1.0 Introduction
This document describes the step-by-step procedure to restore the Fortanix-Data-Security-Manager (DSM) using automated method.
NOTE
The restoration method described in this guide is supported only for Fortanix DSM version 4.13 and above.
Fortanix DSM has the following cluster types:
SGX cluster
Non-SGX cluster
Non-SGX CDK enabled cluster
The restoration script supports the following scenarios for backup restoration:
Local backup (backup files available on local machine)
Secure Copy Protocol (SCP) password based backup
Secure Copy Protocol (SCP) passwordless based backup (private key)
Amazon Web Services (AWS) S3 bucket backup
Azure Blob Storage backup
1.1 Benefits
The following are the benefits of the Fortanix DSM restoration scripts:
It supports multiple node cluster restore (for example, 1 node, 3 nodes, 5 nodes, and so on).
The restoration process is completely automated.
It supports restoring backups up to 100GB in size.
The restoration script supports audit logs restoration backup.
2.0 Prerequisites
2.1 For Non-SGX Cluster
Perform the following step only if the Fortanix DSM is running on non-SGX machine:
Run following command to store the deployment key at a safe location before starting DSM restoration process:
kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml
2.2 For Non-SGX CDK Cluster
Perform the following steps only if the Fortanix DSM is running on non-SGX CDK enabled machine:
Run the following command to store the deployment key at a safe location before starting Fortanix DSM restoration process:
kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yamlRun the following command to store the secret external HSM credential at a safe location:
kubectl get secret secret-ext-hsm-credentials -oyaml > secret-ext-hsm-credentials.yaml
3.0 Restoring the Data
Perform the following steps to restore the Fortanix DSM cluster on any machine:
Run the following command navigate to
/opt/fortanix/sdkms/bin/cluster-restorefolder in DSM CLI:cd /opt/fortanix/sdkms/bin/cluster-restoreRun the following command to execute
generate_config.shscript to generate therestore_config.txtfile:./generate_config.shAfter executing the
generate_config.shscript, enter the valid inputs for the required parameters.Parameter
Description
Sample Inputs
Backup Type
Type of backup.
The values can be either of the following:
Enter
1to select the backup type as LOCAL.Enter
2to select the backup type as SCP.Enter
3to select the backup type as AWS.Enter
4to select the backup type as AZURE.
Backup Server IP
IP address of the backup server.
10.10.10.10Backup Server Username
Username of the backup server.
usernameBackup Server Path
Path of the backup folder.
/home/administrator/backupLocal directory path to copy the backup files from backup
Path of local machine where the backup files will be stored.
NOTE
Before performing the restoration script, ensure to create backup folder under
/datadirectory./data/backupAuth Type
Type of authentication.
The values can be either of the following:
PASSWORDPRIVATE_KEY
Private Key Path
Path of the
sshprivate key to connect to the backup server.Ensure that the private key has read permissions (
400)./home/administrator/.ssh/id_rsaBackup Server Password
Password of the backup server.
passwordAudit Logs only Restore or Data Restore
Determines the data that needs to be restored (data backup or audit logs backup).
NOTE
Audit backup restore can only be performed after the data is restored.
This value can be either of the following:
TRUEFALSE
Set the value to
TRUEto restore the audit logs only.Set the value to
FALSEto restore the cluster data.Backup Mode
Mode of the backup.
The default backup mode is
snapshot.The values can be either of the following:
cqlshsnapshot(preferred value)
Snapshot ID of Backup File
Snapshot ID of the backup file. This value can be obtained from name of the backup file.
2023-01-03_16-36-00Deployment Key Store
Location where the deployment key is stored.
Enter the same location as chosen in Section 2.1.
/root/sdkms-deployment-key-store.yamlSecret-ext-hsm-credentails
Location where the secret external HSM credentials is stored.
Enter the same location as chosen in Section 2.2.
/root/secret-ext-hsm-credentials.yamlAWS Bucket Name
Provide name of the AWS S3 bucket.
dsm-restore-testAWS Access Key
Key for accessing the AWS S3 bucket.
Access_keyAWS Secret key
Secret key for accessing the AWS S3 bucket.
Secret_keyAzure Container Name
Name of the Azure container.
dsm-restore-testAzure Connection String
Azure container connection string.
Container connection stringAfter all the parameters are passed, then a
restore_config.txtfile is generated.Run the following command to start the restoration:
./dsm_restore.sh restore_config.txt
NOTE
If you encounter an "Invalid AWS details" error while executing the
dsm_restore.shscript, perform the following steps to resolve it:
Run the following command to navigate to the directory:
cd /opt/fortanix/sdkms/bin/cluster-restoreRun the following command to open the
restore_common_functions.shfile using a text editor:
sudo nano restore_common_functions.shUpdate lines
383,386, and387by settingAWS_DEFAULT_REGION="<your S3 bucket region>".Save the file and exit the editor.
Re-run the
dsm_restore.shcommand.
After the cluster is restored successfully, perform the following steps to verify the health of the cluster:
Run the following command to verify the status of pods and nodes:
kubectl get nodes,pods -owideLog in to the Fortanix DSM UI and verify the data.
NOTE
Ensure to remove
restore_config.txtfile before executing the new restoration steps.
Run the following command to remove the restore_config.txt file:
rm restore_config.txt