Fortanix DSM Passwordless-Based Backup and Restore Using SCP - SGX

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) passwordless SSH based backup and restore procedures for an SGX machine using SCP backup type.

2.0 Configuring Backup Using SCP

Perform the following steps to configure passwordless SSH based backup using SCP before or after creating a Fortanix DSM cluster on SGX machine.

Perform the following steps:

  1. Edit the config.yaml file to add the following properties to enable backups in SCP, which is your backup destination. To know more about the config.yaml file, refer to the Fortanix DSM Installation Guide, Section 5.4:
    backup:
    cron_schedule: "1 1 * * *"
    backup_mode: "snapshot"
    exclude_auditlog: true
    scp:
    server_ip: "10.198.0.67"
    username: "username"
    authmode: "privatekey"
    path: "/home/testuser/backup"
    NOTE
    By default, all the CRON jobs schedules are in the UTC time zone.
  2. Run the ssh-keygen command to generate a public and private key pair. The command creates two files which is stored in the .ssh directory by default. The two files are named id_rsa and id_rsa.pub. The first file (id_rsa) contains the private key, and the second file (id_rsa.pub) contains the public key.

  3. Run the following command to retrieve the private key from the generated id_rsa file:
    cat .ssh/id_rsa | base64 -w0

2.1 Setting or Patching a Kubernetes Secret

A secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Such information might otherwise be stored in a Fortanix DSM node or in a container image. Using a Kubernetes secret means that no confidential data is included in the Fortanix DSM node.

A Kubernetes secret is set on a placeholder secret object that will be available as a file during installation on a volume in the cluster. This file is updated using the patch operation with the actual value.

Perform the following steps to set a Kubernetes secret:

  1. Create a configuration file named ssh-secret-patch.yaml that can be used while setting or patching a Kubernetes secret object. The configuration file should contain the following entries including the private key that has been generated in Section 2.0, Step1:
    apiVersion: v1
    data:
    ssh-privatekey: "PRIVATEKEY"
    kind: Secret
    metadata:
    name: secret-ssh-auth
    namespace: default
    type: kubernetes.io/ssh-auth
    NOTE
    The variable “PRIVATEKEY”, is replaced with the contents of the private key retrieved in Section 2.0, Step 3.
  2. Run the following command to patch the Kubernetes secret object:
    kubectl patch secret secret-ssh-auth --patch "$(cat ssh-secret-patch.yaml)"

From the Fortanix DSM version 4.16 and above, perform the following steps to configure password-less backup for private key based backup:

  1. Run the ssh-keygen command to create a new private and public key pair or use an existing one on the node where backups are configured.
  2. Run the following command and paste the private key when prompted:
    sdkms-cluster secret set secret-ssh-auth
  3. Run the following command to place the corresponding public key on the backup server in the home directory of the backup user:
    cd .ssh
    cat id_rsa.pub >> authorized_keys
    

2.2 Copying Public Key to SCP Servers

After the successful patching of the Kubernetes secret object, the public key should be copied to the authorized key list on the SCP servers.

Perform the following steps to copy the public key:

  1. Run the following command to copy the public key generated in Section 2.0, Step 2 to the tmp folder of the SCP server:
    scp .ssh/id_rsa.pub username@serverip:/tmp
  2. Run the ssh command to log in to the SCP server:
    ssh username@serverip
  3. After successfully logging in to the SCP server, if the .ssh directory does not already exist in the home directory, run the following command to create it:
    mkdir .ssh
  4. Run the following command to copy the id_rsa.pub file to a file named authorized_keys in the .ssh directory:
    cp /tmp/id_rsa.pub .ssh/authorized_keys

For steps to back up the audit log, refer to the Fortanix DSM Backup for Audit Log.

3.0 Recovering the Data

For a step-by-step procedure on data recovery, refer to the Fortanix DSM Restoration Guide - Automated.

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful