After you enable or change the AEK in Cloud Pak for Data System, you can back up the local
keystore.
Procedure
- Log in as apadmin or an equivalent user on any of the control nodes of the system.
- Run the following command:
apsedbackup backup --dir <directory path>
where <directory path> is a location in the Cloud Pak for Data System file system in which to create a compressed tar file.
Example output:
[apadmin@e1n1 ]# apsedbackup backup --dir /tmp/mysedbackup
Backed up key-store to /tmp/mysedbackup/sedsupport.tgz. Now you can move it to external system. After moving the backup outside, delete it from this node.
- Upload the backup to an external machine as a good security practice. Leaving the backup on
Cloud Pak for Data System can potentially give other non-secured users access to the AEK and
compromise the data-at-rest protection.
Example:
[apadmin@e1n1 ]# scp /tmp/mysedbackup/sedsupport.tgz myremoteuser@myremotesystem.domain.com:/backuprepo/latest-sedbackup.tgz
- After uploading the backup to the external machine, delete the file from the backup directory
in Cloud Pak for Data System.
Example:
[apadmin@e1n1 ]# rm -f /tmp/mysedbackup/sedsupport.tgz
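
The three steps above as one script, with a digest comparison added so the local copy is deleted only after the remote copy is confirmed intact. This is an added example, not part of the product or its documentation; the function names, the directory permission tightening, and the availability of sha256sum on the remote host are assumptions, and the archive name sedsupport.tgz is taken from the example output above.

```sh
#!/bin/sh
# Added example (not from the product documentation): back up the keystore,
# copy it off-node, and delete the local copy only once the remote copy's
# SHA-256 matches. Assumption: the remote host provides sha256sum over ssh.

# Print the SHA-256 digest of a local file.
local_sum() { sha256sum "$1" | awk '{print $1}'; }

# Hypothetical helper: delete the archive only when the digest reported by
# the remote side equals the local one; otherwise keep it and return 1.
remove_if_verified() {
    local file remote_digest
    file=$1; remote_digest=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if [ -n "$remote_digest" ] && [ "$(local_sum "$file")" = "$remote_digest" ]; then
        rm -f -- "$file"
    else
        echo "digest mismatch, keeping $file" >&2
        return 1
    fi
}

# Hypothetical wrapper for the whole procedure.
# Arguments: backup directory, remote as user@host, remote file path.
offload_sed_backup() {
    local dir remote remote_path archive digest
    dir=$1; remote=$2; remote_path=$3
    archive="$dir/sedsupport.tgz"      # file name from the page's example output
    (umask 077; mkdir -p "$dir") || return 1
    chmod 700 "$dir" || return 1       # keep other local users out while the file exists
    apsedbackup backup --dir "$dir" || return 1
    scp -q "$archive" "$remote:$remote_path" || return 1
    # If ssh fails the digest is empty, so the local copy is kept.
    digest=$(ssh "$remote" sha256sum "$remote_path" | awk '{print $1}')
    remove_if_verified "$archive" "$digest"
}

# Run the procedure only when called with exactly three arguments, e.g.:
#   sh offload.sh /tmp/mysedbackup myremoteuser@myremotesystem.domain.com /backuprepo/latest-sedbackup.tgz
if [ "$#" -eq 3 ]; then
    offload_sed_backup "$@"
fi
```

If the digest check fails, the archive stays on the node, so rerun the copy or remove the file by hand once the remote copy has been confirmed.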