Skip to content

Recovering lost VSatellites

Use this procedure to recover a disconnected VSatellite that appears in a Lost Connection state on the VSatellites page. You can use the Recovery wizard to restore a single node or perform a full disaster recovery if all VSatellites are lost.

The Recovery wizard supports both scenarios:

  • Disaster recovery – When all of your VSatellites are unreachable, you’ll need to manually supply a previously exported DEK file and passphrase.
  • Node reinstallation – When one or more VSatellites are lost but at least one is still active, you only need to supply a recovery code. The DEK is handled automatically.

Prerequisite

Before starting the recovery process, ensure that you have:

  • The vsatctl CLI must be available on the host performing the recovery and make sure you are running the latest version.
  • The passphrase for the DEK used in your environment; this is the passphrase you used when exporting the DEK.
  • The recovery code provided by the wizard (included when you copy the command).
  • For disaster recovery only: a previously exported DEK file; this is the backup copy of your DEK. Learn more

To recover a disconnected VSatellite

  1. Sign in to Venafi Control Plane.
  2. Click Configurations > VSatellites.
  3. Locate a VSatellite with status Lost Connection.
  4. Click Recover.
    • This button appears only on disconnected nodes.
    • In a disaster recovery scenario (all nodes disconnected), the Recover button appears on all nodes.
    • In a node reinstallation scenario, it appears only on the affected node. Recover option appears only when all VSatellites are lost
  5. In Step 1 – Download:
    • (Optional) Click the system requirements link to review prerequisites.
    • Click Copy to copy the vsat download command and run it in your terminal.
    • Click Continue.
  6. In Step 2 – Preflight:
    • Review the system requirements again if needed.
    • Click Copy to copy the preflight check command and run it in your terminal.
    • Verify the output is successful.
    • Click Continue.

  7. In Step 3 – Recover:

    • Click Copy to copy the vsatctl recover command, paste it into your terminal, and then edit the following, depending on your situation:
      • If this is a disaster recovery, specify the path to your DEK file (--dek /path/to/dek.pem), and enter the DEK passphrase.
      • If this is a node reinstallation, you do not need to specify the DEK file.
    • In both cases:

      • The recovery code should be included in the command you copied from the wizard.

        Example: 

        chmod +xx ./vsatctl && sudo ./vsatctl recover\
  --dek /backup/dek115.pem \
  --passphrase P23x225zw \
  --recovery-code d8923dc2-0a89-8765-b416-8c9693847122

  8. After the command completes, click Test to verify that the VSatellite is online.

    If the test fails, ensure the recovery command completed successfully, then rerun the test.

  9. Click Done to close the wizard.

The restored VSatellite should now appear in Active state on the TLS Protect Cloud dashboard and resume communication with the control plane.

No additional configuration is required. The recovered VSatellite replaces the original one in the system, and all settings or services that were using the old node will continue to work with the recovered node automatically.