---
title: "Restoration Guide - Automated"
slug: "fortanix-dsm-restoration-guide-automated"
updated: 2026-04-01T07:32:16Z
published: 2025-08-22T11:50:17Z
canonical: "support.fortanix.com/fortanix-dsm-restoration-guide-automated"
---

# Restoration Guide - Automated

## 1.0 Introduction

This article describes the step-by-step procedure to restore Fortanix Data Security Manager (DSM) using the automated method.

> [!NOTE]
> The restoration method described in this guide is supported only for Fortanix DSM version 4.13 and above.

Fortanix DSM has the following cluster types:

- SGX cluster
- Non-SGX cluster
- Non-SGX CDK enabled cluster

The restoration script supports the following scenarios for backup restoration:

- Local backup (backup files available on local machine)
- Secure Copy Protocol (SCP) password-based backup
- Secure Copy Protocol (SCP) passwordless backup (private key)
- Amazon Web Services (AWS) S3 bucket backup
- Azure Blob Storage backup

### 1.1 Benefits

The following are the benefits of the Fortanix DSM restoration scripts:

- It supports multiple node cluster restore (for example, 1 node, 3 nodes, 5 nodes, and so on).
- The restoration process is completely automated.
- It supports restoring backups up to 100 GB in size.
- It supports restoring audit log backups.

## 2.0 Prerequisites

### 2.1 For Non-SGX Cluster

Perform the following step only if Fortanix DSM is running on a non-SGX machine:

1. Run the following command to store the deployment key at a safe location before starting the DSM restoration process:

```bash
kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml
```

### 2.2 For Non-SGX CDK Cluster

Perform the following steps only if Fortanix DSM is running on a non-SGX CDK-enabled machine:

1. Run the following command to store the deployment key at a safe location before starting the Fortanix DSM restoration process:

```bash
kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml
```
2. Run the following command to store the secret external HSM credential at a safe location:

```bash
kubectl get secret secret-ext-hsm-credentials -oyaml > secret-ext-hsm-credentials.yaml
```

## 3.0 Restoring the Data

Perform the following steps to restore the Fortanix DSM cluster on any machine:

1. Run the following command to navigate to the `/opt/fortanix/sdkms/bin/cluster-restore` folder in the DSM CLI:

```bash
cd /opt/fortanix/sdkms/bin/cluster-restore
```
2. Run the following command to execute the `generate_config.sh` script, which generates the `restore_config.txt` file:

```bash
./generate_config.sh
```
3. After executing the `generate_config.sh` script, enter valid inputs for the required parameters.

| **Parameter** | **Description** | **Sample Inputs** |
| --- | --- | --- |
| Backup Type | Type of backup. | Enter one of the following: `1` for LOCAL, `2` for SCP, `3` for AWS, or `4` for AZURE. |
| Backup Server IP | IP address of the backup server. | `10.10.10.10` |
| Backup Server Username | Username of the backup server. | `username` |
| Backup Server Path | Path of the backup folder. | `/home/administrator/backup` |
| Local directory path to copy the backup files from backup | Path on the local machine where the backup files will be stored. **Note:** Before running the restoration script, create the backup folder under the `/data` directory. | `/data/backup` |
| Auth Type | Type of authentication. | One of the following: `PASSWORD` or `PRIVATE_KEY`. |
| Private Key Path | Path of the `ssh` private key to connect to the backup server. Ensure that the private key has read permissions (`400`). | `/home/administrator/.ssh/id_rsa` |
| Backup Server Password | Password of the backup server. | `password` |
| Audit Logs only Restore or Data Restore | Determines the data that needs to be restored (data backup or audit logs backup). **Note:** Audit backup restore can only be performed after the data is restored. | One of the following: `TRUE` or `FALSE`. Set the value to `TRUE` to restore the audit logs only. Set the value to `FALSE` to restore the cluster data. |
| Backup Mode | Mode of the backup. The default backup mode is `snapshot`. | One of the following: `cqlsh` or `snapshot` (preferred value). |
| Snapshot ID of Backup File | Snapshot ID of the backup file. This value can be obtained from the name of the backup file. | `2023-01-03_16-36-00` |
| Deployment Key Store | Location where the deployment key is stored. Enter the same location as chosen in *Section 2.1*. | `/root/sdkms-deployment-key-store.yaml` |
| Secret-ext-hsm-credentials | Location where the secret external HSM credentials are stored. Enter the same location as chosen in *Section 2.2*. | `/root/secret-ext-hsm-credentials.yaml` |
| AWS Bucket Name | Name of the AWS S3 bucket. | `dsm-restore-test` |
| AWS Access Key | Key for accessing the AWS S3 bucket. | `Access_key` |
| AWS Secret key | Secret key for accessing the AWS S3 bucket. | `Secret_key` |
| Azure Container Name | Name of the Azure container. | `dsm-restore-test` |
| Azure Connection String | Azure container connection string. | `Container connection string` |

After all the parameters are entered, the `restore_config.txt` file is generated.
4. Run the following command to start the restoration:

```bash
./dsm_restore.sh restore_config.txt
```

> [!NOTE]
> If you encounter an "Invalid AWS details" error while executing the `dsm_restore.sh` script, perform the following steps to resolve it:
> 
> 1. Run the following command to navigate to the directory:
> 
> ```bash
> cd /opt/fortanix/sdkms/bin/cluster-restore
> ```
> 2. Run the following command to open the `restore_common_functions.sh` file using a text editor:
> 
> ```bash
> sudo nano restore_common_functions.sh
> ```
> 3. Update lines `383`, `386`, and `387` by setting `AWS_DEFAULT_REGION="<your S3 bucket region>"`.
> 4. Save the file and exit the editor.
> 5. Re-run the `dsm_restore.sh` command.
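
The checks below cover what the prerequisites and the parameter table ask for before `./dsm_restore.sh` is run: the local backup folder exists under `/data`, the exported secret is a Kubernetes Secret manifest, and the SSH private key has mode `400`. This is an added example, not part of the Fortanix scripts; the function names are hypothetical, and reading "safe location" as owner-only file permissions is an assumption.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the paths entered in generate_config.sh.
# Function names and the owner-only rule for exported secrets are assumptions.

# Print a file's octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file exists and grants nothing to group or other.
owner_only() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# The guide asks for mode 400 on the SSH private key used for SCP restores.
check_private_key() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "400" ]
}

# `kubectl get secret ... -oyaml` output holds key material: require a
# Secret manifest that only its owner can read.
check_secret_export() {
    owner_only "$1" && grep -q '^kind: Secret' "$1"
}

# The local copy directory must already exist under /data (BASE is
# overridable so the check can be exercised in a scratch directory).
check_backup_dir() {
    base=${2:-/data}
    case "$1" in
        "$base"/*) [ -d "$1" ] ;;
        *)         return 1 ;;
    esac
}

# usage: preflight BACKUP_DIR SECRET_YAML [PRIVATE_KEY] [BASE]
preflight() {
    rc=0
    check_backup_dir "$1" "${4:-/data}" || { echo "FAIL backup dir: $1"; rc=1; }
    check_secret_export "$2" || { echo "FAIL secret export: $2"; rc=1; }
    if [ -n "${3:-}" ]; then
        check_private_key "$3" || { echo "FAIL private key mode: $3"; rc=1; }
    fi
    return "$rc"
}

if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

A file created with `kubectl get secret ... > file.yaml` takes its mode from the shell's umask, so with a typical umask of `022` it is world-readable until you run `chmod 600` on it.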

After the cluster is restored successfully, perform the following steps to verify the health of the cluster:

1. Run the following command to verify the status of pods and nodes:

```bash
kubectl get nodes,pods -owide
```
2. Log in to the Fortanix DSM UI and verify the data.

> [!NOTE]
> Remove the `restore_config.txt` file before starting a new restoration.

3. Run the following command to remove the `restore_config.txt` file:

```bash
rm restore_config.txt
```
