Fortanix DSM Restoration Guide - Automated

1.0 Introduction

This article describes the step-by-step procedure to restore the Fortanix-Data-Security-Manager (DSM) using automated method.

Fortanix DSM has the following cluster types:

• SGX cluster

• Non-SGX cluster

• Non-SGX CDK enabled cluster

The restoration script supports the following scenarios for backup restoration: 

• Local backup (backup files available on local machine)

• Secure Copy Protocol (SCP) password based backup

• Secure Copy Protocol (SCP) passwordless based backup (private key)

• Amazon Web Services (AWS) S3 bucket backup

• Azure Blob Storage backup

1.1 Benefits

The following are the benefits of the Fortanix DSM restoration scripts:

• It supports multiple node cluster restore (for example, 1 node, 3 nodes, 5 nodes, and so on).

• The restoration process is completely automated.

• It supports restoring backups up to 100GB in size.

• The restoration script supports audit logs restoration backup.

2.0 Prerequisites

2.1 For Non-SGX Cluster

Perform the following step only if the Fortanix DSM is running on non-SGX machine:

1. Run following command to store the deployment key at a safe location before starting DSM restoration process:

   kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml

2.2 For Non-SGX CDK Cluster

Perform the following steps only if the Fortanix DSM is running on non-SGX CDK enabled machine:

1. Run the following command to store the deployment key at a safe location before starting Fortanix DSM restoration process:

   kubectl get secret sdkms-deployment-key-store -oyaml > sdkms-deployment-key-store.yaml

2. Run the following command to store the secret external HSM credential at a safe location:

   kubectl get secret secret-ext-hsm-credentials -oyaml > secret-ext-hsm-credentials.yaml

3.0 Restoring the Data

Perform the following steps to restore the Fortanix DSM cluster on any machine:

1. Run the following command navigate to /opt/fortanix/sdkms/bin/cluster-restore folder in DSM CLI:

   cd /opt/fortanix/sdkms/bin/cluster-restore

2. Run the following command to execute generate_config.sh script to generate the restore_config.txt file:

   ./generate_config.sh

3. After executing the generate_config.sh script, enter the valid inputs for the required parameters.

   Parameter	Description	Sample Inputs
   Backup Type	Type of backup.	The values can be either of the following: Enter 1 to select the backup type as LOCAL. Enter 2 to select the backup type as SCP. Enter 3 to select the backup type as AWS. Enter 4 to select the backup type as AZURE.
   Backup Server IP	IP address of the backup server.	10.10.10.10
   Backup Server Username	Username of the backup server.	username
   Backup Server Path	Path of the backup folder.	/home/administrator/backup
   Local directory path to copy the backup files from backup	Path of local machine where the backup files will be stored. NOTE Before performing the restoration script, ensure to create backup folder under /data directory.	/data/backup
   Auth Type	Type of authentication.	The values can be either of the following: PASSWORD PRIVATE_KEY
   Private Key Path	Path of the ssh private key to connect to the backup server. Ensure that the private key has read permissions (400).	/home/administrator/.ssh/id_rsa
   Backup Server Password	Password of the backup server.	password
   Audit Logs only Restore or Data Restore	Determines the data that needs to be restored (data backup or audit logs backup). NOTE Audit backup restore can only be performed after the data is restored.	This value can be either of the following: TRUE FALSE Set the value to TRUE to restore the audit logs only. Set the value to FALSE to restore the cluster data.
   Backup Mode	Mode of the backup. The default backup mode is snapshot.	The values can be either of the following: cqlsh snapshot (preferred value)
   Snapshot ID of Backup File	Snapshot ID of the backup file. This value can be obtained from name of the backup file.	2023-01-03_16-36-00
   Deployment Key Store	Location where the deployment key is stored. Enter the same location as chosen in Section 2.1.	/root/sdkms-deployment-key-store.yaml
   Secret-ext-hsm-credentails	Location where the secret external HSM credentials is stored. Enter the same location as chosen in Section 2.2.	/root/secret-ext-hsm-credentials.yaml
   AWS Bucket Name	Provide name of the AWS S3 bucket.	dsm-restore-test
   AWS Access Key	Key for accessing the AWS S3 bucket.	Access_key
   AWS Secret key	Secret key for accessing the AWS S3 bucket.	Secret_key
   Azure Container Name	Name of the Azure container.	dsm-restore-test
   Azure Connection String	Azure container connection string.	Container connection string

   After all the parameters are passed, then a restore_config.txt file is generated.

4. Run the following command to start the restoration:

   ./dsm_restore.sh restore_config.txt

NOTE

If you encounter an "Invalid AWS details" error while executing the dsm_restore.sh script, perform the following steps to resolve it:

1. Run the following command to navigate to the directory:

   cd /opt/fortanix/sdkms/bin/cluster-restore

2. Run the following command to open the restore_common_functions.sh file using a text editor:

   sudo nano restore_common_functions.sh

3. Update lines 383, 386, and 387 by setting AWS_DEFAULT_REGION="<your S3 bucket region>".

4. Save the file and exit the editor.

5. Re-run the dsm_restore.sh command.

After the cluster is restored successfully, perform the following steps to verify the health of the cluster:

1. Run the following command to verify the status of pods and nodes:

   kubectl get nodes,pods -owide

2. Log in to the Fortanix DSM UI and verify the data.

   NOTE

   Ensure to remove restore_config.txt file before executing the new restoration steps.

3. Run the following command to remove the restore_config.txt file:

   rm restore_config.txt