
Backing up your data encryption key (DEK)

The DEK should be backed up immediately after you deploy your first VSatellite.

As long as at least one of your VSatellites is functioning, you don't need to restore the DEK from a backup copy because it's distributed to other VSatellites automatically. A DEK backup helps with recovery only if at least one VSatellite entry still exists in your Certificate Manager - SaaS account. If all VSatellites are deleted, recovery is impossible, even with a DEK backup.

Software-based DEK only

Backing up the DEK using vsatctl export is supported only when VSatellites use software-based DEK protection.

If your tenant is configured for HSM-protected DEK, exporting the DEK is not supported.

Prerequisites

Before backing up your DEK, make sure you have permission to run the vsatctl export command with root privileges.

Why do I have to run this command with root privileges?

The `vsatctl export` command connects to the VSatellite cluster, requiring access to credentials stored in `/etc/rancher/k3s/k3s.yaml`.

This file is only accessible to the `root` user.

If you are already logged in as the `root` user, you can omit the `sudo` command.

To back up your DEK

  1. Open a command prompt and connect to the server where a working VSatellite is running.
  2. Run the following command, replacing <secret_passphrase> and <path/to/dek/file.pem> with your own values:

    sudo ./vsatctl export --passphrase <secret_passphrase> --file <path/to/dek/file.pem>

    • <secret_passphrase>: Your specific secret passphrase.
    • <path/to/dek/file.pem>: The file path where you want to save the DEK.

    After running the command, store the DEK in a secure location.
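The following shell functions wrap the export step above and then check the resulting file before it is moved to secure storage. This is an added example, not vendor code: the function names and the `.sha256` sidecar file are hypothetical, and it assumes a root shell on the VSatellite host with GNU coreutils.

```shell
# Added example, not vendor code. Assumes a root shell on the VSatellite host
# (so sudo is omitted, which also keeps the passphrase out of sudo's command
# log) and GNU coreutils. Function names are hypothetical.

# Read the passphrase without echo so it stays out of shell history, then run
# the page's export command with a restrictive umask. The passphrase is still
# visible in the process list while vsatctl runs.
export_dek() {
    dek_file=$1
    dek_tty=$(stty -g) || return 1
    trap 'stty "$dek_tty"; exit 130' INT TERM
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r dek_pass; stty "$dek_tty"; printf '\n' >&2
    trap - INT TERM
    [ -n "$dek_pass" ] || { echo "empty passphrase" >&2; return 1; }
    ( umask 077 && ./vsatctl export --passphrase "$dek_pass" --file "$dek_file" )
    dek_rc=$?
    unset dek_pass
    return "$dek_rc"
}

# Succeed only if the backup is a regular, non-empty file owned by the
# current user with no group/other permission bits set.
check_dek_backup() {
    dek_file=$1
    if [ -L "$dek_file" ] || [ ! -f "$dek_file" ]; then
        echo "not a regular file: $dek_file" >&2; return 1
    fi
    [ -s "$dek_file" ] || { echo "empty file: $dek_file" >&2; return 1; }
    [ "$(stat -c '%u' "$dek_file")" = "$(id -u)" ] ||
        { echo "unexpected owner: $dek_file" >&2; return 1; }
    dek_mode=$(stat -c '%a' "$dek_file")
    [ $(( 0$dek_mode & 077 )) -eq 0 ] ||
        { echo "mode $dek_mode allows group/other access" >&2; return 1; }
}

# Write a SHA-256 sidecar so a copy in offline storage can be verified later.
record_dek_checksum() {
    ( cd "$(dirname "$1")" && umask 077 &&
      sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Re-check a (possibly relocated) copy against its sidecar file.
verify_dek_copy() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
# Usage: export_dek f.pem && check_dek_backup f.pem && record_dek_checksum f.pem
```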

What's next

Backing up your DEK is critical, but recovery is only possible if at least one VSatellite remains in your Certificate Manager - SaaS account.
