Skip to content

Backing up your data encryption key (DEK)

The DEK should be backed up immediately after you deploy your first VSatellite.

As long as at least one of your VSatellites is functioning, you don't need to restore the DEK from a backup copy because it's distributed to other VSatellites automatically. However, backing up the DEK can help you recover from the scenario in which all of your VSatellites have become permanently inoperable.

Prerequisites

Before backing up your DEK, review the following:

  • Have access to your Venafi API key.

    Where do I find my API key?

    In TLS Protect Cloud, click your user avatar, then click Preferences.

    Learn how to get an API key.

  • Have permission to run the vsatctl export command with root privileges.

    Why do I have to run this command with root privileges?

    The vsatctl export command connects to the VSatellite cluster, requiring access to credentials stored in /etc/rancher/k3s/k3s.yaml. This file is only accessible to the root user.

    If you are already logged in as the root user, you can omit the sudo command.

To back up your DEK

  1. Open a command prompt and connect to the server where a working VSatellite is running.
  2. Run the following command. Be sure to replace , , and with your own specific data:

sudo ./vsatctl export --api-key <api-key> --passphrase <secret_passphrase> --file path/to/dek/file.pem
- <api-key>: Your specific API key. - <secret_passphrase>: Your specific secret passphrase. - <path/to/dek/file.pem>: The file path where you want to save the DEK.

After running the command, store the DEK in a secure location.

What's next

If for any reason all of your VSatellites have become permanently inoperable, use the import command to restore the DEK.

Related links