1.0 Introduction
This article describes the steps to restore a Cluster Deployment Key (CDK) cluster from any of the backup types (Azure, AWS S3, or SCP) configured in the config.yaml file on a non-SGX machine.
The backup and restore process is the same as for other Fortanix DSM hardware-based deployments. In a CDK-based non-SGX cluster, the Cluster Master Key (CMK) is derived from a secret stored in an external Hardware Security Module (HSM), referred to as the CDK. This external HSM can be a Fortanix DSM hardware appliance cluster, Fortanix DSM SaaS, or any third-party HSM that supports a PKCS#11 interface (including nShield, Luna, or AWS CloudHSM). The deployment key is generated automatically during cluster creation.
NOTE
The deployment key is required to restore a backup if the cluster is reset or re-created, so it must be backed up in a safe location. Without this deployment key the backup cannot be restored and is effectively unusable.
The secret-ext-hsm-credentials secret (the external HSM credentials) must also be backed up in a safe location.
The node that you are restoring to must have been part of the active cluster at least once, so that it has inherited the Cluster Master Key (CMK).
2.0 Configuring Backup Using CDK Cluster
This section describes how to back up the secrets that are required to restore a Cluster Deployment Key (CDK) cluster.
Perform the following steps:
Log in to the production or source cluster.
Run the following command to locate the deployment key secret and the external HSM credentials secret. The expected names are sdkms-deployment-key-store and secret-ext-hsm-credentials:
$ kubectl get secrets
Run the following commands to export the sdkms-deployment-key-store secret and the external HSM credentials secret:
$ kubectl get secret secret-ext-hsm-credentials -oyaml > secret-ext-hsm-credentials.yaml
$ kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml
Save the sdkms-deployment-key-store.yaml and secret-ext-hsm-credentials.yaml files in a secure location.
NOTE
Save them in a folder other than the backup folder. Kubernetes secrets exported this way are only base64-encoded, not encrypted, so restrict the files' permissions (for example, chmod 600) and protect them like any other credential.
Run the following commands to copy the secrets to the DR node (target node) on which the restore operation will be performed. Use a directory as the destination (here the target user's home directory) so that the second file does not overwrite the first:
$ scp sdkms-deployment-key-store.yaml username@ip_address:~/
$ scp secret-ext-hsm-credentials.yaml username@ip_address:~/
For the steps to back up the audit log, refer to Fortanix DSM Backup for Audit Log.
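The steps above, collected into one script as an added example (this is not Fortanix's own tooling and is not part of the original page): it exports the two secrets into a folder separate from the backup folder, checks that each file is a populated Secret with the expected name before anything is copied, restricts the file permissions, records SHA-256 fingerprints so they can be compared on the target, and copies the files into the target user's home directory. Assumptions not stated on the page: the secrets live in the current kubectl namespace, the source node is Linux with sha256sum available, the output folder defaults to $HOME/cdk-restore-secrets, and the target is passed as user@host on the command line. The write_sample_secret helper writes a constructed sample in the shape kubectl produces and exists only so the check can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not Fortanix tooling: export, verify and copy the two
# secrets a CDK cluster restore requires.
# Assumptions (not from the original page): current kubectl namespace,
# Linux with sha256sum, target given as user@host in $1.
set -eu

SECRETS="sdkms-deployment-key-store secret-ext-hsm-credentials"
# Keep these outside the DSM backup folder, as the page's NOTE requires.
OUT_DIR="${OUT_DIR:-$HOME/cdk-restore-secrets}"

# Export one secret to $dir/$name.yaml, readable only by the current user.
export_secret() {
    name="$1"; dir="$2"
    ( umask 077; kubectl get secret "$name" -o yaml > "$dir/$name.yaml" )
}

# Check that a file is a populated Secret with the expected metadata.name:
# non-empty, kind Secret, the right name at two-space indent, and at least
# one entry under 'data:'. Returns 1 otherwise so a restore is never
# attempted with an empty or mismatched file.
check_secret_file() {
    file="$1"; expect_name="$2"
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    grep -q '^kind: Secret$' "$file" || { echo "not a Secret: $file" >&2; return 1; }
    grep -q "^  name: $expect_name\$" "$file" \
        || { echo "name mismatch in $file (expected $expect_name)" >&2; return 1; }
    # d=1 while inside the data: block; f=1 once an indented entry is seen.
    awk '/^data:/{d=1;next} d&&/^  [^ ]/{f=1} d&&/^[^ ]/{d=0} END{exit !f}' "$file" \
        || { echo "no data entries in $file" >&2; return 1; }
    return 0
}

# Write a constructed sample Secret in the layout 'kubectl get secret -o yaml'
# produces (the value is a placeholder, not real key material). Pass an empty
# value to emit a Secret with no data block; used only for the self-check.
write_sample_secret() {
    file="$1"; name="$2"; value="${3:-}"
    {
        echo "apiVersion: v1"
        if [ -n "$value" ]; then
            echo "data:"
            echo "  value: $value"
        fi
        echo "kind: Secret"
        echo "metadata:"
        echo "  name: $name"
        echo "  namespace: default"
        echo "type: Opaque"
    } > "$file"
}

main() {
    target="$1"
    mkdir -p "$OUT_DIR" && chmod 700 "$OUT_DIR"
    for s in $SECRETS; do
        export_secret "$s" "$OUT_DIR"
        check_secret_file "$OUT_DIR/$s.yaml" "$s"
    done
    # Fingerprints to compare on the target after the copy.
    ( cd "$OUT_DIR" && sha256sum *.yaml ) | tee "$OUT_DIR/SHA256SUMS"
    # Trailing slash: copy into the home directory, not onto a file.
    for s in $SECRETS; do
        scp "$OUT_DIR/$s.yaml" "$target:~/"
    done
    echo "On $target, run: sha256sum -c SHA256SUMS (after copying that file too)."
}

# Run the export only when a target is given, e.g. ./cdk-export.sh admin@dr-node.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as ./cdk-export.sh username@ip_address from the source cluster's admin node; the check function is the part that matters most, since kubectl happily writes a zero-byte file when the secret name is mistyped or the namespace is wrong, and that is only discovered at restore time.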
3.0 Recovering the Data
For a step-by-step procedure on data recovery, refer to the Fortanix DSM Restoration Guide - Automated.