Backup & Restore
Protect your SSH-KLM deployment with comprehensive backup strategies.
What to Backup
| Component | Location | Priority |
|---|---|---|
| Database | PostgreSQL | Critical |
| Configuration | /etc/ssh-klm/ | Critical |
| Encryption Keys | Vault/KMS | Critical |
| Agent Backups | /var/lib/ssh-klm/backups | High |
| Logs | /var/log/ssh-klm/ | Medium |
Database Backup
PostgreSQL Dump

```bash
# Full backup
pg_dump -h localhost -U sshklm -d sshklm_production \
  --format=custom \
  --file=/backup/sshklm-$(date +%Y%m%d).dump

# Compressed backup
pg_dump -h localhost -U sshklm -d sshklm_production \
  | gzip > /backup/sshklm-$(date +%Y%m%d).sql.gz
```

Automated Backup Script

```bash
#!/bin/bash
# Abort on the first failure so a failed dump never reaches the cleanup step
set -euo pipefail
# Dumps and config archives contain secrets: create them owner-only
umask 077

BACKUP_DIR="/backup/sshklm"
RETENTION_DAYS=30
DATE=$(date +%Y%m%d_%H%M%S)

# Create backup directory
mkdir -p "$BACKUP_DIR"

# Database backup
pg_dump -h localhost -U sshklm -d sshklm_production \
  --format=custom \
  --file="$BACKUP_DIR/db-$DATE.dump"

# Configuration backup
tar -czf "$BACKUP_DIR/config-$DATE.tar.gz" \
  /etc/ssh-klm/ \
  /var/lib/ssh-klm/

# Cleanup old backups
find "$BACKUP_DIR" -type f -mtime +"$RETENTION_DAYS" -delete

echo "Backup completed: $DATE"
```

Cron Schedule

```bash
# Daily at 2 AM
0 2 * * * /opt/scripts/backup-sshklm.sh >> /var/log/sshklm-backup.log 2>&1
```

Configuration Backup

```bash
# Backup configuration
tar -czf sshklm-config-backup.tar.gz \
  /etc/ssh-klm/ \
  /opt/ssh-klm/.env

# Include Kubernetes secrets (if applicable)
kubectl get secrets -n ssh-klm -o yaml > k8s-secrets-backup.yaml
```

Encryption Key Backup
⚠️ Critical: Without encryption keys, backed-up data cannot be restored.
HashiCorp Vault

```bash
# Export Vault data (requires root token)
vault operator raft snapshot save vault-snapshot.snap
```

AWS KMS

KMS keys are managed by AWS. Ensure:
- Key deletion protection is enabled
- Cross-region replica exists
- Key policy allows recovery
Restore Procedures
Database Restore

```bash
# Stop SSH-KLM services
sudo systemctl stop ssh-klm

# Restore database
pg_restore -h localhost -U sshklm -d sshklm_production \
  --clean --if-exists \
  /backup/sshklm-20260106.dump

# Start services
sudo systemctl start ssh-klm
```

Configuration Restore

```bash
# Restore configuration
sudo tar -xzf sshklm-config-backup.tar.gz -C /

# Verify configuration
sudo ssh-klm config validate

# Restart services
sudo systemctl restart ssh-klm
```

Full Disaster Recovery

- Provision infrastructure (same or new)
- Restore encryption keys to Vault/KMS
- Restore database from backup
- Restore configuration files
- Re-register agents (if needed)
- Verify connectivity and data integrity
Verification

```bash
# Test backup integrity
pg_restore --list /backup/sshklm-20260106.dump

# Verify database consistency
ssh-klm admin db:verify
```
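
The commands above confirm that a dump can be listed and that the database is consistent. The following added example (not part of the SSH-KLM documentation or tooling) also detects backup files that were altered, removed, or left readable by other users. It assumes the `db-*.dump` and `config-*.tar.gz` names from the backup script; `MANIFEST.sha256` is a hypothetical file name chosen here.

```bash
#!/bin/bash
# Added example: integrity manifest and permission audit for SSH-KLM backups.
# Assumes the db-*.dump / config-*.tar.gz naming from the backup script;
# MANIFEST.sha256 is a hypothetical file name chosen for this example.
MANIFEST="MANIFEST.sha256"

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record a digest for every backup artifact in the directory.
write_manifest() {
    local dir="$1" f
    ( cd "$dir" || exit 1
      : > "$MANIFEST.tmp"
      for f in db-*.dump config-*.tar.gz; do
          [ -f "$f" ] || continue
          printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$MANIFEST.tmp"
      done
      mv "$MANIFEST.tmp" "$MANIFEST" )
}

# Return 0 only if every artifact is listed, unmodified, and private.
verify_backups() {
    local dir="$1" f want _sum rc=0
    [ -f "$dir/$MANIFEST" ] || { echo "missing $MANIFEST" >&2; return 1; }
    for f in "$dir"/db-*.dump "$dir"/config-*.tar.gz; do
        [ -f "$f" ] || continue
        want=$(awk -v n="${f##*/}" '$2 == n { print $1 }' "$dir/$MANIFEST")
        if [ -z "$want" ]; then
            echo "UNLISTED  $f" >&2; rc=1
        elif [ "$want" != "$(sha256_of "$f")" ]; then
            echo "MODIFIED  $f" >&2; rc=1
        fi
        # Dumps and config archives contain secrets: no group/other access.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "EXPOSED   $f" >&2; rc=1
        fi
    done
    # A listed file that has disappeared is also a failure.
    while read -r _sum f; do
        [ -f "$dir/$f" ] || { echo "MISSING   $f" >&2; rc=1; }
    done < "$dir/$MANIFEST"
    return $rc
}
```

Call `write_manifest` as the last step of the backup script, after the retention cleanup, and run `verify_backups` before any restore. Keep a copy of the manifest off the backup host, since anyone who can rewrite a backup there can rewrite the manifest as well.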