Back up Key Trustee Server manually

If you do not wish to back up KTS using Cloudera Manager or the backup script, you can use this procedure for both parcel-based and package-based installations.

The following procedure references the default database port and location; if you modified these settings during installation, replace the database and port with your values.
  1. Back up the Key Trustee Server database:
    • For Key Trustee Server 3.8:
      su - postgres
      pg_dump -c -p 5432 keytrustee | zip --encrypt keytrustee-db.zip -
    • For Key Trustee Server 5.4 and higher:
      su - keytrustee
      pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -

    The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.

    For parcel-based installations, you must set environment variables after switching to the keytrustee user:
    su - keytrustee
    export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/<postgres-version>/bin
    export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/<postgres-version>/lib
    pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
  2. Back up the Key Trustee Server configuration directory (/var/lib/keytrustee/.keytrustee): zip -r --encrypt keytrustee-conf.zip /var/lib/keytrustee/.keytrustee

    The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.

  3. Move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to a secure location.