Restore Key Trustee Server from ktbackup.sh backups
After installing Key Trustee Server on a new host after a failure, or if you need to restore accidentally deleted keys on the same host, use the following procedure to restore Key Trustee Server from backups generated by the ktbackup.sh script.
- Decrypt the backup tarball using the private key of the GPG recipient specified in the backup command, by running the following command as the GPG recipient user account. The GPG recipient private key must be available on the Key Trustee Server host on which you run this command.

    gpg -d -o /path/to/decrypted/backup.tar /path/to/encrypted/tarball
- Verify the decrypted tarball using the tar tvf /path/to/decrypted/backup.tar command. For example:

    $ tar tvf kts_bak_kts01_example_com_2016-02-10_11-14-37.tar
    drwx------ keytrustee/keytrustee     0 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/
    -rw------- keytrustee/keytrustee   434 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/keytrustee.conf
    -rw------- keytrustee/keytrustee  1280 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/trustdb.gpg
    -rw------- keytrustee/keytrustee  4845 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/secring.gpg
    -rw------- keytrustee/keytrustee   600 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/random_seed
    drwx------ keytrustee/keytrustee     0 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/
    -rw------- keytrustee/keytrustee  1708 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem
    -rw------- keytrustee/keytrustee  1277 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
    -rw------- keytrustee/keytrustee  2263 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/pubring.gpg
    -rw-r--r-- keytrustee/keytrustee   457 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/logging.conf
    -rw------- keytrustee/keytrustee  2263 2016-02-09 16:43 var/lib/keytrustee/.keytrustee/pubring.gpg~
    -rw------- keytrustee/keytrustee   157 2016-02-09 16:40 var/lib/keytrustee/.keytrustee/gpg.conf
    -rw-r--r-- keytrustee/keytrustee 47752 2016-02-10 11:14 var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql
- Restore the files to their original locations, using this command for Key Trustee Server backups:

    tar xvf /path/to/decrypted/backup.tar -C /
- Drop and re-create the keytrustee PostgreSQL database, and restore the database from the backup.

  - For parcel-based installations:

        $ su - keytrustee
        $ source /opt/cloudera/parcels/KEYTRUSTEE_SERVER/meta/keytrustee_env.sh
        $ /opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/bin/psql -p 11381
        psql (12.1)
        Type "help" for help.

        keytrustee=# \list
                                          List of databases
            Name    |   Owner    | Encoding |   Collate   |    Ctype    |     Access privileges
        ------------+------------+----------+-------------+-------------+---------------------------
         keytrustee | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
         postgres   | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
         template0  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                    |            |          |             |             | keytrustee=CTc/keytrustee
         template1  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                    |            |          |             |             | keytrustee=CTc/keytrustee
        (4 rows)

        keytrustee=# \c postgres;
        You are now connected to database "postgres" as user "keytrustee".
        postgres=# drop database keytrustee;
        DROP DATABASE
        postgres=# create database keytrustee;
        CREATE DATABASE
        postgres=# \q
        $ sudo -u keytrustee /opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/bin/psql -p 11381 -f /var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql

  - For package-based installations:

        $ su - keytrustee
        $ psql -p 11381
        psql (12.1)
        Type "help" for help.

        keytrustee=# \list
                                          List of databases
            Name    |   Owner    | Encoding |   Collate   |    Ctype    |     Access privileges
        ------------+------------+----------+-------------+-------------+---------------------------
         keytrustee | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
         postgres   | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
         template0  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                    |            |          |             |             | keytrustee=CTc/keytrustee
         template1  | keytrustee | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/keytrustee            +
                    |            |          |             |             | keytrustee=CTc/keytrustee
        (4 rows)

        keytrustee=# \c postgres;
        You are now connected to database "postgres" as user "keytrustee".
        postgres=# drop database keytrustee;
        DROP DATABASE
        postgres=# create database keytrustee;
        CREATE DATABASE
        postgres=# \q
        $ sudo -u keytrustee psql -p 11381 -f /var/lib/keytrustee/kts_bak_kts01_example_com_2016-02-10_11-14-37.sql
- Restart Key Trustee Server.

  - Using Cloudera Manager: Key Trustee Server service > Actions > Restart
  - Using the Command Line: Run the following command on the Key Trustee Server hosts:

        sudo service keytrusteed restart      # RHEL 6-compatible
        sudo systemctl restart keytrusteed    # RHEL 7-compatible
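The verification step above only says to look at the tar tvf listing; the following is an added example (not from the Cloudera documentation or the ktbackup.sh script) of what to check in that listing before extracting the archive over / and feeding the SQL dump to psql. It assumes the six-column listing format and the file paths shown in the example listing above; the function names kts_check_listing and kts_dump_name are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Cloudera page: pre-flight checks on the output of
# `tar tvf` for a decrypted ktbackup.sh tarball. Run them before `tar xvf ... -C /`
# and before passing the SQL dump to `psql -f`. Paths are the ones from the page's
# example listing; the listing layout assumed is the six-column GNU tar format shown there.

# Files every Key Trustee Server backup should contain (paths from the page's listing).
KTS_REQUIRED_FILES="var/lib/keytrustee/.keytrustee/keytrustee.conf
var/lib/keytrustee/.keytrustee/secring.gpg
var/lib/keytrustee/.keytrustee/pubring.gpg
var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem
var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem"

# Files that must stay owner-only (mode -rw-------): the GPG secret keyring and the TLS private key.
KTS_PRIVATE_FILES="var/lib/keytrustee/.keytrustee/secring.gpg
var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem"

# listing_paths: read a tar listing on stdin, print only the path column (last field).
listing_paths() { awk '{ print $NF }'; }

# kts_dump_name LISTING_FILE: print the SQL dump path inside the tarball (nothing if absent).
# After the database is re-created this is the file to pass to `psql -p 11381 -f /<path>`.
kts_dump_name() {
    listing_paths < "$1" | grep '^var/lib/keytrustee/kts_bak_.*\.sql$'
}

# kts_check_listing LISTING_FILE: return 0 only if the listing looks like a complete,
# safe Key Trustee Server backup; each problem found is reported on stderr.
kts_check_listing() {
    listing="$1"
    rc=0
    # 1. every required file is present
    for f in $KTS_REQUIRED_FILES; do
        listing_paths < "$listing" | grep -qx "$f" || { echo "missing: $f" >&2; rc=1; }
    done
    # 2. exactly one SQL dump, so the database restore step has an unambiguous file
    n=$(listing_paths < "$listing" | grep -c '^var/lib/keytrustee/kts_bak_.*\.sql$' || true)
    [ "$n" -eq 1 ] || { echo "expected one kts_bak_*.sql dump, found $n" >&2; rc=1; }
    # 3. no absolute or parent-relative members: the archive is extracted with -C /
    if listing_paths < "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains absolute or ../ paths; refusing" >&2; rc=1
    fi
    # 4. secret material keeps owner-only permissions once restored
    for f in $KTS_PRIVATE_FILES; do
        mode=$(awk -v p="$f" '$NF == p { print $1 }' "$listing")
        [ "$mode" = "-rw-------" ] || { echo "unexpected mode '$mode' on $f" >&2; rc=1; }
    done
    return $rc
}

# Usage (the page's commands, gated on the checks above):
#   tar tvf /path/to/decrypted/backup.tar > /tmp/kts_listing.txt
#   kts_check_listing /tmp/kts_listing.txt && tar xvf /path/to/decrypted/backup.tar -C /
#   psql -p 11381 -f "/$(kts_dump_name /tmp/kts_listing.txt)"   # after drop/create database
```

The checks are deliberately read-only: nothing is extracted or restored until the listing has the expected keyring, TLS and configuration files, a single SQL dump, no path that would land outside the intended tree, and owner-only modes on the private key material.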