Restoring the data encryption key (DEK)

Because your DEK contains key material shared among your VSatellites, the ability to restore it from a backup is critical.

You should only restore your DEK in cases where none of your VSatellites are operable. If you have at least one remaining and functioning VSatellite, you don't need to restore the DEK because it's distributed to other VSatellites automatically.

If you have no remaining, functioning VSatellites, use the vsatctl import command to restore the DEK. You can only restore DEKs for which you've created a backup.

Prerequisites

Before restoring your DEK, review the following:

  • Prepare to deploy a new VSatellite.

  • Have access to your Venafi API key.

    Where do I find my API key?

    In TLS Protect Cloud, click your user avatar, then click Preferences.

    Learn how to get an API key.

  • Have permission to run the vsatctl import command with root privileges.

    Why do I have to run this command with root privileges?

    The vsatctl import command connects to the VSatellite cluster, requiring access to credentials stored in /etc/rancher/k3s/k3s.yaml. This file is only accessible to the root user.

    If you are already logged in as the root user, you can omit sudo from the command.

To restore a DEK

  1. Deploy a new VSatellite.
  2. From a command prompt, connect to the server where your new VSatellite is running.
  3. Run the following command:
     sudo ./vsatctl import --api-key <api-key> --file path/to/dek/file.pem --passphrase <secret_passphrase>

After running the command, the DEK is redistributed to the functioning VSatellite and your DEK is restored.
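
A pre-flight wrapper for the import step above, as an added example that is not part of the Venafi documentation or the vsatctl tool: it checks that k3s.yaml is readable and that the backup looks like an owner-only PEM file, then prompts for the API key and passphrase instead of typing them on the command line. The function names, exit codes, the owner-only permission policy and the PEM-header check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks and secret prompting around `vsatctl import`.
# Function names and the exit-code scheme are this example's own.

# dek_preflight KUBECONFIG DEK_FILE
# Returns 0 if ready, 1 kubeconfig unreadable (not root), 2 backup missing,
# 3 backup is not PEM, 4 backup readable by group or others.
dek_preflight() {
    pf_kube=$1; pf_dek=$2
    [ -r "$pf_kube" ] || { echo "cannot read $pf_kube: run as root" >&2; return 1; }
    [ -f "$pf_dek" ] && [ -r "$pf_dek" ] || { echo "no DEK backup at $pf_dek" >&2; return 2; }
    # Assumption: the backup is a PEM file, so it contains a BEGIN line.
    grep -q -e '-----BEGIN ' "$pf_dek" || { echo "$pf_dek is not PEM" >&2; return 3; }
    # Policy of this example: key material is readable by its owner only.
    if [ -n "$(find "$pf_dek" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$pf_dek is readable by group/others: chmod 600 it" >&2; return 4
    fi
    return 0
}

# prompt_secret LABEL: read one line without echo, print it on stdout.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; trap 'stty echo' INT TERM
    IFS= read -r ps_value; stty echo; trap - INT TERM
    printf '\n' >&2
    printf '%s' "$ps_value"
}

# dek_restore DEK_FILE: run the import from the page after the checks pass.
dek_restore() {
    dek_preflight /etc/rancher/k3s/k3s.yaml "$1" || return $?
    dr_key=$(prompt_secret "Venafi API key")
    dr_pass=$(prompt_secret "DEK passphrase")
    # Prompting keeps both secrets out of shell history; they are still
    # present in the process arguments while vsatctl runs.
    ./vsatctl import --api-key "$dr_key" --file "$1" --passphrase "$dr_pass"
}
# Usage (as root, from the directory containing vsatctl):
#   dek_restore path/to/dek/file.pem
```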
