Back up Key Trustee Server using the ktbackup.sh script
Key Trustee Server releases 5.7 and higher include a script, ktbackup.sh, to simplify and automate backing up Key Trustee Server.
When run on a Key Trustee Server host, the script creates a tarball containing the Key Trustee Server private GPG keys and the PostgreSQL database.
To preserve the security of the backup, you must specify a GPG recipient. Because this recipient is the only entity that can decrypt the backup, the recipient must be someone authorized to access the Key Trustee Server database, such as a key administrator.
Creating and Importing a GPG Key for Encrypting and Decrypting Backups
If the key administrator responsible for backing up and restoring Key Trustee Server does not already have a GPG key pair, they can create one using the gpg --gen-key command. The following example demonstrates this:
[john.doe@backup-host ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: email@example.com
Comment: Key Trustee Backup
You selected this USER-ID:
    "John Doe (Key Trustee Backup) <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

can't connect to `/home/john.doe/.gnupg/S.gpg-agent': No such file or directory
gpg-agent: directory `/home/john.doe/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/john.doe/.gnupg/trustdb.gpg: trustdb created
gpg: key 0936CB67 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/0936CB67 2016-02-10
      Key fingerprint = CE57 FDED 3AFE E67D 2041  9EBF E64B 7D00 0936 CB67
uid                  John Doe (Key Trustee Backup) <email@example.com>
sub   2048R/52A6FC5C 2016-02-10
After the GPG key pair is generated, you can export the public key:
[john.doe@backup-host ~]$ gpg --armor --output /path/to/johndoe.pub --export 'John Doe'
Copy the public key (johndoe.pub in this example) to the Key Trustee Server host or Ranger KMS host, and import it into the service account keyring (keytrustee for Key Trustee Server, kms for Ranger KMS):
- On the Key Trustee Server host:
sudo -u keytrustee gpg --import /path/to/johndoe.pub
- On the Ranger KMS host:
sudo -u kms gpg --import /path/to/johndoe.pub
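The key creation and import steps above can be scripted so that the key pair is generated without interactive prompts and so that the service account only ends up trusting a key whose fingerprint matches the one the backup administrator generated. This is an added example and not Cloudera's code; it assumes GnuPG 2.x on both hosts, a service account named keytrustee, and that johndoe.pub and its fingerprint are carried to the Key Trustee Server host out of band (all hypothetical).

```shell
#!/bin/sh
# Added example, not Cloudera's code: non-interactive key-pair creation on the
# backup host, export of the public key, and import into the service-account
# keyring with a fingerprint check. Hypothetical assumptions: GnuPG 2.x, the
# service account is "keytrustee", the fingerprint travels out of band.
set -e

# Pull the primary-key fingerprint out of `gpg --with-colons` output; the
# first "fpr" record belongs to the primary key, later ones to subkeys.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spacing and case. An empty value never
# matches, so a key that is missing from the keyring cannot pass as a match.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Step 1 (backup host): generate the pair without the interactive prompts.
# No Passphrase line is given on purpose: GnuPG 2.1+ asks through pinentry
# (on 2.0, add a Passphrase: line). Never use %no-protection for a key that
# can decrypt Key Trustee backups.
gen_backup_key() {
    gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Comment: Key Trustee Backup
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Step 2 (backup host): export the armored public key and print the primary
# fingerprint so it can be verified on the other host.
export_pubkey() {
    gpg --armor --output "$2" --export "$1"
    gpg --with-colons --fingerprint "$1" | fpr_from_colons
}

# Step 3 (Key Trustee Server host): import into the service-account keyring
# and fail unless the keyring now holds a key with the expected fingerprint.
import_into_service_keyring() {
    svc=$1; pubkey=$2; expected=$3
    sudo -u "$svc" gpg --batch --import "$pubkey"
    actual=$(sudo -u "$svc" gpg --with-colons --fingerprint "$expected" 2>/dev/null | fpr_from_colons)
    if fpr_matches "$actual" "$expected"; then
        echo "imported $expected into the $svc keyring"
    else
        echo "fingerprint mismatch: expected $expected, keyring has '${actual:-none}'" >&2
        return 1
    fi
}

# Usage on the backup host: ./backup-key.sh run
if [ "${1-}" = run ]; then
    gen_backup_key 'John Doe' 'email@example.com'
    fpr=$(export_pubkey 'John Doe' "$HOME/johndoe.pub")
    echo "public key fingerprint: $fpr"
    # Then, on the Key Trustee Server host after copying johndoe.pub there:
    #   import_into_service_keyring keytrustee /path/to/johndoe.pub "$fpr"
fi
```

The fingerprint check matters because ktbackup.sh encrypts the tarball to whatever key the recipient name resolves to in the service account's keyring; a wrong or substituted key means either an unrecoverable backup or one readable by the wrong party.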
Running the ktbackup.sh Script
You must run ktbackup.sh as the service account. The location of the script depends on the service and installation method. See the following table for the script location and default service account for package- and parcel-based installations for Key Trustee Server.
Backup Script Locations
|Service|Service Account|Parcel-Based Installation|Package-Based Installation|
|Key Trustee Server|keytrustee|/opt/cloudera/parcels/KEYTRUSTEE_SERVER/bin/ktbackup.sh|ktbackup.sh|
The following table lists the command options for ktbackup.sh:
|Option|Description|
||Specifies the Key Trustee configuration directory. Defaults to|
|--database-port|Specifies the Key Trustee Server database port. Defaults to|
|--gpg-recipient|Specifies the GPG recipient. The backup is encrypted with the public key of the specified recipient. The GPG recipient public key must be imported into the service account keyring before running the script.|
||Outputs an unencrypted tarball. To preserve the security of the cryptographic keys, do not use this option in production environments.|
|--output|Specifies the output directory for the tarball. Defaults to|
|--roll|Deletes backups older than the last n backups from the directory specified by the --output option.|
|--quiet|Suppresses console log messages and, if successful, returns only the backup tarball file path. This is useful for automating backups.|
||Outputs additional log messages to the console for debugging.|
The following examples demonstrate the command usage for different scenarios:
- To back up a parcel-based Key Trustee Server, specifying the GPG recipient by name:
$ sudo -u keytrustee /opt/cloudera/parcels/KEYTRUSTEE_SERVER/bin/ktbackup.sh --gpg-recipient='John Doe'
- To back up a package-based Key Trustee Server with the database running on a non-default port (12345 in this example), specifying the GPG recipient by email address:
$ sudo -u keytrustee ktbackup.sh --database-port=12345 --gpg-recipient=email@example.com
Automating Backups Using cron
You can schedule automatic backups of Key Trustee Server using the cron scheduling utility. Create a crontab entry using the following commands:
- Edit the crontab by running the following command:
sudo -u keytrustee crontab -e
- Add the following entry to run the backup script every 30 minutes. This example is for a parcel-based installation of Key Trustee Server. See the Backup Script Locations table for the package-based script location.
*/30 * * * * /opt/cloudera/parcels/KEYTRUSTEE_SERVER/bin/ktbackup.sh --gpg-recipient='John Doe' --quiet --output=/tmp/backups --roll=10
With --roll=10 and a 30-minute interval, only the most recent five hours of backups are kept. Because /tmp is usually cleared at reboot and is writable by every local user, use a persistent directory owned by the service account as the --output location in production, and copy the encrypted tarballs off the host.
Run man 5 crontab to see the crontab man page for details on using cron to schedule backups at different intervals.
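The script-invocation and cron sections above hand the tarball path back through --quiet but leave the surrounding checks to the operator. The following wrapper, an added example and not Cloudera's code, is the kind of job a practitioner would schedule instead of calling ktbackup.sh directly: it refuses to run if the recipient key is not in the caller's keyring, runs the backup, checks that what came back is actually OpenPGP-encrypted rather than a --cleartext tarball, and copies it to a persistent archive directory. The KTBACKUP, OUTPUT_DIR and ARCHIVE_DIR defaults and the run argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Cloudera's code: a cron wrapper around ktbackup.sh that
# only archives GPG-encrypted output. Hypothetical assumptions: it runs as the
# keytrustee service account, KTBACKUP points at ktbackup.sh, and ARCHIVE_DIR
# is a persistent directory owned by that account (unlike /tmp).
set -e

KTBACKUP=${KTBACKUP:-/opt/cloudera/parcels/KEYTRUSTEE_SERVER/bin/ktbackup.sh}
RECIPIENT=${RECIPIENT:-"John Doe"}
OUTPUT_DIR=${OUTPUT_DIR:-/tmp/backups}
ARCHIVE_DIR=${ARCHIVE_DIR:-/srv/keytrustee-backups}   # hypothetical path

# Classify a file by its first bytes: binary-pgp, armored-pgp, gzip or other.
# gpg --encrypt output begins with a packet of tag 1 (public-key encrypted
# session key): 0x84..0x87 in old packet format, 0xC1 in new format. A
# --cleartext tarball would instead start with the gzip magic 1f 8b.
pgp_kind() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        84|85|86|87|c1) echo binary-pgp ;;
        2d) if [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ]; then
                echo armored-pgp
            else
                echo other
            fi ;;
        1f) echo gzip ;;
        *)  echo other ;;
    esac
}

# Return 0 only for an existing, GPG-encrypted backup file.
verify_encrypted_backup() {
    [ -f "$1" ] || return 1
    case "$(pgp_kind "$1")" in
        binary-pgp|armored-pgp) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the key IDs a backup is encrypted to; needs no private key, so it can
# be run anywhere to confirm the backup went to the intended recipient.
encrypted_to() {
    gpg --batch --list-packets "$1" 2>/dev/null | awk '/pubkey enc packet/ { print $NF }'
}

# Copy a verified backup into the archive directory and print the new path.
archive_backup() {
    verify_encrypted_backup "$1" || { echo "refusing to archive $1: not GPG-encrypted" >&2; return 1; }
    mkdir -p "$2"
    cp "$1" "$2"/
    printf '%s\n' "$2/$(basename "$1")"
}

# Full run: pre-flight key check, backup, verification, archive.
run_backup() {
    gpg --batch --list-keys "$RECIPIENT" >/dev/null 2>&1 \
        || { echo "recipient '$RECIPIENT' is not in this keyring; import it first" >&2; return 2; }
    tarball=$("$KTBACKUP" --gpg-recipient="$RECIPIENT" --quiet --output="$OUTPUT_DIR" --roll=10) \
        || { echo "ktbackup.sh failed" >&2; return 3; }
    archive_backup "$tarball" "$ARCHIVE_DIR"
    echo "encrypted to key IDs: $(encrypted_to "$tarball" | tr '\n' ' ')"
}

# crontab entry for the service account, every 30 minutes (hypothetical path):
#   */30 * * * * /usr/local/sbin/ktbackup-wrapper.sh run
if [ "${1-}" = run ]; then
    run_backup
fi
```

The magic-byte check is deliberately independent of gpg so it also catches a job that was accidentally edited to pass the cleartext option; the encrypted_to step then confirms which key the tarball can be opened with.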