Backup & Disaster Recovery
Ensuring business continuity requires robust backup and recovery strategies for your signing infrastructure.
Key Backup
- HSM Backups: Rely on vendor-specific backup mechanisms (e.g. nCipher Security World, Thales Backup tokens).
- Wrapped Keys: Export keys only in wrapped format using a transport key.
- Auditing: Log all backup and restore operations securely.
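
What a wrapped export gives a backup, as an added example that is not code from this page or from any HSM vendor: AES Key Wrap (RFC 3394) under a transport key, where unwrapping fails if the blob was altered or the wrong transport key is supplied. The choice of RFC 3394 and the names `Wrap`, `Unwrap` and `kw` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

var iv = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 default IV
// kw runs the 6n RFC 3394 rounds over A || R[1..n]; unwrap runs them in reverse.
func kw(kek, in []byte, unwrap bool) ([]byte, error) {
	c, err := aes.NewCipher(kek) // transport key must be 16, 24 or 32 bytes
	if err != nil || len(in) < 24 || len(in)%8 != 0 {
		return nil, errors.New("bad transport key or input length")
	}
	buf, b, n := append([]byte{}, in...), make([]byte, 16), len(in)/8-1
	for s := 0; s < 6*n; s++ {
		t := s + 1 // round counter t = n*j + i, ascending when wrapping
		if unwrap {
			t = 6*n - s
		}
		r := buf[8*((t-1)%n+1):][:8] // register R[i]
		copy(b, buf[:8])
		copy(b[8:], r)
		if unwrap {
			binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(b)^uint64(t))
			c.Decrypt(b, b)
		} else {
			c.Encrypt(b, b)
			binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(b)^uint64(t))
		}
		copy(buf[:8], b[:8])
		copy(r, b[8:])
	}
	return buf, nil
}

// Wrap protects key (16+ bytes, multiple of 8) under the transport key kek.
func Wrap(kek, key []byte) ([]byte, error) {
	return kw(kek, append(append([]byte{}, iv...), key...), false)
}
// Unwrap returns the key only if the recovered integrity value equals the IV.
func Unwrap(kek, blob []byte) ([]byte, error) {
	buf, err := kw(kek, blob, true)
	if err != nil || subtle.ConstantTimeCompare(buf[:8], iv) != 1 {
		return nil, errors.New("unwrap failed: wrong transport key or altered blob")
	}
	return buf[8:], nil
}
```

The wrapped blob is 8 bytes longer than the key, and a restore drill can treat a failed `Unwrap` as evidence of damaged media or a mismatched transport key.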
Disaster Recovery
- Maintain active-active or active-passive HSM clusters across regions.
- Perform regular unauthorized restoration drills to verify backup integrity.
- Define RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for signing services.
Considerations
- Never back up private keys in plaintext.
- Store backup media in secure, offline storage (e.g. physical safe).
- Use quorum authorization for key restoration operations.