Skip to content

Overview: Backing up and restoring VSatellites

VSatellites are designed to be lightweight and disposable (stateless), allowing you to add, remove, and reconnect them as needed.

Recovery behavior depends on how the tenant-level Data Encryption Key (DEK) is protected.

WARNING!

To recover successfully from a catastrophic event, backing up your DEK is not enough. You must also ensure at least one VSatellite remains in your Certificate Manager - SaaS account.

Best practices for VSatellite recovery

Carefully review and follow these best practices to ensure the proper functioning of your VSatellites:

  • Back up your DEK immediately after installing your first VSatellite.
  • Regularly verify that at least one VSatellite remains in your account.
  • Store your DEK backup in a secure, access-controlled location.
  • Never delete all VSatellite from your account—even with a DEK backup, recovery is impossible if none remain.
  • Periodically review your backup and recovery procedures with your team.

How DEK protection mode affects recovery

Software-based DEK

  • The DEK can be exported and backed up.
  • Disaster recovery is supported using a backed-up DEK file.
  • The Recovery wizard and vsatctl recover are supported.

HSM-protected DEK

  • The DEK is generated and stored in an HSM and cannot be exported.
  • Disaster recovery using a DEK backup is not supported.
  • The Recovery wizard and vsatctl recover are not supported.
  • Recovery depends on restoring access to the HSM and ensuring the DEK remains present in the configured partition.