---
title: "Passwordless-Based Backup and Restore Using SCP - SGX"
slug: "fortanix-dsm-passwordless-based-backup-and-restore-using-scp-sgx"
updated: 2026-04-01T07:31:03Z
published: 2026-03-17T16:09:42Z
canonical: "support.fortanix.com/fortanix-dsm-passwordless-based-backup-and-restore-using-scp-sgx"
---

# Passwordless-Based Backup and Restore Using SCP - SGX

## 1.0 Introduction

This article describes the passwordless SSH-based backup and restore procedures for Fortanix Data Security Manager (DSM) on an SGX machine using the SCP backup type.

## 2.0 Configuring Backup Using SCP

Perform the following steps to configure passwordless SSH-based backup using SCP. You can do this before or after creating a Fortanix DSM cluster on an SGX machine.

1. Edit the `config.yaml` file to add the following properties, which enable backups to your SCP backup destination. *For more information about the* `config.yaml` *file, refer to “Section 5.4: Configure Other Nodes for Joining the Cluster” in the* [*Fortanix Data Security Manager Installation Guide - On-Prem*](https://support.fortanix.com/docs/fortanix-data-security-manager-installation-guide-on-prem#54-configure-other-nodes-for-joining-the-cluster):

```yaml
backup:
   cron_schedule: "1 1 * * *"
   backup_mode: "snapshot"
   exclude_auditlog: true
   scp:
     server_ip: "10.198.0.67"
     username: "username"
     authmode: "privatekey"
     path: "/home/testuser/backup"
```

> [!NOTE]
> By default, all CRON job schedules are in the UTC time zone.

2. Run the `ssh-keygen` command to generate a public and private key pair. By default, this command creates two files in the `.ssh` directory:
   - `id_rsa` (or `id_ed25519`) – contains the private key
   - `id_rsa.pub` (or `id_ed25519.pub`) – contains the public key

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Passwordless backup using SCP.PNG)

**Figure 1: Generate a Public and Private Key pair**

> [!NOTE]
> When generating the SSH key, you will be prompted for the following inputs. Press `<Enter>` at each prompt to accept the default values and skip setting a passphrase:
> 
> ```bash
> Enter file in which to save the key (/home/administrator/.ssh/id_ed25519):<Enter>
> Enter passphrase (empty for no passphrase):<Enter>
> Enter same passphrase again:<Enter>
> ```
3. Run the following command to print the private key from the generated `id_rsa` file as a single-line base64 string (use `id_ed25519` instead if that is the file `ssh-keygen` created):

```bash
cat .ssh/id_rsa | base64 -w0
```

### 2.1 Setting or Patching a Kubernetes Secret

A secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Such information might otherwise be stored in a Fortanix DSM node or in a container image. Using a Kubernetes secret means that no confidential data is included in the Fortanix DSM node.

A Kubernetes secret is set on a placeholder secret object that will be available as a file during installation on a volume in the cluster. This file is updated using the patch operation with the actual value.

Perform the following steps to set a Kubernetes secret:

1. Create a configuration file named `ssh-secret-patch.yaml` to use when setting or patching the Kubernetes secret object. The file should contain the following entries, including the private key that was generated in *Section 2.0, Step 1*:

```yaml
apiVersion: v1
data:
   ssh-privatekey: "PRIVATEKEY"
kind: Secret
metadata:
   name: secret-ssh-auth
   namespace: default
type: kubernetes.io/ssh-auth
```

> [!NOTE]
> Replace the placeholder `"PRIVATEKEY"` with the contents of the private key retrieved in [*Section 2.0: Configuring Backup Using SCP*](/v1/docs/fortanix-dsm-passwordless-based-backup-and-restore-using-scp-sgx#20-configuring-backup-using-scp), *Step 3*.

2. Run the following command to patch the Kubernetes secret object:

```bash
kubectl patch secret secret-ssh-auth --patch "$(cat ssh-secret-patch.yaml)"
```
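
The following added example (not part of the Fortanix documentation) combines Section 2.0, Step 3 with Step 1 above: it base64-encodes the key, writes `ssh-secret-patch.yaml` readable only by its owner, and checks that the stored value decodes back to the key file. The function name `make_ssh_secret_patch` and the header check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Fortanix code. Function name and checks are assumptions.
# Usage: make_ssh_secret_patch "$HOME/.ssh/id_rsa" ssh-secret-patch.yaml

make_ssh_secret_patch() {
    keyfile=$1
    outfile=$2

    # Refuse anything that does not start like a private key file
    # (for example the .pub file picked by mistake).
    case "$(head -n 1 "$keyfile")" in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "not a private key: $keyfile" >&2; return 1 ;;
    esac

    # -w0 keeps the value on one line; a wrapped value breaks the YAML scalar.
    encoded=$(base64 -w0 "$keyfile") || return 1

    # The patch file holds the key, so create it readable by the owner only.
    (
        umask 077
        rm -f "$outfile"
        cat > "$outfile" <<EOF
apiVersion: v1
data:
   ssh-privatekey: "$encoded"
kind: Secret
metadata:
   name: secret-ssh-auth
   namespace: default
type: kubernetes.io/ssh-auth
EOF
    ) || return 1

    # Round-trip check: decode what was written and compare with the key file.
    sed -n 's/^ *ssh-privatekey: "\(.*\)"$/\1/p' "$outfile" |
        base64 -d | cmp -s - "$keyfile"
}
```

Delete the patch file once `kubectl patch` has succeeded, since it contains the unencrypted private key.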

For Fortanix DSM version 4.16 and above, perform the following steps to configure passwordless backup with private key authentication:

1. Run the `ssh-keygen` command to create a new private and public key pair or use an existing one on the node where backups are configured.
2. Run the following command and, when prompted, paste the actual private key from the `id_rsa` file generated in [*Section 2.0: Configuring Backup Using SCP*](/v1/docs/fortanix-dsm-passwordless-based-backup-and-restore-using-scp-sgx#20-configuring-backup-using-scp), *Step 2* (including the `BEGIN` and `END` lines):

```bash
sdkms-cluster secret set secret-ssh-auth
```
3. Run the following command to place the corresponding public key on the backup server in the home directory of the backup user:

```bash
cd .ssh
cat id_rsa.pub >> authorized_keys
```

### 2.2 Copying Public Key to SCP Servers

After the successful patching of the Kubernetes secret object, the public key should be copied to the authorized key list on the SCP servers.

Perform the following steps to copy the public key:

1. Run the following command to copy the public key generated in [*Section 2.0: Configuring Backup Using SCP*](/v1/docs/fortanix-dsm-passwordless-based-backup-and-restore-using-scp-sgx#20-configuring-backup-using-scp), *Step 2* to the `/tmp` directory of the SCP server:

```bash
scp .ssh/id_rsa.pub username@serverip:/tmp
```
2. Run the `ssh` command to log in to the SCP server:

```bash
ssh username@serverip
```
3. After successfully logging in to the SCP server, if the `.ssh` directory does not already exist in the home directory, run the following command to create it:

```bash
mkdir .ssh
```
4. Run the following command to copy the `id_rsa.pub` file to a file named `authorized_keys` in the `.ssh` directory:

```bash
cp /tmp/id_rsa.pub .ssh/authorized_keys
```
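
Step 4's `cp` replaces any `authorized_keys` file that already exists in `.ssh`. The following added example (not part of the Fortanix documentation) appends the key instead, skips it if it is already present, and sets the directory and file modes that `sshd` expects; the function name, its arguments and the optional `restrict` prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Fortanix code. Run on the SCP server as the backup user.
# Usage: install_backup_pubkey /tmp/id_rsa.pub "$HOME/.ssh" [options]

install_backup_pubkey() {
    pubfile=$1                  # public key copied over in step 1
    sshdir=${2:-$HOME/.ssh}     # target directory, defaults to ~/.ssh
    options=${3:-}              # optional authorized_keys options, e.g. "restrict"
    auth=$sshdir/authorized_keys

    # Accept exactly one line that looks like an OpenSSH public key.
    [ "$(grep -c '' "$pubfile")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    key=$(cat "$pubfile")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubfile" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default), keys are refused when these paths
    # are writable by anyone other than the owner.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on the key blob (second field) so a re-run does not add a
    # duplicate, and keys already in the file are never overwritten.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    # "restrict" is an OpenSSH authorized_keys option that turns off
    # forwarding and PTY allocation; run a test backup after enabling it.
    printf '%s\n' "${options:+$options }$key" >> "$auth"
}
```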

*For steps to back up the audit log, refer to* [*Fortanix DSM Backup for Audit Log*](/v1/docs/fortanix-dsm-backup-for-audit-log)*.*

*For steps to disable the backup configuration, refer to* [*Disable Backup Configuration*](/v1/docs/introduction-to-fortanix-dsm-backup-and-restore#60-disable-backup-configuration)*.*

## 3.0 Recovering the Data

*For a step-by-step procedure on data recovery, refer to* [*Fortanix DSM Restoration Guide - Automated*](/v1/docs/fortanix-dsm-restoration-guide-automated)*.*

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Restoration Guide - Automated](/fortanix-dsm-restoration-guide-automated.md)
- [Introduction to Fortanix DSM Backup and Restore](/introduction-to-fortanix-dsm-backup-and-restore.md)
- [Fortanix DSM with CyberArk Enterprise Password Vault](/fortanix-dsm-with-cyberark-enterprise-password-vault.md)
- [Password-Based Backup and Restore Using SCP - SGX](/fortanix-dsm-password-based-backup-and-restore-using-scp-sgx.md)
