Backup
Backup options
For customers who use a backup agent, we suggest installing the agent on the same server as the remote directory that will store the backup files.
senhasegura supports the following backup options:
- Backup of secrets (Break the glass): Ensures that all confidential data is encrypted. The data can then be stored in an external device – other than the senhasegura instance – and be fully protected, accessible only via a master key in case of emergencies. This backup is not used for system recovery but rather as a way for customers to access their credentials even if senhasegura becomes completely unavailable.
- System Backup: Periodically stores system information such as data, settings for senhasegura and the environment running it, software, applications, and access records in one of the customer's backup repositories and in compliance with the customer's own security policies. Reconstruction may be very time-consuming and requires a lot of disk space.
- Video Backup of proxy sessions: Ensures that all video recordings of senhasegura proxy sessions are encrypted.
The backup of secrets and the system backup are created automatically once the backup feature is enabled and set up. To back up the video recordings of proxy sessions, find the option Enable session file backup? and choose Yes.
You will receive an email or SIEM notification if the system loses access to the remote backup directory.
Mount Backup partition
If you want to create your backup on a remote disk partition, go to Orbit Config Manager ➔ Settings ➔ Backup. This can be done via CIFS or NFS, or directly using RSYNC. Set the parameter Mount a remote partition? to Yes.
Backup via CIFS or NFS
To create a senhasegura backup via CIFS or NFS:
- Select the option Mount a remote partition (via CIFS or NFS).
- Click Add remote partition. This will open a new window.
- Populate the Remote host and Remote path fields with the details of the server that will store the backup. E.g.,
- Remote host: myserver.com or 10.10.1.5
- Remote path: /files/backup/senhasegura
- Select the protocol:
- Samba (CIFS): requires a user with enough privilege to write files in the directory specified in Remote path. Otherwise, senhasegura will not be able to mount the partition or create the backup. Optional: add a domain if your host server requires it.
- Network File System (NFS): if you choose an NFS mount, don't forget to add senhasegura's IP address to the settings of your Remote NFS Host. Otherwise, senhasegura will not be able to mount the partition or create the backup.
Previously registered credentials can be used as an authentication method. Go to Settings ➔ System parameters ➔ System parameters ➔ Application and add the chosen credential to the field Remote backup credential.
Do not use passwords that contain the characters \, &, and ! in remote partition mappings.
Backup via Rsync
Requirements
- A user with permission to use Rsync in the target backup device.
- A directory owned by the Rsync user to be used for the backup, for example, /home/senhauser/backup_rsync
- Rsync installed in the backup server
To create senhasegura backups via Rsync, you first have to set up an Rsync server and allow access to the backup server using a public key.
Rsync backups require an SSH key. Add the public key of your senhasegura root user to the list of authorized keys in the backup user’s device.
How to setup Rsync backup
Step 1 - Setting up senhasegura's system backup
- Select the option Send to a remote Linux server (via RSYNC)
- Add the backup User
- Add the backup Server's hostname or IP address, e.g., myserver.com or 10.10.1.5
- Add the Remote path for the backup directory, e.g., /files/backup/senhasegura
Step 2 - Setting up your credentials backup
- Go to Orbit ➔ Settings ➔ Backup
- Turn on system and video backups
- Configure a remote partition using Rsync
- Enter the username, device IP address, and path of the backup folder
Step 3 - Get the public key of the root user
- Log in to your senhasegura server as user mt4adm, using SSH and port 59022.
- To get the public key, run the command sudo cat /root/.ssh/id_rsa.pub :
$ sudo cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChIgNXVHrjq3ECwVytNb9k2liB5vGFNNtTDdwSYaYW/WQ8 NC0yq70BxcmaQWwFddWfQIQVjMw2WZNkroTsinEZkLHBUN12eMMwNB4izo0iQ70IB8wSj2lQbl/G AYyzQCZQRo486eFHFJVIaTviDpf32D/O6qz6JGvCpRRzx7owZhuscJGfUesl/q0sCZ9DUn79TLtj /lIC+na4s5c1g/SYyO7IkdwQBkeeXJSasdqwe34gbcvbdf5dL5f00EIIEHclg5tBxmt9UQ2yRXu1 GbkbdFF5tllNdUfgy4Eb7K8kCTm/djb1ljzWiZodtzas+gPWZOHWaV8nAl17Zc1+xeL shbupk
- Copy the public key from the terminal output.
- Log into the backup server and paste this public key into the “authorized_keys” file of the backup user. This should be the same user specified during the Rsync setup in senhasegura.
vim /home/rsync/.ssh/authorized_keys
Step 4 - Test Rsync backup
- Log in to your senhasegura server as user mt4adm, using SSH and port 59022.
- Run the following command:
sudo orbit backup create
- The command will return an output with the Rsync confirmation and transfer time.
- Check if you can see the files in the Remote path specified for the backup server.
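If the test in Step 4 fails, the usual causes are on the backup server side. The following preflight check covers the Requirements list and the key placement from Step 3; it is an added example, not senhasegura code, and the function name, the RSYNC_BIN override and the four arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight checks to run on the backup server (not vendor code).
RSYNC_BIN=${RSYNC_BIN:-rsync}   # hypothetical override, lets the check be exercised anywhere

# Octal mode and owner name of a path (GNU/busybox stat, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_backup_target USER BACKUP_DIR AUTHORIZED_KEYS PUBKEY_FILE
# Prints one FAIL line per problem and returns the number of problems found.
check_backup_target() {
    user=$1; dir=$2; auth=$3; pub=$4; fails=0

    command -v "$RSYNC_BIN" >/dev/null 2>&1 ||
        { echo "FAIL: $RSYNC_BIN is not installed"; fails=$((fails + 1)); }

    # Requirement: the backup directory exists and belongs to the Rsync user.
    if [ ! -d "$dir" ] || [ "$(owner_of "$dir")" != "$user" ]; then
        echo "FAIL: $dir missing or not owned by $user"; fails=$((fails + 1))
    fi

    if [ ! -f "$auth" ]; then
        echo "FAIL: $auth not found"; return $((fails + 1))
    fi

    # sshd's StrictModes (on by default) refuses public-key login when
    # authorized_keys or its directory is group- or world-writable.
    for p in "$auth" "$(dirname "$auth")"; do
        case "$(mode_of "$p")" in
            *[2367]?|*[2367]) echo "FAIL: $p is group/world-writable"
                              fails=$((fails + 1)) ;;
        esac
    done

    # Match on key type + base64 body only; the trailing comment may differ.
    key=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    if [ -z "$key" ] || ! grep -qF -- "$key" "$auth"; then
        echo "FAIL: key from $pub is not in $auth"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: sh <script> USER BACKUP_DIR AUTHORIZED_KEYS PUBKEY_FILE
if [ "$#" -eq 4 ]; then check_backup_target "$@"; fi
```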
Backup log file
To check the backup logs:
- Log in to your senhasegura server as user mt4adm, using SSH and port 59022.
- Run the command:
tail -f /var/log/orbinibkp.log