Restore Key Trustee Server from ktbackup.sh backups

If you have installed Key Trustee Server on a new host after a failure, or if you need to restore accidentally deleted keys on the same host, use the following procedure to restore Key Trustee Server from backups generated by the ktbackup.sh script.

  1. Decrypt the backup tarball using the private key of the GPG recipient specified in the backup command by running the following command as the GPG recipient user account. The GPG recipient private key must be available on the Key Trustee Server host on which you run this command.
    gpg -d -o /path/to/decrypted/backup.tar /path/to/encrypted/tarball
  2. Verify the decrypted tarball using the tar tvf /path/to/decrypted/backup.tar command. For example:
    $ tar tvf kts_bak_kts01_example_com_2016-02-10_11-14-37.tar
    drwx------ keytrustee/keytrustee 0 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/
    -rw------- keytrustee/keytrustee 434 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/keytrustee.conf
    -rw------- keytrustee/keytrustee 1280 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/trustdb.gpg
    -rw------- keytrustee/keytrustee 4845 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/secring.gpg
    -rw------- keytrustee/keytrustee  600 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/random_seed
    drwx------ keytrustee/keytrustee    0 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/
    -rw------- keytrustee/keytrustee 1708 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem
    -rw------- keytrustee/keytrustee 1277 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
    -rw------- keytrustee/keytrustee 2263 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/pubring.gpg
    -rw-r--r-- keytrustee/keytrustee  457 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/logging.conf
    -rw------- keytrustee/keytrustee 2263 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/pubring.gpg~
    -rw------- keytrustee/keytrustee  157 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/gpg.conf
    -rw-r--r-- keytrustee/keytrustee 47752 2016-02-10 11:14 var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql
  3. Restore the files to their original locations, using this command for Key Trustee Server backups:
    tar xvf /path/to/decrypted/backup.tar -C /
  4. Drop and re-create the keytrustee PostgreSQL database, and restore the database from the backup.
    • For parcel-based installations:
      $ su - keytrustee
      $ source /opt/cloudera/parcels/KEYTRUSTEE_SERVER/meta/keytrustee_env.sh
      $ /opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/bin/psql -p 11381
      psql (12.1)
      Type "help" for help.
      
      keytrustee=# \list
                                           List of databases
          Name    |   Owner    | Encoding |   Collate   |    Ctype    |     Access privileges
      ------------+------------+----------+-------------+-------------+---------------------------
       keytrustee | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
       postgres   | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
       template0  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                  |            |          |             |             | keytrustee=CTc/keytrustee
       template1  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                  |            |          |             |             | keytrustee=CTc/keytrustee
      (4 rows)
      
      keytrustee=# \c postgres;
      You are now connected to database "postgres" as user "keytrustee".
      postgres=# drop database keytrustee;
      DROP DATABASE
      postgres=# create database keytrustee;
      CREATE DATABASE
      postgres=# \q
      $ sudo -u keytrustee /opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/bin/psql -p 11381 -f /var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql
    • For package-based installations:
      $ su - keytrustee
      $ psql -p 11381
      psql (12.1)
      Type "help" for help.
      
      keytrustee=# \list
                                           List of databases
          Name    |   Owner    | Encoding |   Collate   |    Ctype    |     Access privileges
      ------------+------------+----------+-------------+-------------+---------------------------
       keytrustee | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
       postgres   | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
       template0  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                  |            |          |             |             | keytrustee=CTc/keytrustee
       template1  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                  |            |          |             |             | keytrustee=CTc/keytrustee
      (4 rows)
      
      keytrustee=# \c postgres;
      You are now connected to database "postgres" as user "keytrustee".
      postgres=# drop database keytrustee;
      DROP DATABASE
      postgres=# create database keytrustee;
      CREATE DATABASE
      postgres=# \q
      $ sudo -u keytrustee psql -p 11381 -f /var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql
  5. Restart Key Trustee Server.
    • Using Cloudera Manager: Key Trustee Server service > Actions > Restart
    • Using the Command Line: Run the following command on the Key Trustee Server hosts:
      sudo service keytrusteed restart      #RHEL 6-compatible
      sudo systemctl restart keytrusteed    #RHEL 7-compatible
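Because step 3 extracts the decrypted tarball straight into the root of the filesystem (tar xvf ... -C /), the listing check in step 2 can be made mechanical: the following shell function, an added example that is not part of the Cloudera documentation or of ktbackup.sh, confirms that every entry is a relative path under var/lib/keytrustee/ with no ".." components and that exactly one kts_bak_*.sql dump is present for step 4. The function name kts_check_tarball is an assumption; run it on the decrypted tarball before step 3.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation or ktbackup.sh.
# Step 3 extracts the decrypted backup with "tar xvf ... -C /", so before doing
# that it is worth confirming that every archive entry is a relative path under
# var/lib/keytrustee/ with no ".." components, and that exactly one
# kts_bak_*.sql dump is present for the database restore in step 4.
# Usage: kts_check_tarball /path/to/decrypted/backup.tar   (exit 0 = safe to extract)

kts_check_tarball() {
    archive=$1
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 1; }
    listing=$(tar tf "$archive") || return 1
    rc=0
    sql_count=0
    old_ifs=$IFS
    IFS='
'                                   # one archive entry per line
    for entry in $listing; do
        case "$entry" in
            /*)                     echo "absolute path in archive: $entry" >&2; rc=1 ;;
            ..|../*|*/../*|*/..)    echo "parent-directory component: $entry" >&2; rc=1 ;;
            var/lib/keytrustee|var/lib/keytrustee/*) ;;
            *)                      echo "entry outside var/lib/keytrustee/: $entry" >&2; rc=1 ;;
        esac
        case "$entry" in
            var/lib/keytrustee/kts_bak_*.sql) sql_count=$((sql_count + 1)) ;;
        esac
    done
    IFS=$old_ifs
    [ "$sql_count" -eq 1 ] || { echo "expected one kts_bak_*.sql dump, found $sql_count" >&2; rc=1; }
    return "$rc"
}
```

A non-zero exit means the archive should not be extracted into / as-is; the messages on stderr name each offending entry.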