OpsCenter has logic to back up a system_key along with the data encrypted by it. The backup process works fine, but the restore process for these backups has been broken, and is likely to fail, as far back as OpsCenter 5.2. It is still possible to restore from such a backup, but doing so requires a few additional steps.
- Recreate the system_key file. In the snapshot files, find the schema.json file for the dse_system keyspace. That file contains an entry for "opscenter-system-key". Put the contents of that entry in a file called system_key on all nodes in the cluster. The default location for DSE encryption keys is /etc/dse/conf, but the value is configurable in dse.yaml.
- Restore the dse_system keyspace from the backup by itself. This should be easy to do from the UI. This step is needed because a record in dse_system.encrypted_keys has to exactly match what the backed-up table used when encrypting data.
- Restore the rest of the backup. It should work at this point without any special effort.
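The first step above can be scripted. The following is an added example, not OpsCenter or DSE code: it assumes the "opscenter-system-key" entry holds a string and searches the whole document for it, because the article does not say where in schema.json the entry sits. The function names, the constructed sample file and the owner-only file mode are choices made for this example.

```python
import json
import os
import tempfile

KEY_ENTRY = "opscenter-system-key"  # entry name given in the article


def find_entry(node, name=KEY_ENTRY):
    """Depth-first search for `name`; its position in schema.json is not assumed."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_entry(child, name)
        if found is not None:
            return found
    return None


def recreate_system_key(schema_path, key_dir):
    """Write the backed-up key material verbatim to <key_dir>/system_key."""
    with open(schema_path, encoding="utf-8") as fh:
        value = find_entry(json.load(fh))
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"no usable {KEY_ENTRY!r} entry in {schema_path}")
    target = os.path.join(key_dir, "system_key")
    # O_EXCL refuses to overwrite a key already in place; 0o600 is owner-only.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(value)
    return target


def demo():
    """Run against a constructed schema.json; layout and key value are made up."""
    sample = {"keyspace": "dse_system",
              "extra": {KEY_ENTRY: "CONSTRUCTED-SAMPLE-KEY-MATERIAL"}}
    with tempfile.TemporaryDirectory() as tmp:
        schema = os.path.join(tmp, "schema.json")
        with open(schema, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        path = recreate_system_key(schema, tmp)
        with open(path, encoding="utf-8") as fh:
            return fh.read(), os.stat(path).st_mode & 0o777
```

On a real node, pass the key directory configured in dse.yaml as `key_dir`, and make sure the account DSE runs as can read the resulting file.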
When released, OPSC-12914 will provide support for backing up multiple encryption keys and will correct the bugs so that the extra steps are no longer needed.