Backing Up and Restoring Key Trustee Server

Key Trustee Server high availability applies to read operations only. If either Key Trustee Server fails, the client automatically retries fetching keys from the functioning server. New write operations (for example, creating new encryption keys) are not allowed unless both Key Trustee Servers are operational.

If a Key Trustee Server fails catastrophically, you must restore it from backup to a new host with the same hostname and IP address as the failed host. Cloudera does not support PostgreSQL promotion to convert a passive Key Trustee Server to an active Key Trustee Server.

Cloudera strongly recommends regularly backing up Key Trustee Server databases and configuration files. Because these backups contain encryption keys and encrypted deposits, you must ensure that your backup repository is as secure as the Key Trustee Server itself.

You must also back up client configuration files and keys for Key Trustee Server clients such as the Key Trustee KMS and Navigator Encrypt clients.

Backing Up Key Trustee Server

The procedure for backing up Key Trustee Server is the same for both parcel-based and package-based installations.

If you have deployed Cloudera Navigator Key Trustee Server High Availability, perform these steps on both the active and passive Key Trustee Servers. The following procedure references the default database port and location; if you modified these settings during installation, replace the database and port with your values.
  1. Back up the Key Trustee Server database:
    $ su - keytrustee
    $ pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -

    The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.

    For parcel-based installations, you must set environment variables after switching to the keytrustee user:
    $ su - keytrustee
    $ export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/bin
    $ export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/lib
    $ pg_dump -c -p 11381 keytrustee | zip --encrypt keytrustee-db.zip -
  2. Back up the Key Trustee Server configuration directory (/var/lib/keytrustee/.keytrustee):
    $ zip -r --encrypt keytrustee-conf.zip /var/lib/keytrustee/.keytrustee

    The --encrypt option prompts you to create a password used to encrypt the zip file. This password is required to decrypt the file.

  3. Move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to a secure location.

Backing Up Key Trustee Server Clients

Cryptographic keys stored in Key Trustee Server are encrypted by clients before they are sent to Key Trustee Server. The primary clients for Key Trustee Server are Key Trustee KMS and Navigator Encrypt. Cloudera strongly recommends regularly backing up the configuration files and GPG keys for Key Trustee Server clients.

To prevent permanent data loss, regularly back up the following directories on each client that stores objects in Key Trustee Server:
Key Trustee Server Client Configuration Directories

  Key Trustee Server Client   Directory to Back Up
  Key Trustee KMS             /var/lib/kms-keytrustee
  Navigator Encrypt           /etc/navencrypt

Restoring Key Trustee Server

When restoring the Key Trustee Server database from backup, any keys or deposits created after the backup are lost.

The procedure to restore Key Trustee Server is different for parcel-based and package-based installations. For more information on parcels, see Parcels.

For Parcel-Based Installations

If you have deployed Cloudera Navigator Key Trustee Server High Availability, perform these steps on both the active and passive Key Trustee Servers. The following procedures assume the default database port and location; if you modified these settings during installation, replace the database and port with your custom values.

If the Key Trustee Server host has failed completely, remove the host from the cluster and add a new host using Cloudera Manager:
  1. Remove the failed host from the cluster. See Deleting Hosts for instructions.
  2. Add a new host with the same hostname and IP address as the failed host to the cluster. See Adding a Host to the Cluster for instructions.
  3. Install Key Trustee Server on the new host. See Installing Cloudera Navigator Key Trustee Server for instructions. Make sure to install the same Key Trustee Server version as the failed host.
After you have provisioned a new host and installed Key Trustee Server (or if you are restoring the database or configuration on the original host), restore the database and configuration directory:
  1. Copy or move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to the Key Trustee Server host.
  2. Start the PostgreSQL server:
    $ sudo -u keytrustee ktadmin db --start --pg-rootdir /var/lib/keytrustee/db --background
  3. Restore the Key Trustee Server database:
    $ su - keytrustee
    $ export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/bin
    $ export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/9.3/lib
    $ unzip -p /path/to/keytrustee-db.zip | psql -p 11381 -d keytrustee

    If the zip file is encrypted, you are prompted for the password to decrypt the file.

  4. Restore the Key Trustee Server configuration directory:
    $ su - keytrustee
    $ cd /var/lib/keytrustee
    $ unzip /path/to/keytrustee-conf.zip

    If the zip file is encrypted, you are prompted for the password to decrypt the file.

  5. Stop the PostgreSQL server:
    $ sudo -u keytrustee ktadmin db --stop --pg-rootdir /var/lib/keytrustee/db
  6. Start the Key Trustee Server service in Cloudera Manager (Key Trustee Server service > Actions > Start).
  7. Remove the backup files (keytrustee-db.zip and keytrustee-conf.zip) from the Key Trustee Server host.

For Package-Based Installations

If you have deployed Cloudera Navigator Key Trustee Server High Availability, perform these steps on both the active and passive Key Trustee Servers. The following procedures assume the default database port and location; if you modified these settings during installation, replace the database and port with your custom values.

If the Key Trustee Server host has failed completely, provision a new host with the same hostname and IP address as the failed host, and re-install Key Trustee Server. See Installing Cloudera Navigator Key Trustee Server for instructions.
After you have provisioned a new host and installed Key Trustee Server (or if you are restoring the database or configuration on the original host), restore the database and configuration directory:
  1. Copy or move the backup files (keytrustee-db.zip and keytrustee-conf.zip) to the Key Trustee Server host.
  2. Change the file ownership on the backup files to keytrustee:keytrustee:
    $ sudo chown keytrustee:keytrustee /path/to/keytrustee*.zip
  3. Restore the Key Trustee Server database:
    $ su - keytrustee
    $ unzip -p /path/to/keytrustee-db.zip | psql -p 11381 -d keytrustee

    If the zip file is encrypted, you are prompted for the password to decrypt the file.

  4. Restore the Key Trustee Server configuration directory:
    $ cd /var/lib/keytrustee
    $ unzip /path/to/keytrustee-conf.zip

    If the zip file is encrypted, you are prompted for the password to decrypt the file.

  5. Start the Key Trustee Server service:
    $ sudo service keytrusteed start
  6. Remove the backup files (keytrustee-db.zip and keytrustee-conf.zip) from the Key Trustee Server host.
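The following script is an added example, not Cloudera's code or part of the Key Trustee Server product. It wraps steps 1 and 2 of "Backing Up Key Trustee Server" and steps 3 and 4 of both restore procedures above in shell functions that run unchanged on parcel-based and package-based hosts: the PATH and LD_LIBRARY_PATH exports from the parcel steps are applied only when the parcel directory exists. The file name ktbackup.sh, the variable names and the output directory are hypothetical; the parcel root, port 11381 and /var/lib/keytrustee/.keytrustee are the page's defaults and can be overridden through the environment. Two practitioner checks are added: each archive is test-read with unzip -t and refused if it is not mode 600, because the page requires the backup copies to be as protected as the server itself (zip --encrypt uses Info-ZIP's traditional PKWARE encryption, so file permissions and the secured repository, not the archive password, are the real protection). The configuration archive is also built from /var/lib/keytrustee with the relative path .keytrustee, because zip strips the leading "/" from absolute paths and the page's "cd /var/lib/keytrustee; unzip" restore step would otherwise unpack the copy under /var/lib/keytrustee/var/lib/keytrustee.

```shell
#!/bin/sh
# Added example, not Cloudera's code: wraps this page's backup and restore
# steps in functions that work on both parcel- and package-based hosts.
# Hypothetical defaults (override via the environment): the page's parcel
# root, database port and configuration directory.
set -eu

KT_PARCEL_ROOT="${KT_PARCEL_ROOT:-/opt/cloudera/parcels/KEYTRUSTEE_SERVER}"
KT_DB_PORT="${KT_DB_PORT:-11381}"
KT_CONF_DIR="${KT_CONF_DIR:-/var/lib/keytrustee/.keytrustee}"

# Print the parcel's bundled PostgreSQL bin directory if the parcel is present;
# print nothing on a package-based host (pg_dump and psql are already on PATH).
kt_pg_bindir() {
    root="${1:-$KT_PARCEL_ROOT}"
    if [ -d "$root/PG_DB/opt/postgres/9.3/bin" ]; then
        printf '%s\n' "$root/PG_DB/opt/postgres/9.3/bin"
    fi
}

# Export PATH and LD_LIBRARY_PATH exactly as the page's parcel steps do, but
# only when the parcel exists, so the same function is safe on package hosts.
kt_pg_env() {
    bindir="$(kt_pg_bindir "${1:-$KT_PARCEL_ROOT}")"
    if [ -n "$bindir" ]; then
        PATH="$PATH:$bindir"; export PATH
        LD_LIBRARY_PATH="${bindir%/bin}/lib"; export LD_LIBRARY_PATH
    fi
}

# Succeed only if the file is readable and writable by its owner alone (mode 600):
# the backups hold encryption keys and must be as protected as the server itself.
kt_backup_perms_ok() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    [ "$mode" = "600" ]
}

# Steps 1 and 2 of "Backing Up Key Trustee Server". Run as the keytrustee user;
# zip --encrypt prompts on the terminal for the archive password, as on the page,
# and unzip -t prompts for it again when it verifies the encrypted archive.
# The configuration archive is built from the parent directory with a relative
# path (.keytrustee) so that "cd /var/lib/keytrustee; unzip" restores it in place.
kt_backup() {
    outdir="$(cd "${1:-.}" && pwd)"
    kt_pg_env
    umask 077                      # archives are created mode 600 from the start
    # Note: under POSIX sh, set -e does not catch a failure of pg_dump inside the
    # pipeline; the unzip -t check below is what catches a truncated archive.
    pg_dump -c -p "$KT_DB_PORT" keytrustee | zip --encrypt "$outdir/keytrustee-db.zip" -
    (cd "$(dirname "$KT_CONF_DIR")" && zip -r --encrypt "$outdir/keytrustee-conf.zip" "$(basename "$KT_CONF_DIR")")
    for f in "$outdir/keytrustee-db.zip" "$outdir/keytrustee-conf.zip"; do
        unzip -tq "$f"             # integrity check before the file leaves the host
        kt_backup_perms_ok "$f" || { echo "$f is not mode 600; fix before moving it" >&2; return 1; }
    done
}

# Steps 3 and 4 of both restore procedures: load the database dump and unpack the
# configuration directory. PostgreSQL must already be running (on parcel hosts,
# start it first with ktadmin db --start, as step 2 of the page describes).
kt_restore() {
    bakdir="$(cd "$1" && pwd)"
    kt_pg_env
    unzip -p "$bakdir/keytrustee-db.zip" | psql -p "$KT_DB_PORT" -d keytrustee
    (cd "$(dirname "$KT_CONF_DIR")" && unzip "$bakdir/keytrustee-conf.zip")
}

# Command dispatch: "ktbackup.sh backup <outdir>" or "ktbackup.sh restore <bakdir>".
case "${1:-}" in
    backup)  kt_backup "${2:-.}" ;;
    restore) kt_restore "${2:?backup directory required}" ;;
esac
```

Run it as the keytrustee user: `sh ktbackup.sh backup /var/backups/keytrustee` produces keytrustee-db.zip and keytrustee-conf.zip in that directory and refuses to finish if either is group- or world-readable; `sh ktbackup.sh restore /path/to/backups` performs the two restore steps, after which the page's remaining steps (stopping PostgreSQL on parcel hosts, starting the service, deleting the backup files) still apply.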