Back up Key Trustee Server manually

If you do not wish to back up KTS using Cloudera Manager or the backup script, you can use this procedure for both parcel-based and package-based installations.

The following procedure references the default database port and location; if you modified these settings during installation, replace the database and port with your values.

Back up the Key Trustee Server database:
- For Key Trustee Server 3.8:
```
su - postgres
pg_dump -c -p 5432 keytrustee | zip --encrypt keytrustee-db.zip -
```
- For Key Trustee Server 5.4 and higher:
```
su - keytrustee
pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
```
The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.
For parcel-based installations, you must set environment variables after switching to the keytrustee user:
```
su - keytrustee
export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/<postgres-version>/bin
export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/<postgres-version>/lib
pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
```
note
KTS and corresponding PostgreSQL versions:

KTS 7.x - 7.1.8: PostgreSQL 12.1

KTS 7.1.9: PostgreSQL 14.2
Back up the Key Trustee Server configuration directory (/var/lib/keytrustee/.keytrustee): zip -r --encrypt keytrustee-conf.zip /var/lib/keytrustee/.keytrustee

The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.
Move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to a secure location.