Backup and restore practices
When a change occurs, such as adding or changing devices, keys, and certificates, you must back up the IBM Security Guardium Key Lifecycle Manager critical data. IBM Security Guardium Key Lifecycle Manager provides a task that creates a backup file of configuration files, database, and other data. You can restore this backup file to an operating system that is different from the one it was backed up from.
Warning: Failure to back up your critical data properly might result in unrecoverable loss of all access to your encrypted data. Do not encrypt your backup file, or store a backup file on an encrypting device. Failure to back up data might also result in a later inconsistency of the key manager and potential data loss on the storage device.
You can follow these practices:
- Maintain both a primary Guardium Key Lifecycle Manager server and at least one replica Guardium Key Lifecycle Manager server that run concurrently. Ensure that a storage device has access to its keys if the primary server fails.
  The Guardium Key Lifecycle Manager server does not provide automatic failover. You must separately set up the necessary device controls to ensure that the replica server is available if the primary server fails.
- Run the backup task whenever you add or change devices, keys, or certificates. Restore the IBM Security Guardium Key Lifecycle Manager backup file to a replica Guardium Key Lifecycle Manager server.
- Do not make changes to the Guardium Key Lifecycle Manager server on the replica computer under normal operating conditions in which a primary server is always available. If failure events cause significant activity on the replica server while the primary server is down, back up the replica server and restore the backup file to the primary server.
- Use only the IBM Security Guardium Key Lifecycle Manager backup and restore tasks to create a backup file. Use only IBM Security Guardium Key Lifecycle Manager to restore the data that the backup file contains. Do not take other manual steps to back up or to restore files.
- Keep backup files in a safe place, separate from the computer on which the Guardium Key Lifecycle Manager server runs. Ensure that the server function can be rebuilt on a replacement server if files on the primary Guardium Key Lifecycle Manager server are lost. These files might reside at a geographically separate location.