Backing Up and Restoring the DSM

...................................
8

.....
A backup of the Data Security Manager (DSM) Server is a snapshot of a DSM configuration at a
point in time. When a backup is restored, the DSM Management Console will contain and
display the same information captured at the time the backup was originally made, any
changes made after the last backup will not be restored.
This chapter includes the following sections:
“Overview” on page 39
“Per Domain Backup and Restore” on page 40
“Backing Up the DSM Configuration” on page 40
“Restoring a DSM Backup” on page 46
“Automatic Backup” on page 48

Overview
.....................................................................
A DSM backup can be used to restore the hosts, encryption keys, policies, as well as other
configuration information of a DSM in the event of a software crash recovery or system
changes. A DSM Administrator of type System or All creates a system-level DSM backup, and a
DSM Administrator of type Domain, Domain and Security, or All creates a domain-level backup
via the Management Console.

Administrators of type Domain, Domain and Security, or All must be logged into the
domain that is to be backed up or restored to perform these operations.
An administrator of type All can also perform a domain backup and restore operation, as
long as that All administrator type is added to the domain.

System-level configuration such as network and timezone settings are not backed up—those
remain unchanged after a restore operation.
Each backup is encrypted with a wrapper key. A wrapper key must be created before the DSM
can be backed up. The same wrapper key is also required to restore the backup.
DSM backups can be restored at the system-level or at the domain-level.
• A system-level backup can only be restored to the same DSM or another DSM.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 40
Per Domain Backup and Restore

• A domain-level backup can only be restored to a domain—the same domain, or another

domain on the same DSM, or a domain on another DSM.

Per Domain Backup and Restore

.....................................................................
In addition to a creating a backup of the DSM system configuration, you can also back up and
restore the configuration information of a single domain. A domain backup can be restored to:
• the same domain
• to a different domain on the same DSM

If a domain backup is restored to a different domain on the same DSM, there may be a
host name conflict, in which case the host names must be changed.

• to a different domain on another DSM

To create a backup of a domain and to restore that backup, a wrapper key must be created for
the domain, and the domain must have an assigned Domain Administrator. The backup and
restore operations are done by a Domain Administrator, Domain and Security Administrator, or
an administrator of type All from within the domain to be backed up or restored.

Backing Up the DSM Configuration

.....................................................................
A backup is a snapshot of a DSM configuration. When a backup is restored, the DSM
Management Console will contain and display the same information captured at the time the
backup was originally made.
You can create a backup of the DSM configuration at the system level or at the domain level. To
create a backup of a domain, you must be logged into that domain.

Differences between System-level and Domain-level Backups

The following table lists the differences between system-level and domain-level backups:
Table 4: System-level vs domain-level backups
System-level backup Domain-level backup
Administrators of type System or All create the backup. Administrators of type Domain or Domain and Security, or
All create the backup.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 41
Backing Up the DSM Configuration

System-level backup Domain-level backup

Backs up the configuration information for the complete Backs up domain specific information including; web
DSM system including; web server certificate, certificates, server certificate, certificates, system preferences, log
system preferences, log preferences, users, domains, preferences, domains, hosts, encryption keys, signatures,
hosts, encryption keys, signatures, policies, GuardPoints, policies, GuardPoints, and license information.
and license information including all the configuration
information in all the domains.
DSM users can be backed up. Domain level users cannot be backed up, they will need to
be recreated or added back to the domain after a restore
operation.
GuardPoints and host-sharing information are backed up. GuardPoints and host-sharing information are not backed
up. Host sharing will be have to be re-established,
and GuardPoints recreated after the restore
operation.
The procedures to create a wrapper key, create a backup, and restore a backup are the same at
the domain level and at the system level.

Backup Encryption Wrapper Key

DSM backup files are encrypted with a wrapper key to keep them secure. This wrapper key
must be created, or imported from a previous create operation, before creating a backup. The
same wrapper key used to encrypt a backup is also required to restore that DSM backup.
For additional security, wrapper keys can be broken up into key shares—pieces of a wrapper
key. These key shares can then be divided amongst two or more custodians, such that each
custodian must contribute their key share in order to assemble a complete wrapper key. This is
also referred to as split key knowledge or M of N configuration.
For example you can break up the wrapper key amongst a total of five custodians and set the
minimum number of required custodians at two. When the wrapper key is required, at least
two of the custodians must contribute their key share in order to assemble a complete wrapper
key.
To backup system-level configuration, the wrapper key must be created at the system-level by a
DSM administrator of type System or All. To create a backup at the domain-level, a wrapper key
must be created from within the domain to be backed up by a DSM administrator of type
Domain, or Domain and Security, or All at the domain level.

Create a wrapper key

1. Log on to the Management Console as an administrator of type System Administrator or All.
Or if you are creating a wrapper key at the domain level
Log on or switch to a domain on the Management Console as an administrator of type Domain,
Domain and Security, or All.
2. Select System > Wrapper Keys from the menu bar.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 42
Backing Up the DSM Configuration

3. In the Wrapper Keys window, select Create from the Operation menu, then click Apply to create
the wrapper key.
Figure 3: Wrapper Keys window

You will see a confirmation message stating that the key exists, see Figure 4 below.
Figure 4: Wrapper Keys selection confirmation

4. Select System > Backup and Restore > Manual Backup and Restore from the menu bar. A
confirmation message is also displayed on this tab, stating that the wrapper key exists. You can
now proceed with creating a backup.
5. Return to the System > Wrapper Keys menu option and select Export from the Operation menu
to export key shares.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 43
Backing Up the DSM Configuration

Figure 5: Wrapper Keys window to select custodians for key shares

6. Set a number for both the Minimum Custodians Needed and the Total Number of Custodians.
This setting splits the wrapper key value among multiple custodians. If only a single
administrator is to control the wrapper key, enter a value of 1 in both fields.
7. Select the check box next to the DSM administrators who will serve as custodians for the
wrapper key shares. Administrators of type System Administrator and All are listed. Any of these
administrators, with the exception of the default initial log-on administrator admin, can be
selected as a custodian.
If more than one custodian has been selected, each of them is given a share of the wrapper key.
The wrapper key share is displayed on their Dashboard page when they log into the
Management Console, see Figure 6. Each administrator must see a unique wrapper key share
displayed on the dashboard beneath the fingerprint for the CA.
8. Click Apply on the bottom right hand corner.
The generated wrapper key or key shares are exported and is visible on the Dashboard, beneath
the fingerprint for the CA. The Wrapper Key Share displayed in the Dashboard window is a
toggle. Click Show to display the wrapper key share value. Click Wrapper Key Share value to
display the string Show.
9. Ask each administrator to securely store a copy of this key share. They must provide this as part
of their role in a DSM restore operation.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 44
Backing Up the DSM Configuration

Figure 6: DSM Management Console Dashboard showing the wrapper key share toggle

A backup of the DSM configuration can be created after the wrapper key has been created. The
procedure to create a backup at the system level or at the domain level is the same.

System-level Backup

1. Log on to the Management Console as an administrator of type System Administrator or All.

2. Select the System > Backup and Restore menu option. The Manual Backup and Restore page
opens.
3. Click the Backup tab and then select Ok.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 45
Backing Up the DSM Configuration

Figure 7: Manual Backup and Restore dialog with File Download dialog displayed

4. Click Save in the File Download dialog box. Save the file to a secure location that you are sure
will still be accessible if the server fails. By default, the file name will be in the format:
backup_config_<dsm server name>_yyyy_mm_dd_hhmm.tar
Where <dsm server name> is the FQDN of the DSM that is being backed up.
5. Save the backup to a secure location. Access to the backup should be limited to only a few
employees and should be audited.

Domain-level Backup

Create a backup of a global domain

1. Log on to the Management Console as an administrator of type Domain, Domain and Security or
All.
Or switch to the domain that you want to backup.
2. Select the System > Backup and Restore menu option. The Manual Backup and Restore page
opens.
3. Click the Backup tab and click Ok to start the backup.
4. Click Save in the File Download dialog box. Save the file to a secure location that you are sure
will still be accessible if the server fails. By default, the file name will be in the format:
backup_config_<domain name>_<dsm server name>_yyyy_mm_dd_hhmm.tar
Where <domain_name> is the name of the domain being backed up and <dsm server name>
is the FQDN of the DSM that is being backed up.
5. Save the backup to a secure location. Access to the backup should be limited to only a few
employees and should be audited.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 46
Restoring a DSM Backup

Restoring a DSM Backup

.....................................................................
A backup of the DSM configuration can be used to restore the hosts, encryption keys, and
policies, as well as other configuration information of a DSM, after a software crash recovery or
system changes. A DSM backup can be restored at the system level or at the domain level.
The procedure to restore a domain-level backup is the same as the procedure to restore a
system-level backup. To restore a domain level backup, you must be logged into that domain.
The DSM backup is restored via the Management Console.
•

Restoring the DSM from a backup

The following procedures describe:

• how to do a system-level restore of a DSM from a backup for the virtual DSM and hardware
DSM appliances.
• how to do a domain-level restore of a DSM from a backup.
• how to restore a DSM V6100 hardware appliance backup image from another security world.

NOTE: Following a restore operation, the DSM configuration in the Management Console is
replaced by the configuration stored in the backup copy. Any new encryption keys, policies,
hosts, or GuardPoints added since the last backup will be overwritten and lost.

NOTE: Unless this is a disaster recovery scenario where all DSMs have been lost, always backup
the current configuration before running a restore operation.

System-level restore of a virtual DSM

1. Locate the backup that is to be restored
2. Log on to the Management Console as an administrator of type System Administrator or All.

NOTE: If you already have the proper Wrapper Key imported, skip to Step 8.

3. Import wrapper keys. Select System > Wrapper Keys from the menu bar.
4. Select Import from the Operation pull-down menu.
5. Click the Add button.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 47
Restoring a DSM Backup

6. If key shares have created from the wrapper key, paste a Key Share value from one previously
stored with a custodian into the Key Share text field and click Ok.
Repeat steps 5 and 6 for each administrator selected as a key custodian if you have chosen to
have more than one custodian for the wrapper key. A key share must be imported for at least as
many as were specified by the Minimum Number of Custodians value when the wrapper key
was exported.
7. Click Apply to finish importing the wrapper key.
8. Restore the backup file. Select System > Backup and Restore from the menu bar.
9. Select the Restore tab.
10. Click Browse. Locate and select the backup file to restore.
11. If this is a disaster recovery, enable the Include User(s) check box.
12. Click the Ok button. The restored file uploads and the DSM disconnects from the Management
Console.
13. Log back on to the Management Console as an administrator of type Security or All. Verify that
the configuration is restored correctly.

Domain-level restore of a DSM

When restoring a domain-level backup, all host sharing and GuardPoints on shared hosts are
removed and users are not restored.
1. Locate the backup that is to be restored
2. Log on to the Management Console as an administrator of type Domain, Domain and Security, or
All.

NOTE: If you already have the proper Wrapper Key imported, skip to Step 8.

3. Import wrapper keys. Select System > Wrapper Keys from the menu bar.
4. Select Import from the Operation pull-down menu.
5. Click the Add button.
6. If key shares have created from the wrapper key, paste a Key Share value from one previously
stored with a custodian into the Key Share text field and click Ok.
Repeat steps 5 and 6 for each administrator selected as a key custodian if you have chosen to
have more than one custodian for the wrapper key. A key share must be imported for at least as
many as were specified by the Minimum Number of Custodians value when the wrapper key
was exported.
7. Click Apply to finish importing the wrapper key.
8. Restore the backup file. Select System > Backup and Restore from the menu bar.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 48
Automatic Backup

9. Select the Restore tab.

10. Click Browse. Locate and select the backup file to restore.

In the case of a domain-level restore, you will not be able to restore users and this option
will not be available.

11. Click Ok.

Once the restore operation is complete, verify that the configuration is restored correctly.

Warning! Following a restore operation, the DSM configuration in the Management

Console is replaced by the configuration stored in the backup copy. Any new
encryption keys, policies, hosts, or GuardPoints added since the date/time of the
backup file being used for the restore operation, will be overwritten and lost. If there
is a reason to do a selective restore from backup, then the following procedure is
recommended:
1. Export the keys created since the date/time of the backup file being used for
restore operation. Refer to the section on exporting/importing keys in the chapter on
“Configuring Keys and Key Groups”.
2. Restore from the backup file (note that this operation will replace the current DSM
configuration).
3. Import the keys created in step 1.

Automatic Backup
.....................................................................
The DSM system configuration information can be scheduled to be automatically backed up on
a daily or weekly basis using the Automatic Backup feature.
Automatic backups can also be configured at the domain level. To schedule an automatic
backup at the domain level, you must be logged into the domain for which the backup is to be
scheduled.

NOTE: Automatic backup is not available for KMIP-enabled domains. If you upload a KMIP
license to a DSM, any domains created after installing the license are KMIP enabled, in such a
scenario, automatic backup is not available from within a domain (global or local. Existing
domains (created prior to uploading a KMIP license), will not be KMIP enabled and therefore
the same restriction for automatic backup does not apply.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 49
Automatic Backup

In addition to scheduling a backup, there is also an option to run a scheduled backup

immediately and push the backup file to a configured external file server. To do this, you must
access a File Server (a UNIX or Windows host) that is network accessible by the DSM to store
the backup files.
The procedure to schedule an automatic backup is the same at the system level and at the
domain level.

Schedule an Automatic Backup

1. Select System > Backup and Restore > Automatic Backup in the Management Console, to open
the Automatic Backup page.
Figure 8: Automatic Backup Schedule for SCP

2. Enter the settings for the Automatic Backup Schedule and the External File Server where the
backup files will be stored.
Enter the following information in the Automatic Backup Schedule section:
a: Active Schedule: Choose either Daily or Weekly, the default is Weekly.
b: Time: Based on a 12-hour clock and the A.M./P.M. modifiers. Time is relative to the DSM
system clock.
c: Weekday: Select the day of the week on which to backup the DSM.
Enter the following information in the External File Server Settings section:
a. Active Settings: Select SCP or Windows Share. This configures the mode in which to copy the
generated backup file to the remote system. SSH must be configured on the destination
system to use the SCP mode. The selected mode—SCP or Windows—determines the
subsequent configuration parameters that must be entered

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 50
Automatic Backup

SCP
If you select SCP, enter the following information (all fields marked with a red asterisk are
required):
• This Server Security's Credential: Click to Export. Click this to download the DSM server's
public key. Copy the public key onto the destination system and into
~/user/.ssh/authorized_keys. The DSM's public key is required to use SCP to copy the backup
file to the external file server.
• Target Host: Enter the host name, IP address, or FQDN of the destination system. If the
destination system has a File System Agent, you do not have to use the same host name as
configured in the Hosts window. You can use any recognized means of addressing the
destination system, just as long as it is recognized on your network.
• Target Host Fingerprint: The fingerprint value displayed is the fingerprint of the DSM public
key that is currently on the destination system. The fingerprint is retrieved from the
destination system and displayed in the Automatic Backup page during a backup. You can
verify if the public key on the destination system is current by comparing the key in
~user/.ssh/authorized_keys on the destination system with the key generated by Click to
Export.
• Target Directory: Enter the full path of the directory in which to copy the backup file.
• User Name: Enter the name of the user to perform the copy operation. The name entered
must be a valid user on the destination system. Also, copy the public key into the
~/.ssh/authorized_keys file in the home directory of the user you specify in this text-entry box.
A password is not required for the SCP user because a public key is used to authenticate the
SCP user.

Windows Share
If you select Windows Share, enter the following information (all fields marked with a red
asterisk are required):
• Network Host: Host name, IP address, or FQDN of the destination system.
• Network Directory: The shared folder path to which to copy the backup file.
• User Name: The name of the user to perform the copy operation. The name entered must be
a valid user on the destination system.
• Password: The password for User Name. Sometimes a domain is required for user
authentication. To include the user domain, append the domain to the user name in the form
user @domain. For example, [email protected].
• Confirm Password: Re-enter the password for User Name.
Click Ok to save the configuration settings currently displayed on the Automatic Backup page,
changes to the settings are stored in cache until you click Ok.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 51
Automatic Backup

Figure 9: Automatic Backup schedule for Windows Share

3. Click Ok to save the configuration settings or click Backup Now to immediately create a backup
using the current configuration. This is an easy way to the test network connection and login
credentials of the configuration settings you just made.
4. After a successful backup, look in the specified Target Directory on the Target Host to see the
backup files.
Example:
backup_config_myDSM.corp.com_v5.3.1.0_1716_yyyymmdd_hhmm.txt

Schedule an immediate backup

You can also schedule an immediate backup once you have made all your selections:
1. Click Backup Now to create a backup immediately using the current configuration.
This is an easy way to the test network connection and login credentials of the configuration
settings you just made.

Remove schedule and settings

Click Remove Schedule and Settings to clear all the fields in both the Daily and Weekly
configurations. For SCP mode backups, this means the public key is removed, and a new one
has to be generated. This new public key has to be copied to the destination system.
A new public key is automatically downloaded the next time you click Click to Export. If you
create a new key this way, you must also update the ~/.ssh/authorized_keys file on the
destination system because the SSH credentials have changed and will no longer be valid.

Vormetric Data Security Manager 5.3.1 Administrators Guide v2

 .....
Backing Up and Restoring the DSM 52
Automatic Backup

Vormetric Data Security Manager 5.3.1 Administrators Guide v2