Fortanix DSM Passwordless-Based Backup and Restore Using SCP - SGX

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) passwordless, SSH-based backup and restore procedures for an SGX machine using the SCP backup type.

2.0 Configuring Backup Using SCP

Perform the following steps to configure passwordless SSH-based backup using SCP, either before or after creating a Fortanix DSM cluster on an SGX machine:

  1. Edit the config.yaml file and add the following properties to enable backups to SCP, which is your backup destination. For more about the config.yaml file, refer to the Fortanix DSM Installation Guide, Section 5.4:

    backup:
      cron_schedule: "1 1 * * *"
      backup_mode: "snapshot"
      exclude_auditlog: true
      scp:
        server_ip: "10.198.0.67"
        username: "username"
        authmode: "privatekey"
        path: "/home/testuser/backup"

    NOTE

    By default, all CRON job schedules are in the UTC time zone.

  2. Run the ssh-keygen command to generate a public and private key pair. The command creates two files, which are stored in the .ssh directory by default: id_rsa, which contains the private key, and id_rsa.pub, which contains the public key.

  3. Run the following command to base64-encode the private key in the generated id_rsa file (the Kubernetes secret in Section 2.1 requires the base64-encoded form):

    cat .ssh/id_rsa | base64 -w0

2.1 Setting or Patching a Kubernetes Secret

A secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Without it, such information would have to be stored on a Fortanix DSM node or in a container image. Using a Kubernetes secret means that no confidential data is included on the Fortanix DSM node.

During installation, a placeholder secret object is created and made available as a file on a volume in the cluster. The patch operation then replaces the placeholder with the actual value.

Perform the following steps to set a Kubernetes secret:

  1. Create a configuration file named ssh-secret-patch.yaml to use when setting or patching the Kubernetes secret object. The file should contain the following entries, including the base64-encoded private key retrieved in Section 2.0, Step 3:

    apiVersion: v1
    data:
      ssh-privatekey: "PRIVATEKEY"
    kind: Secret
    metadata:
      name: secret-ssh-auth
      namespace: default
    type: kubernetes.io/ssh-auth

    NOTE

    Replace the placeholder "PRIVATEKEY" with the base64-encoded private key retrieved in Section 2.0: Configuring Backup Using SCP, Step 3.

  2. Run the following command to patch the Kubernetes secret object:

    kubectl patch secret secret-ssh-auth --patch "$(cat ssh-secret-patch.yaml)"
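The following script is an added example, not Fortanix code, covering Section 2.0 (Step 3) and Section 2.1 (Steps 1 and 2) end to end: it base64-encodes a private key file, renders ssh-secret-patch.yaml with the secret name, namespace and type from this article, and checks the result before it is handed to kubectl. The function names and the constructed demo key are this example's own; it assumes GNU coreutils base64, as the article's `base64 -w0` does.

```shell
#!/usr/bin/env bash
# Added example, not Fortanix code: renders ssh-secret-patch.yaml from a
# private key file and sanity-checks it before `kubectl patch` is run.
# Only the secret name, namespace and type come from the article; the
# function names and the constructed demo key are this example's own.
# Assumes GNU coreutils base64 (the article's `base64 -w0` on Linux).

# Single-line base64, the form a Secret's data field requires.
encode_private_key() {
  base64 < "$1" | tr -d '\n'
}

# Render the patch file. It holds the private key, so it is written with
# mode 0600 (umask in a subshell) and should be deleted after patching.
render_ssh_secret_patch() {
  key_file="$1"
  out_file="$2"
  encoded=$(encode_private_key "$key_file") || return 1
  (
    umask 077
    cat > "$out_file" <<EOF
apiVersion: v1
data:
  ssh-privatekey: "$encoded"
kind: Secret
metadata:
  name: secret-ssh-auth
  namespace: default
type: kubernetes.io/ssh-auth
EOF
  )
}

# Verify the patch: the placeholder must be gone, and the decoded value
# must carry the BEGIN and END lines of a private key; otherwise the DSM
# backup job cannot authenticate to the SCP server.
check_ssh_secret_patch() {
  patch_file="$1"
  if grep -q '"PRIVATEKEY"' "$patch_file"; then
    echo "placeholder PRIVATEKEY was never replaced" >&2
    return 1
  fi
  encoded=$(sed -n 's/^ *ssh-privatekey: "\(.*\)"$/\1/p' "$patch_file")
  decoded=$(printf '%s' "$encoded" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    "-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----") return 0 ;;
    *) echo "decoded value is not a private key" >&2; return 1 ;;
  esac
}

# Write a constructed placeholder key (not a real key) for offline demos;
# in practice pass ~/.ssh/id_rsa from ssh-keygen instead.
write_constructed_key() {
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'Y29uc3RydWN0ZWQtZGVtby1ub3QtYS1yZWFsLWtleQ==' \
    '-----END OPENSSH PRIVATE KEY-----' > "$1"
}

# Demo: render and verify, then print the kubectl step from the article.
demo_dir=$(mktemp -d)
write_constructed_key "$demo_dir/id_rsa"
render_ssh_secret_patch "$demo_dir/id_rsa" "$demo_dir/ssh-secret-patch.yaml"
if check_ssh_secret_patch "$demo_dir/ssh-secret-patch.yaml"; then
  echo "ssh-secret-patch.yaml is valid; next run:"
  echo "  kubectl patch secret secret-ssh-auth --patch \"\$(cat $demo_dir/ssh-secret-patch.yaml)\""
  echo "  rm -f $demo_dir/ssh-secret-patch.yaml   # it contains the private key"
fi
```

The check catches the two mistakes that most often leave the backup job unable to log in: forgetting to replace the PRIVATEKEY placeholder, and pasting the key without base64-encoding it (or with line breaks in the encoded value). Because the rendered file carries the private key in recoverable form, it is created with mode 0600 and should be removed once the secret has been patched.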

From Fortanix DSM version 4.16 onward, perform the following steps instead to configure passwordless, private-key-based backup:

  1. Run the ssh-keygen command to create a new private and public key pair or use an existing one on the node where backups are configured.

  2. Run the following command and, when prompted, paste the actual private key from the id_rsa file generated in Section 2.0: Configuring Backup Using SCP, Step 2 (including the BEGIN and END lines):

    sdkms-cluster secret set secret-ssh-auth

  3. Run the following commands on the backup server to place the corresponding public key in the .ssh directory of the backup user's home directory:

    cd .ssh
    cat id_rsa.pub >> authorized_keys

2.2 Copying Public Key to SCP Servers

After the Kubernetes secret object has been patched successfully, the public key must be added to the authorized_keys file on the SCP servers.

Perform the following steps to copy the public key:

  1. Run the following command to copy the public key generated in Section 2.0, Step 2 to the /tmp folder of the SCP server:

    scp .ssh/id_rsa.pub username@serverip:/tmp

  2. Run the ssh command to log in to the SCP server:

    ssh username@serverip

  3. After successfully logging in to the SCP server, if the .ssh directory does not already exist in the home directory, run the following command to create it:

    mkdir .ssh

  4. Run the following command to copy the id_rsa.pub file to a file named authorized_keys in the .ssh directory:

    cp /tmp/id_rsa.pub .ssh/authorized_keys
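The following function is an added example, not Fortanix code, for the server-side part of Section 2.1 (Step 3) and Section 2.2 (Steps 3 and 4): it installs the backup user's public key into authorized_keys on the SCP server. It assumes it is run as the backup user on that server, with the public key file path (for example /tmp/id_rsa.pub after the scp step) passed as an argument; the function names and the constructed key line are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Fortanix code: installs a public key on the SCP
# server as Sections 2.1 and 2.2 describe, but appends to authorized_keys
# instead of replacing it, skips duplicates, and sets the permissions
# sshd requires. Run as the backup user on the SCP server.

# install_authorized_key <pubkey-file> [home-dir]
install_authorized_key() {
  pub="$1"
  home_dir="${2:-$HOME}"
  ssh_dir="$home_dir/.ssh"
  auth="$ssh_dir/authorized_keys"
  key_line=$(head -n 1 "$pub" 2>/dev/null)

  # Sanity check: an OpenSSH public key line starts with the key type.
  case "$key_line" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
    *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
  esac

  # sshd ignores authorized_keys when .ssh or the file is group/world
  # writable, which is the usual reason a "copied" key still fails.
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth" && chmod 600 "$auth"

  # Append only if this exact line is not already present; the article's
  # `cp /tmp/id_rsa.pub .ssh/authorized_keys` would overwrite every other
  # key already authorized for this user.
  if ! grep -qxF -- "$key_line" "$auth"; then
    printf '%s\n' "$key_line" >> "$auth"
  fi
}

# Number of key entries in an authorized_keys file, for verification.
authorized_key_count() {
  grep -c '^[a-z]' "$1" || true
}

# Usage on the SCP server after `scp .ssh/id_rsa.pub username@serverip:/tmp`
# (the /tmp copy is world-readable, so remove it once installed):
#   install_authorized_key /tmp/id_rsa.pub && rm -f /tmp/id_rsa.pub
#   authorized_key_count ~/.ssh/authorized_keys
```

Running the function twice with the same key leaves a single entry, and a file that is not a public key is rejected rather than appended. The permissions it sets (700 on .ssh, 600 on authorized_keys) are the ones sshd enforces in its default StrictModes configuration.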

For steps to back up the audit log, refer to the Fortanix DSM Backup for Audit Log.

3.0 Recovering the Data

For a step-by-step procedure on data recovery, refer to the Fortanix DSM Restoration Guide - Automated.