Configuring and using Backup
The senhasegura backup files are encrypted using AES-256 encryption. To perform this procedure, you should be in contact with the senhasegura support team.
The senhasegura solution offers, in all its versions, support for system backup and password backup features. The objective of this function is to transfer a faithful copy of system settings and data to a backup server.
All backups performed by the senhasegura are stored in the client's backup solution. Thus, no data is stored in the solution's databases.
Using the solution senhasegura in production without performing the proper backup configuration may make system recovery impossible and cause loss of critical data in case of hardware failure or file system corruption.
The purpose of the backup resource is to allow the rescue of data information, application and system settings in case of data loss or unavailability of virtual or physical resources.
Generally, the backup is used to ensure the history of data in accordance with the company's backup policy, and to solve only the problem of recovery of historical information, not the availability of the solution.
senhasegura offers two types of backup:
Backup of secrets (Break the glass): guarantees that the privileged data registered in the passwords are available in encrypted format. The data can be stored in an external environment to the instance and protected by a master password for consultation in case of emergency. The backup of passwords is not used for system restoration, but for the client to have access to the credentials passwords even in case of total unavailability of the senhasegura solution.
System Backup: ensures that system information such as data, senhasegura settings or the environment where it is running, programs, applications and access records can be copied periodically to a client's backup repository following the client's security policies. This type of backup has a long reconstruction time and requires maneuvering space for its reconstitution.
Video Backup of proxy sessions: ensures that the video recordings of proxy sessions performed through senhasegura are available in encrypted format.
From version 3.10 Users and the Access Keys of the DevSecOps module are included in the password backup. The backup of the secrets (Console Credential and Access Keys) are performed in a dedicated directory.
Prerequisites for configuration
In order for the backup to be properly performed, and thus avoid compromising the client's data, the administrator must perform the following activities:
Having a remote unit available and accessible by senhasegura
The remote drive must be mounted on the file system of the Primary instance
Activate Orbit's backup system
Checking the senhasegura licenses
Passwords must not contain the characters \, & and ! in remote partition mapping
The purpose of system backup is to ensure the recovery of the environment and settings, as well as historical data. Data recovery occurs whenever information loss or failure is detected without possibility of correction by the system.
The backup routines are executed daily, at a predetermined time (5AM), and the data stored in the client's backup directory.
The following information must be provided:
Data for recovery
Configuration files (RECOMMENDED)
Database (RECOMMENDED)
Session logs (RECOMMENDED)
Videos (OPTIONAL, due to the great demand of storage volume)
Periodicity: Daily
Destination path and connection format: remote partition (CIFS, NFS) or remote server (RSync)
User and access passwords
E-mail alert for failure cases
Events of unavailability of backup infrastructure should be treated as high criticality. These incidents should be resolved as soon as possible in order to avoid unavailability of password data.
The time period for storing the history depends on the client's backup management.
System backup configuration
To modify the senhasegura backup settings, access the Orbit menu and fill in the information:
I would like to enable backup application?: This option indicates if the application backup is active or inactive
I would like to also activate the backup session files?: This option indicates whether the backup of the session files will be active or inactive.These session files refer to the faithful video recordings of the performed proxy sessions.
I would like to mount a remote partition?: If this option is enabled, you can mount a remote partition for backup:
- How will the how to send the backup files?: This option indicates whether the backup files will be sent to a remote partition (via CIFS or NFS protocols) or to a remote server (via rsync protocol)
Click the Save button to finish the backup configuration.
This screen also has a shortcut button to add a remote partition, click the button if you wish and follow the instructions in the Managing disks and partitions section.
Restoring a backup
The senhasegura backup files are encrypted. To perform this procedure, you should be in contact with the senhasegura support team.
The backups executed are exported to the remote drive of the customer's choice. But a copy of the backup is kept inside the instance to speed up the restore process if necessary.
The senhasegura enginer will execute the backup file opening procedure (decrypt) to get the backup file ready to be restored.
Once the backup file is decrypted, the senhasegura engineer should use the orbit backup command line tool to restore the target version.
Warning. This procedure will restore all database data and schema to the desired past time. You should restore all other binaries if performed a system upgrade was between the current time and the selected backup file. The binary application files can be restored using the Debian APT tool.
Logs
You can observe the execution of the backup through the CRON schedule in the report Orbit Config Manager ➔ Logs ➔ Backup.
Backup Report
In the Credential Backup report under Settings ➔ Backup ➔ Credentials, you get information if the credential complies with the password policies.
1. Password Policy: Lists the password policy related to the credential, as configured. For example:
- Low
- Average
- High
two. Conformity:
Yes: In green, if the credential complies with the related policy
No: In red, if the credential does not comply with the related policy
At the time of backup, senhasegura checks the composition of the password with the policy and updates the information on whether or not it is adherent.