Backup and Restore
It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups.
As a best practice, store backups on an archive server that is external from the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the Safeguard Backup Files (.sgb), use Delete to remove them from the desktop client application. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention settings.
For maximum backup protection, Appliance Administrators can configure the cluster wide GPG public key or password encryption. Either will protect all subsequent backups generated from each appliance in the cluster. GPG protection will apply when downloaded or archived. Password protection will apply when generated. For details, see:
Go to Backup and Restore:
web client: Navigate to 
Backup and Retention | Backup and Restore.
desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
The Backup and Restore page lists this information for the backups that are currently in the database.
Table 182: Backup and Restore: Properties
| Date |
The date of the backup |
|
Time
desktop client |
The time of the backup |
| Progress |
The status of the backup: Running or Complete |
| File Size (MB) |
The size of the backup file in megabytes |
| Appliance Name |
The name of the appliance |
| Appliance Version |
The version of the Safeguard for Privileged Passwords Appliance |
|
Protection Type |
Hover over an icon to view the type of protection:
 (default) Standard protection: No password or GPG key is required.
 GPG public key protection: A private key is required to upload the backup to be restored.
 Password protection: A password is required to restore the backup. |
| User |
The name of the user that created the backup |
| Last Archived Date |
The date the selected backup ran |
| Archive Server Name |
The name of the server on which the backup was archived |
|
File Name |
The Safeguard backup file name which is an .sgb file. |
Use these toolbar buttons to manage Safeguard for Privileged Passwords backups. The tools in the desktop client may be in a different order.
Table 183: Backup and Restore: Toolbar
 Run Now |
Create a backup copy of the data that is currently on the appliance. For more information, see Run Now. |
 Remove |
Remove the selected backup file from the Backups page and the Safeguard for Privileged Passwords database. The backup is immediately removed. |
|
 Download
|
Save the selected backup file in a location on your appliance. For more information, see Download a backup. |
|
( web client only) Download VM Compatible |
( web client) Use this option to download a VM compatible backup, which can then be uploaded and restored on a Safeguard for Privileged Passwords virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. To enable the option to download a VM compatible backup of a hardware appliance, see Authorize VM Compatible Backups (web client).
IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible. |
 Upload |
Retrieve a backup file from a file location and add it to the Backups page list. For more information, see Upload a backup. |
|
Restore |
For the selected backup file, overwrite the current data and restore Safeguard for Privileged Passwords to the selected backup. For more information, see Restore a backup. |
|
 Archive
|
Store the selected backup file on an external archive server. For more information, see Archive backup. |
 Settings |
|
 Refresh |
Update the list of backup files on the Backups page. |
Run Now
You can click Run Now to manually trigger and create a new backup. If password or GNU Privacy Guard (GPG) encryption is set for appliance or on the primary appliance for cluster-wide encryption, those encryption settings are enforced when you select Run Now.
If you have selected Send to archive server, the backup will be sent to the archive server. For more information, see Backup settings.
To create a new backup
- Navigate to Backup and Restore:
- web client: Navigate to Backup and Retention | Backup and Restore.
- desktop client: Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
- Click
Run Now. In the web client, an Adding backup file progress bar displays to let you know the process is Running.
- If password encryption is required on an appliance or a primary appliance for cluster-wide backup encryption, you are prompted to enter the password. If encryption is set, make sure the password or private GPG key is available for restoring the backup later, if necessary. For more information see, Backup and restore, Backup protection settings.
- Verify that the Safeguard Backup File (.sgb) has been created.
|
|
Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore. |
TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.
|
|
Caution: Safeguard for Privileged Passwords can not restore any access request workflow events in process at the time of a backup. |
|
|
CAUTION: When restoring a backup that was created with a Hardware Security Module integration in place, the encryption key used at the time of the backup creation needs to still be present and accessible by the Safeguard for Privileged Passwords appliance. If not, the appliance will not be able to verify the Hardware Security Module configuration used to encrypt the data in the backup. You will be allowed to continue with the restore, however the Safeguard for Privileged Passwords appliance will most likely Quarantine in the process, so this is not recommended. |
Download a backup
Safeguard for Privileged Passwordsallows you to save a selected backup file in a location on your computer. Safeguard for Privileged Passwords copies the selected backup file; it does not remove the backup from the list displayed on the Backup and Restore page. An Appliance Backup Downloaded event is generated and sent to the audit log when a backup is downloaded from the appliance. The event will note if the backup was downloaded as VM compatible. To remove a file from the list display, select the file and click Remove.
To download the backup file
- Go to Backup and Restore:
- web client: Navigate to Backup and Retention | Backup and Restore.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
-
Select a backup file:
-
Download: Use this option to save the selected backup file in a location on your appliance.
-
( web client only) Download VM Compatible: Use this option to download a VM compatible backup, which can then be uploaded and restored on a Safeguard virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. This is only available on hardware appliances once Authorize VM Compatible Backups (web client) has been requested and approved.
IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible.
- Based on your client:
-
web client: The .sgb file is downloaded to the browser's Download folder as defined in the browser settings. The file has a name similar to the following which includes the date: 946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb
NOTE: There is no difference in the downloaded backup filename for regular download versus VM Compatible download.
When y
- desktop client: Browse to select a location of your choice. Give the file a name and click OK.
Upload a backup
Safeguard for Privileged Passwordsallows you to retrieve a Safeguard Backup File (.sgb) from a file location and add it to the Safeguard for Privileged Passwords Backup and Restore page list for the appliance. For more information, see Restore a backup.
An Appliance Backup Uploaded event is generated and stored in the audit log when a backup is successfully uploaded to the appliance. An Appliance Backup Upload Failed event is generated and stored in the audit log when a backup upload fails on the appliance.
Backups generated and downloaded from a virtual machine can only be uploaded to a virtual machine. Backups generated and downloaded on hardware appliances can only be uploaded to a hardware appliance. Backups generated and downloaded as VM compatible on hardware appliances can only be uploaded to virtual machines.
To upload a backup file
IMPORTANT: Once you start uploading a backup, do not leave or refresh the page. Doing so will cause the browser to lose track of the upload and you will have to restart the process.
- If a GPG public key was used to encrypt the backup, the private key holder must decrypt the Safeguard Backup File (.sgb) before it can be uploaded to Safeguard for Privileged Passwords. For more information, see Backup protection settings.
- To upload Safeguard Backup File (.sgb), go to Backup and Restore:
- web client: Navigate to Backup and Retention | Backup and Restore.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
- Click
Upload.
- Browse to select the backup file and click Open. The Uploading backup file progress bar displays. When complete, the file is uploaded and is now available to be restored. For more information, see Restore a backup.
