SOAR KeyVault backup

The KeyVault stores all of the passwords that are used in the SOAR Platform. If the KeyVault is lost, it results in a considerable loss of data. For that reason, the SOAR Platform writes a backup of the KeyVault files to the system database when passwords are added or removed, and after each system upgrade. For example, a backup is written to the database when you add a Threat Source, such as IBM® X-Force® Exchange.

The default installation includes the KeyVault password in this backup. If the KeyVault password is encrypted, the encrypted password is backed up.

As a result, if you already back up your database, that backup includes your KeyVault backup. If you choose not to back up your KeyVault password (should_backup_password is set to false in keys.properties), you must ensure that the KeyVault files are backed up separately.

To restore the most recent backup, use the following command.
sudo resutil keyvaultrestore -dir <directory>

The -dir argument specifies the location where you want to restore the backup. This command restores the backup from the database to the directory that you specified. If the existing KeyVault is lost or corrupted, you can use the backup by renaming the directory to /crypt/keyvault. Make sure that the permissions and ownership of the files are the same as the original.

To restore a different backup, you must provide the -date argument, which is specified in this format, yyyy-MM-ddThh:mm:ss. For example,
sudo resutil keyvaultrestore -dir somedir -date 2020-05-26T11:00:00
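
The restore step above asks you to make sure that permissions and ownership match the original before the restored directory is renamed to /crypt/keyvault. The following is an added example, not part of the SOAR tooling: a shell function that compares a restored directory against a reference directory. It assumes GNU stat and that a directory with the original permissions (for example, the existing /crypt/keyvault before it is moved aside) is still available; the function names are hypothetical.

```shell
# Added example: compare mode and ownership of a restored KeyVault directory
# against a reference directory. Assumes GNU stat (stat -c), as on Linux.

# Print "octal-mode uid:gid" for one path (symlinks are not followed).
perm_of() { stat -c '%a %u:%g' "$1"; }

# keyvault_perm_diff REFERENCE_DIR RESTORED_DIR
# e.g. keyvault_perm_diff /crypt/keyvault <directory>
# Prints one line per difference. Returns 0 if the trees match, 1 if not, 2 on usage error.
keyvault_perm_diff() {
    ref=$1; new=$2; rc=0
    if [ ! -d "$ref" ] || [ ! -d "$new" ]; then
        echo "usage: keyvault_perm_diff REFERENCE_DIR RESTORED_DIR" >&2
        return 2
    fi
    list=$(mktemp) || return 2
    # Pass 1: every entry in the reference tree must exist in the restored
    # tree with the same mode and the same numeric owner and group.
    (cd "$ref" && find . -print) > "$list"
    while IFS= read -r rel; do
        if [ ! -e "$new/$rel" ] && [ ! -L "$new/$rel" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        want=$(perm_of "$ref/$rel")
        got=$(perm_of "$new/$rel")
        if [ "$want" != "$got" ]; then
            echo "DIFFERS  $rel  reference=$want restored=$got"; rc=1
        fi
    done < "$list"
    # Pass 2: report entries that exist only in the restored tree.
    (cd "$new" && find . -print) > "$list"
    while IFS= read -r rel; do
        if [ ! -e "$ref/$rel" ] && [ ! -L "$ref/$rel" ]; then
            echo "EXTRA    $rel"; rc=1
        fi
    done < "$list"
    rm -f "$list"
    return "$rc"
}
```

Run it as root so that every file in both trees can be read, and rename the restored directory into place only when it returns 0.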