1.0 Introduction
This article describes the Fortanix Data Security Manager (DSM) passwordless SSH based backup and restore procedures for an SGX machine using the SCP backup type.
2.0 Configuring Backup Using SCP
Perform the following steps to configure passwordless SSH based backup using SCP, before or after creating a Fortanix DSM cluster on an SGX machine:
1. Edit the config.yaml file to add the following properties to enable backups to SCP, which is your backup destination. For more information about the config.yaml file, refer to "Section 5.4: Configure Other Nodes for Joining the Cluster" in the Fortanix Data Security Manager Installation Guide - On-Prem:

    backup:
      cron_schedule: "1 1 * * *"
      backup_mode: "snapshot"
      exclude_auditlog: true
      scp:
        server_ip: "10.198.0.67"
        username: "username"
        authmode: "privatekey"
        path: "/home/testuser/backup"

NOTE
By default, all the CRON job schedules are in the UTC time zone.

2. Run the ssh-keygen command to generate a public and private key pair. By default, this command creates two files in the .ssh directory:
    - id_rsa (or id_ed25519) – contains the private key
    - id_rsa.pub (or id_ed25519.pub) – contains the public key

Figure 1: Generate a Public and Private Key Pair

NOTE
When generating the SSH key, you will be prompted for the following inputs. Press <Enter> at each prompt to accept the default values and skip setting a passphrase:

    Enter file in which to save the key (/home/administrator/.ssh/id_ed25519): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>

3. Run the following command to retrieve the private key from the generated id_rsa file, base64-encoded on a single line:

    cat .ssh/id_rsa | base64 -w0
2.1 Setting or Patching a Kubernetes Secret
A secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Such information might otherwise be stored in a Fortanix DSM node or in a container image. Using a Kubernetes secret means that no confidential data is included in the Fortanix DSM node.
A Kubernetes secret is set on a placeholder secret object that will be available as a file during installation on a volume in the cluster. This file is updated using the patch operation with the actual value.
Perform the following steps to set a Kubernetes secret:

1. Create a configuration file named ssh-secret-patch.yaml that can be used while setting or patching a Kubernetes secret object. The configuration file should contain the following entries, including the private key generated in Section 2.0, Step 1:

    apiVersion: v1
    data:
      ssh-privatekey: "PRIVATEKEY"
    kind: Secret
    metadata:
      name: secret-ssh-auth
      namespace: default
    type: kubernetes.io/ssh-auth

NOTE
The variable "PRIVATEKEY" is replaced with the contents of the private key retrieved in Section 2.0: Configuring Backup Using SCP, Step 3.

2. Run the following command to patch the Kubernetes secret object:

    kubectl patch secret secret-ssh-auth --patch "$(cat ssh-secret-patch.yaml)"
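As an added illustration (not code from the Fortanix documentation), the following Python helper mirrors Step 3 of Section 2.0 and Step 1 above: it checks that the file read from .ssh/id_rsa has PEM BEGIN/END lines, base64-encodes it on one line the way base64 -w0 does, fills PRIVATEKEY in the ssh-secret-patch.yaml template, and decodes the rendered patch back to confirm the key was not truncated or line-wrapped when pasted. The function names and the sample key body are constructed placeholders, not a real key.

```python
import base64
import re

# Constructed placeholder standing in for the contents of ~/.ssh/id_rsa.
# It is not a real key; only the PEM framing matters for the checks below.
SAMPLE_PRIVATE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "c2FtcGxlLWtleS1ib2R5LW5vdC1hLXJlYWwta2V5\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Accepts "BEGIN OPENSSH PRIVATE KEY", "BEGIN RSA PRIVATE KEY", etc.
PEM_RE = re.compile(
    r"^-----BEGIN [A-Z ]+PRIVATE KEY-----\n.+\n-----END [A-Z ]+PRIVATE KEY-----\n?$",
    re.DOTALL,
)


def encode_private_key(pem: str) -> str:
    """Single-line base64 of the key file, as `cat id_rsa | base64 -w0` prints."""
    if not PEM_RE.match(pem):
        raise ValueError("input lacks PEM BEGIN/END private key lines")
    return base64.b64encode(pem.encode()).decode()


def build_secret_patch(pem: str, name: str = "secret-ssh-auth",
                       namespace: str = "default") -> str:
    """Render ssh-secret-patch.yaml with PRIVATEKEY replaced by the encoded key."""
    encoded = encode_private_key(pem)
    return (
        "apiVersion: v1\n"
        "data:\n"
        f'  ssh-privatekey: "{encoded}"\n'
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: kubernetes.io/ssh-auth\n"
    )


def recover_private_key(patch: str) -> str:
    """Decode data.ssh-privatekey from a rendered patch; a mismatch with the
    original file means the base64 text was truncated or wrapped on paste."""
    m = re.search(r'ssh-privatekey: "([A-Za-z0-9+/=]+)"', patch)
    if not m:
        raise ValueError("patch has no ssh-privatekey entry")
    return base64.b64decode(m.group(1), validate=True).decode()
```

Compare recover_private_key(build_secret_patch(key)) against the original file contents before running kubectl patch; any difference means the secret would hold a corrupt key and the scheduled SCP backup would fail to authenticate.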
From Fortanix DSM version 4.16 and above, perform the following steps to configure password-less backup using private key based authentication:

1. Run the ssh-keygen command to create a new private and public key pair, or use an existing one, on the node where backups are configured.

2. Run the following command and paste the actual private key id_rsa generated in Section 2.0: Configuring Backup Using SCP, Step 2 (including the BEGIN and END lines) when prompted:

    sdkms-cluster secret set secret-ssh-auth

3. Run the following commands to place the corresponding public key on the backup server, in the home directory of the backup user:

    cd .ssh
    cat id_rsa.pub >> authorized_keys
2.2 Copying Public Key to SCP Servers
After the successful patching of the Kubernetes secret object, the public key should be copied to the authorized key list on the SCP servers.
Perform the following steps to copy the public key:

1. Run the following command to copy the public key generated in Section 2.0: Configuring Backup Using SCP, Step 2 to the tmp folder of the SCP server:

    scp .ssh/id_rsa.pub username@serverip:/tmp

2. Run the ssh command to log in to the SCP server:

    ssh username@serverip

3. After successfully logging in to the SCP server, if the .ssh directory does not already exist in the home directory, run the following command to create it:

    mkdir .ssh

4. Run the following command to copy the id_rsa.pub file to a file named authorized_keys in the .ssh directory (this replaces any authorized_keys file that is already there):

    cp /tmp/id_rsa.pub .ssh/authorized_keys
For steps to back up the audit log, refer to Fortanix DSM Backup for Audit Log.
3.0 Recovering the Data
For a step-by-step procedure on data recovery, refer to Fortanix DSM Restoration Guide - Automated.