Backup and Restore
It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups.
As a best practice, store backups on an archive server that is external from the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the Safeguard Backup Files (.sgb), use Delete to remove them. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention.
For maximum backup protection, Appliance Administrators can configure cluster-wide GPG public key or password encryption. Either will protect all subsequent backups generated from each appliance in the cluster. GPG protection is applied when a backup is downloaded or archived. Password protection is applied when a backup is generated. For details, see:
Go to Backup and Restore:
- web client: Navigate to Backup and Retention > Backup and Restore.
The Backup and Restore page lists this information for the backups that are currently in the database.
Table 21: Backup and Restore: Properties
| Property | Description |
| --- | --- |
| Date | The date of the backup |
| Progress | The status of the backup: Running or Complete |
| File Size (MB) | The size of the backup file in megabytes |
| Appliance Name | The name of the appliance |
| Appliance Version | The version of the SPP Appliance |
| Protection Type | Hover over an icon to view the type of protection. (default) Standard protection: No password or GPG key is required. GPG public key protection: A private key is required to upload the backup to be restored. Password protection: A password is required to restore the backup. |
| User | The name of the user that created the backup |
| Last Archived Date | The date the selected backup ran |
| Archive Server Name | The name of the server on which the backup was archived |
| File Name | The Safeguard backup file name which is an .sgb file. |
Use these toolbar buttons to manage SPP backups.
Table 22: Backup and Restore: Toolbar
| Option | Description |
| --- | --- |
| Run Now | Create a backup copy of the data that is currently on the appliance. For more information, see Run Now. |
| Remove | Remove the selected backup file from the Backups page and the SPP database. The backup is immediately removed. |
| Download | Save the selected backup file in a location on your appliance. For more information, see Download a backup. |
| Download VM Compatible | Use this option to download a VM compatible backup, which can then be uploaded and restored on a SPP virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. To enable the option to download a VM compatible backup of a hardware appliance, see Authorize VM Compatible Backups. IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible. |
| Upload | Retrieve a backup file from a file location and add it to the Backups page list. For more information, see Upload a backup. |
| Restore | For the selected backup file, overwrite the current data and restore SPP to the selected backup. For more information, see Restore a backup. |
| Archive | Store the selected backup file on an external archive server. For more information, see Archive backup. |
| Settings | |
| Refresh | Update the list of backup files on the Backups page. |
Run Now
You can click Run Now to manually trigger and create a new backup. If password or GNU Privacy Guard (GPG) encryption is set for the appliance, or on the primary appliance for cluster-wide encryption, those encryption settings are enforced when you select Run Now.
If you have selected Send to archive server, the backup will be sent to the archive server. For more information, see Backup settings.
CAUTION: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.
TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.
CAUTION: SPP cannot restore any access request workflow events in process at the time of a backup.
CAUTION: When restoring a backup that was created with a Hardware Security Module integration in place, the encryption key used at the time of the backup creation needs to still be present and accessible by the SPP appliance. If not, the appliance will not be able to verify the Hardware Security Module configuration used to encrypt the data in the backup. You will be allowed to continue with the restore; however, the SPP appliance will most likely Quarantine in the process, so this is not recommended.
Download a backup
SPP allows you to save a selected backup file in a location on your computer. SPP copies the selected backup file; it does not remove the backup from the list displayed on the Backup and Restore page. An Appliance Backup Downloaded event is generated and sent to the audit log when a backup is downloaded from the appliance. The event will note if the backup was downloaded as VM compatible. To remove a file from the list display, select the file and click Remove.
To download the backup file
- Go to Backup and Restore:
  - web client: Navigate to Backup and Retention > Backup and Restore.
- Select a backup file:
  - Download: Use this option to save the selected backup file in a location on your appliance.
  - Download VM Compatible: Use this option to download a VM compatible backup, which can then be uploaded and restored on a Safeguard virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. This is only available on hardware appliances once Authorize VM Compatible Backups has been requested and approved.
    IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible.
- The .sgb file is downloaded to the browser's Download folder as defined in the browser settings. The file has a name similar to the following, which includes the date: 946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb
  NOTE: There is no difference in the downloaded backup filename for regular download versus VM Compatible download.
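The following check is an added example, not part of the SPP product or its documentation. It reads the date embedded in downloaded .sgb file names and flags backups that are older than the Maximum Password Age (the lockout case described in the Run Now caution), plus gaps between consecutive backups that exceed it. Assumptions: the name pattern is inferred from the single sample name above, the embedded time is compared as-is with no time zone conversion, and a Maximum Password Age of 0 means no limit.

```python
import re
from datetime import datetime, timedelta

# Pattern inferred from the sample file name on this page (assumption):
# <32 hex characters>_Safeguard_Backup_<YYYYMMDD>-<HHMMSS>.sgb
SGB_NAME = re.compile(r"^[0-9a-f]{32}_Safeguard_Backup_(\d{8}-\d{6})\.sgb$")

def parse_backup_time(filename):
    """Return the timestamp embedded in an .sgb file name, or None."""
    match = SGB_NAME.match(filename)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y%m%d-%H%M%S")
    except ValueError:  # right shape, impossible date or time
        return None

def review_backups(filenames, max_password_age_days, now):
    """Sort archived backups into (safe, stale, gaps, unparsed).

    stale: older than the Maximum Password Age, so a restore locks out users.
    gaps:  consecutive backups spaced at least that far apart.
    A value of 0 is treated as "no maximum age" (assumption).
    """
    stamped, unparsed = [], []
    for name in filenames:
        ts = parse_backup_time(name)
        if ts is None:
            unparsed.append(name)
        else:
            stamped.append((ts, name))
    stamped.sort()
    if max_password_age_days == 0:
        return [n for _, n in stamped], [], [], unparsed
    limit = timedelta(days=max_password_age_days)
    safe = [n for ts, n in stamped if now - ts <= limit]
    stale = [n for ts, n in stamped if now - ts > limit]
    gaps = [(a[1], b[1]) for a, b in zip(stamped, stamped[1:])
            if b[0] - a[0] >= limit]
    return safe, stale, gaps, unparsed

# Constructed listing: the first name is the sample from this page, the rest are made up.
SAMPLE = [
    "946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb",
    "0123456789abcdef0123456789abcdef_Safeguard_Backup_20200801-020000.sgb",
    "fedcba9876543210fedcba9876543210_Safeguard_Backup_20200825-020000.sgb",
    "0123456789abcdef0123456789abcdef_Safeguard_Backup_20201340-020000.sgb",
    "notes.txt",
]

if __name__ == "__main__":
    print(review_backups(SAMPLE, 42, datetime(2020, 9, 1, 12, 0, 0)))
```

Run it against the directory listing of the archive server or download folder, passing the Maximum Password Age configured in Local Login Control; any name in the stale list should not be restored without first applying the workaround from the caution.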
Upload a backup
SPP allows you to retrieve a Safeguard Backup File (.sgb) from a file location and add it to the SPP Backup and Restore page list for the appliance. For more information, see Restore a backup.
An Appliance Backup Uploaded event is generated and stored in the audit log when a backup is successfully uploaded to the appliance. An Appliance Backup Upload Failed event is generated and stored in the audit log when a backup upload fails on the appliance.
Backups generated and downloaded from a virtual machine can only be uploaded to a virtual machine. Backups generated and downloaded on hardware appliances can only be uploaded to a hardware appliance. Backups generated and downloaded as VM compatible on hardware appliances can only be uploaded to virtual machines.
To upload a backup file
IMPORTANT: Once you start uploading a backup, do not leave or refresh the page. Doing so will cause the browser to lose track of the upload and you will have to restart the process.
- If a GPG public key was used to encrypt the backup, the private key holder must decrypt the Safeguard Backup File (.sgb) before it can be uploaded to SPP. For more information, see Backup protection settings.
- To upload a Safeguard Backup File (.sgb), go to Backup and Restore:
  - web client: Navigate to Backup and Retention > Backup and Restore.
- Click Upload.
- Browse to select the backup file and click Open. The Uploading backup file progress bar displays. When complete, the file is uploaded and is now available to be restored. For more information, see Restore a backup.