaml` files in a secure location.

> [!NOTE]
> 
> Save these files in a folder other than the backup folder.

5. Run the following commands to copy the above secrets to the DR node/target node where the restore operation is to be performed:

```bash
scp sdkms-deployment-key-store.yaml username@ip_address:home
scp secret-ext-hsm-credentials.yaml username@ip_address:home
```
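
Before the copy in step 5, the exported manifests can be checked so that a truncated, mislabelled, or world-readable file is not what ends up on the DR node. The script below is an added example, not part of the Fortanix documentation or tooling; the secret names are the ones used above, while the function names and the `cdk-secrets.sha256` file are assumptions. It assumes a Linux host with GNU `stat` and `sha256sum`.

```bash
#!/usr/bin/env bash
# Added example (not Fortanix tooling). The two secret names come from the
# steps above; the function names and the .sha256 file are assumptions.

fail() { echo "FAIL: $*" >&2; return 1; }

# check_secret_export FILE NAME: return 0 only if FILE is a usable export.
check_secret_export() {
  local file=$1 want=$2 mode
  [ -s "$file" ] || { fail "$file is missing or empty"; return 1; }
  grep -Eq '^kind: *Secret *$' "$file" \
    || { fail "$file is not a Secret manifest"; return 1; }
  grep -Eq "^ +name: *${want} *\$" "$file" \
    || { fail "$file is not secret '$want'"; return 1; }
  # At least one populated key must sit under the top-level data: map.
  awk '/^data:/ {d=1; next} /^[^ ]/ {d=0}
       d && /^ +[^ :]+: *[^ ]/ {n++} END {exit n ? 0 : 1}' "$file" \
    || { fail "$file has no entries under data:"; return 1; }
  # The values are only base64-encoded, so the file must be owner-only.
  mode=$(stat -c '%a' "$file")
  case $mode in
    *00) ;;
    *) fail "$file has mode $mode; run chmod 600"; return 1 ;;
  esac
}

# prepare_transfer DIR: check both exports, then record their SHA-256 digests
# so the copies can be verified on the DR node with `sha256sum -c`.
prepare_transfer() {
  local dir=$1 name
  for name in sdkms-deployment-key-store secret-ext-hsm-credentials; do
    check_secret_export "$dir/$name.yaml" "$name" || return 1
  done
  ( cd "$dir" && sha256sum sdkms-deployment-key-store.yaml \
      secret-ext-hsm-credentials.yaml > cdk-secrets.sha256 )
}

# Usage: ./check-cdk-exports.sh /path/to/secure/folder
[ "$#" -eq 0 ] || prepare_transfer "$1"
```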

*For more information on how to back up the audit log, refer to [Fortanix DSM Backup for Audit Log](/v1/docs/fortanix-dsm-backup-for-audit-log).*

## 3.0 Recovering the Data

*For more information on the data recovery procedure, refer to [Fortanix DSM Restoration Guide - Automated](/v1/docs/fortanix-dsm-restoration-guide-automated).*

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

