Backing Up and Restoring Key Trustee Server
Key Trustee Server high availability applies to read operations only. If either Key Trustee Server fails, the client automatically retries fetching keys from the functioning server. New write operations (for example, creating new encryption keys) are not allowed unless both Key Trustee Servers are operational.
If a Key Trustee Server fails catastrophically, you must restore it from backup to a new host with the same hostname and IP address as the failed host. Cloudera does not support PostgreSQL promotion to convert a passive Key Trustee Server to an active Key Trustee Server.
Cloudera strongly recommends regularly backing up Key Trustee Server databases and configuration files. Because these backups contain encryption keys and encrypted deposits, you must ensure that your backup repository is as secure as the Key Trustee Server itself.
You must also back up the client configuration files and keys for Key Trustee Server clients such as Key Trustee KMS and Navigator Encrypt.
Backing Up Key Trustee Server
The procedure for backing up Key Trustee Server is the same for both parcel-based and package-based installations.
- Back up the Key Trustee Server database:
$ su - keytrustee
$ pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.
For parcel-based installations, you must set environment variables after switching to the keytrustee user:
$ su - keytrustee
$ export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/bin
$ export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/lib
$ pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
- Back up the Key Trustee Server configuration directory (/var/lib/keytrustee/.keytrustee):
$ zip -r --encrypt keytrustee-conf.zip /var/lib/keytrustee/.keytrustee
The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.
- Move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to a secure location.
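The three steps above, wrapped in one script as an added example (this is not Cloudera's own tooling). It runs the same pg_dump and zip commands, then refuses to report success unless each archive is non-empty, carries the zip encryption flag, and is readable only by its owner, and it writes a SHA-256 digest file to carry to the secure repository. The function names, the --run flag and the BACKUP_DIR staging directory are assumptions; the port, paths and commands are the documented defaults.

```shell
#!/bin/bash
# Added example, not Cloudera's tooling: runs the two documented backup
# commands, then refuses to report success unless each archive is non-empty,
# carries the zip encryption flag and is readable only by its owner.
# Run it as the keytrustee user:  ./kt-backup.sh --run
set -euo pipefail

KT_PG_PORT=11381                                    # default database port
KT_CONF_DIR=/var/lib/keytrustee/.keytrustee         # configuration directory
KT_PARCEL_PG=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3
BACKUP_DIR=${BACKUP_DIR:-/var/backups/keytrustee}   # assumed staging directory

# Puts the parcel's bundled PostgreSQL on PATH when the parcel is installed;
# package-based installs use the system pg_dump and need no change.
kt_pg_env() {
  if [ -d "$KT_PARCEL_PG/bin" ]; then
    export PATH="$PATH:$KT_PARCEL_PG/bin"
    export LD_LIBRARY_PATH="$KT_PARCEL_PG/lib"
  fi
}

# Returns 0 when FILE starts with a zip local file header whose general-purpose
# flag has bit 0 (the "encrypted" bit) set. zip --encrypt sets it on every
# entry, so an unencrypted archive or an empty/truncated file fails here.
kt_zip_is_encrypted() {   # kt_zip_is_encrypted FILE
  local sig flag
  sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$sig" = 504b0304 ] || return 1
  flag=$(od -An -tu1 -j6 -N1 "$1" | tr -d ' \n')
  [ -n "$flag" ] && [ $(( flag & 1 )) -eq 1 ]
}

# Returns 0 when FILE is non-empty and has mode 600 (owner read/write only).
kt_file_is_private() {   # kt_file_is_private FILE
  [ -s "$1" ] && [ "$(stat -c '%a' "$1")" = 600 ]
}

kt_backup() {
  local stamp db conf f
  stamp=$(date +%Y%m%dT%H%M%S)
  db="$BACKUP_DIR/keytrustee-db-$stamp.zip"
  conf="$BACKUP_DIR/keytrustee-conf-$stamp.zip"
  umask 077                 # every file created from here on is owner-only
  mkdir -p "$BACKUP_DIR"
  kt_pg_env
  # The documented commands; zip --encrypt prompts for the archive password.
  pg_dump -c -p "$KT_PG_PORT" keytrustee | zip --encrypt "$db" -
  zip -r --encrypt "$conf" "$KT_CONF_DIR"
  for f in "$db" "$conf"; do
    kt_zip_is_encrypted "$f" || { echo "refusing: $f is not encrypted" >&2; return 1; }
    kt_file_is_private "$f"  || { echo "refusing: $f is empty or not mode 600" >&2; return 1; }
  done
  # The digest file lets the secure repository detect archives altered in transit.
  sha256sum "$db" "$conf" > "$BACKUP_DIR/keytrustee-$stamp.sha256"
  echo "backup complete: $db $conf"
}

if [ "${1:-}" = "--run" ]; then
  [ "$(id -un)" = keytrustee ] || { echo "run this as the keytrustee user" >&2; exit 1; }
  kt_backup
fi
```

The encryption check only proves the flag is set, not how strong the cipher is: on most Info-ZIP builds, --encrypt means the traditional PKZIP cipher, so the password is a secondary control and the repository the archives are moved to still has to be as secure as the Key Trustee Server itself, as the page requires.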
Backing Up Key Trustee Server Clients
Cryptographic keys stored in Key Trustee Server are encrypted by clients before they are sent to Key Trustee Server. The primary clients for Key Trustee Server are Key Trustee KMS and Navigator Encrypt. Cloudera strongly recommends regularly backing up the configuration files and GPG keys for Key Trustee Server clients.
| Key Trustee Server Client | Directories to Back Up |
|---|---|
| Key Trustee KMS | /var/lib/kms-keytrustee |
| Navigator Encrypt | /etc/navencrypt |
Restoring Key Trustee Server
When restoring the Key Trustee Server database from backup, any keys or deposits created after the backup are lost.
The procedure to restore Key Trustee Server is different for parcel-based and package-based installations. For more information on parcels, see Parcels.
For Parcel-Based Installations
If you have deployed Cloudera Navigator Key Trustee Server High Availability, perform these steps on both the active and passive Key Trustee Servers. The following procedures assume the default database port and location; if you modified these settings during installation, replace the database and port with your custom values.
- Remove the failed host from the cluster. See Deleting Hosts for instructions.
- Add a new host with the same hostname and IP address as the failed host to the cluster. See Adding a Host to the Cluster for instructions.
- Install Key Trustee Server on the new host. See Installing Cloudera Navigator Key Trustee Server for instructions. Make sure to install the same Key Trustee Server version as the failed host.
- Copy or move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to the Key Trustee Server host.
- Start the PostgreSQL server:
$ sudo -u keytrustee ktadmin db --start --pg-rootdir /var/lib/keytrustee/db --background
- Restore the Key Trustee Server database:
$ su - keytrustee
$ export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/bin
$ export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/lib
$ unzip -p /path/to/keytrustee-db.zip | psql -p 11381 -d keytrustee
If the zip file is encrypted, you are prompted for the password to decrypt the file.
- Restore the Key Trustee Server configuration directory:
$ su - keytrustee
$ cd /var/lib/keytrustee
$ unzip /path/to/keytrustee-conf.zip
If the zip file is encrypted, you are prompted for the password to decrypt the file.
- Stop the PostgreSQL server:
$ sudo -u keytrustee ktadmin db --stop --pg-rootdir /var/lib/keytrustee/db
- Start the Key Trustee Server service in Cloudera Manager.
- Remove the backup files (keytrustee-db.zip and keytrustee-conf.zip) from the Key Trustee Server host.
For Package-Based Installations
If you have deployed Cloudera Navigator Key Trustee Server High Availability, perform these steps on both the active and passive Key Trustee Servers. The following procedures assume the default database port and location; if you modified these settings during installation, replace the database and port with your custom values.
- Copy or move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to the Key Trustee Server host.
- Change the file ownership on the backup files to keytrustee:keytrustee:
$ sudo chown keytrustee:keytrustee /path/to/keytrustee*.zip
- Restore the Key Trustee Server database:
$ su - keytrustee
$ unzip -p /path/to/keytrustee-db.zip | psql -p 11381 -d keytrustee
If the zip file is encrypted, you are prompted for the password to decrypt the file.
- Restore the Key Trustee Server configuration directory:
$ cd /var/lib/keytrustee
$ unzip /path/to/keytrustee-conf.zip
If the zip file is encrypted, you are prompted for the password to decrypt the file.
- Start the Key Trustee Server service:
$ sudo service keytrusteed start
- Remove the backup files (keytrustee-db.zip and keytrustee-conf.zip) from the Key Trustee Server host.
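Both restore procedures (parcel-based and package-based) in one runbook, as an added example that is not Cloudera's own tooling. It detects the installation type from the presence of the parcel's bundled PostgreSQL, enforces the preconditions the procedures state (same hostname and IP address as the failed host, backup files present and owned by keytrustee:keytrustee) before touching the database, and checks how the configuration archive stored its paths before extracting it. The function names and the --run argument form are assumptions; the port, paths and commands are the documented defaults. The service start (Cloudera Manager for parcels, service keytrusteed for packages) needs administrator rights, so the script prints that step for the operator rather than running it as keytrustee.

```shell
#!/bin/bash
# Added example, not Cloudera's tooling: one restore runbook for the parcel-based
# and package-based procedures. It stops before touching the database if a
# precondition the procedure states does not hold. Run as keytrustee:
#   ./kt-restore.sh --run keytrustee-db.zip keytrustee-conf.zip FAILED_HOST_FQDN FAILED_HOST_IP
set -euo pipefail

KT_PG_PORT=11381                     # default database port
KT_HOME=/var/lib/keytrustee          # default Key Trustee Server home
KT_PARCEL_PG=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3

# Echoes "parcel" when the parcel's bundled PostgreSQL exists under DIR
# (default: the documented parcel path), otherwise "package".
kt_install_type() {   # kt_install_type [DIR]
  if [ -d "${1:-$KT_PARCEL_PG}/bin" ]; then echo parcel; else echo package; fi
}

# Echoes the PostgreSQL bin directory a TYPE restore must put on PATH;
# package installs use the system psql, so the answer is empty.
kt_pg_bin_for() {   # kt_pg_bin_for parcel|package
  case "$1" in
    parcel)  echo "$KT_PARCEL_PG/bin" ;;
    package) echo "" ;;
    *)       echo "unknown install type: $1" >&2; return 1 ;;
  esac
}

# Returns 0 when FILE exists, is non-empty and is owned by USER:GROUP
# (the package procedure requires keytrustee:keytrustee before restoring).
kt_backup_ok() {   # kt_backup_ok FILE USER:GROUP
  [ -s "$1" ] && [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# zip -r of an absolute path stores entries without the leading slash
# (var/lib/keytrustee/.keytrustee/...). Given the archive's first entry name,
# echoes the directory to extract in so the files land back under KT_HOME.
kt_extract_root() {   # kt_extract_root FIRST_ENTRY
  case "$1" in
    "${KT_HOME#/}"/*) echo / ;;
    *)                echo "$KT_HOME" ;;
  esac
}

kt_restore() {   # kt_restore DB_ZIP CONF_ZIP EXPECTED_HOST EXPECTED_IP
  local db=$1 conf=$2 host=$3 ip=$4 type bin root f
  [ "$(id -un)" = keytrustee ] || { echo "run this as the keytrustee user" >&2; return 1; }
  # Restore is only supported onto a host with the failed host's name and address.
  [ "$(hostname -f)" = "$host" ] || { echo "hostname is not $host" >&2; return 1; }
  case " $(hostname -I) " in *" $ip "*) ;; *) echo "no interface has $ip" >&2; return 1 ;; esac
  for f in "$db" "$conf"; do
    kt_backup_ok "$f" keytrustee:keytrustee || { echo "missing, empty or wrong owner: $f" >&2; return 1; }
  done
  type=$(kt_install_type)
  bin=$(kt_pg_bin_for "$type")
  if [ "$type" = parcel ]; then
    ktadmin db --start --pg-rootdir "$KT_HOME/db" --background   # parcel procedure step
    export PATH="$PATH:$bin" LD_LIBRARY_PATH="$KT_PARCEL_PG/lib"
  fi
  unzip -p "$db" | psql -p "$KT_PG_PORT" -d keytrustee     # prompts for the zip password
  root=$(kt_extract_root "$(unzip -Z1 "$conf" | sed -n 1p)")
  ( cd "$root" && unzip "$conf" )
  if [ "$type" = parcel ]; then
    ktadmin db --stop --pg-rootdir "$KT_HOME/db"
    echo "next: start the Key Trustee Server service in Cloudera Manager"
  else
    echo "next: sudo service keytrusteed start"
  fi
  rm -f "$db" "$conf"   # the procedure ends by removing the backups from the host
}

if [ "${1:-}" = "--run" ]; then
  shift
  kt_restore "$@"
fi
```

Keys and deposits created after the backup was taken are still lost, exactly as the page states; the preflight checks only prevent restoring onto the wrong host or from an unusable archive, they do not recover newer data.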