Fujitsu Enterprise Postgres enables you to use the five backup and recovery methods described below. Regardless of the method you use, you must back up the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres at the same time.
Note that you must store the database and the keystore on separate data storage media. Storing both on the same data storage medium risks the danger of the encrypted data being deciphered if the medium is stolen.
Note
When recoverying the database, it is necessary to restore the configuration of both Crypto Express Adapter Card and openCryptoki which contains the same key as was set at the time of taking backup so that the recovered database can cooperate with hardware security module.
Backup and recovery using WebAdmin
Backup
WebAdmin backs up encrypted data.
Back up the key store and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres after backing up the database.
Recovery
Restore the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres to their state at the time of database backup. Refer to "5.7.5 Backing Up and Recovering the Keystore" for details.
Enable automatic opening of the keystore in accordance with the procedure described in "5.7.4 Enabling Automatic Opening of the Keystore". Then, use WebAdmin to recover the database.
Backup and recovery using the pgx_dmpall and pgx_rcvall commands
Backup
The pgx_dmpall command backs up the encrypted data.
Back up the key store and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres after backing up the database.
Recovery
Restore the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres to their state at the time of the database backup.
Configure automatic opening of the key store as necessary.
If automatic opening of the keystore is not enabled, execute the pgx_rcvall command with the --user-pin option specified. This will display the prompt for the user pin to be entered.
Example
Back up the database and the keystore on May 1, 2020.
> pgx_dmpall -D /database/inst1 > cp -p /key/store/location/keystore.ks /keybackup/keystore_20200501.ks > tar -cf token_directory_fep_20200501.tar /var/lib/opencryptoki/fep
Specify the following in the pgx_dmpall command:
Specify the data storage destination in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
Recover the database and the keystore from the backup taken on May 1, 2020.
> cp -p /keybackup/keystore_20200501.ks /key/store/location/keystore.ks > pgx_rcvall -B /backup/inst1 -D /database/inst1 --user-pin
Specify the following in the pgx_rcvall command:
Specify the data storage destination in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
Specify the backup data storage directory in the -B option.
The --user-pin option prompts you to enter the user pin to open the keystore.
Dump and restore using SQL
Backup
The files output by the pg_dump and pg_dumpall commands are not encrypted. You should, therefore, encrypt the files using OpenSSL commands or other means before saving them, as described in "5.9 Importing and Exporting the Database" below.
Back up the key store and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres after backing up the database.
Restore
If the backup data has been encrypted using, for example Open SSL commands, decrypt that data.
The data generated by the pg_dumpall command includes a specification to encrypt tablespaces by default. For this reason, the psql command encrypts tablespaces during restoration.
File system level backup and restore
Backup
Stop the instance and backup the data directory and the tablespace directory using the file copy command of the operating system. The files of encrypted tablespaces are backed up in the encrypted state.
Back up the key store and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres after performing the backup.
Restore
Restore the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres to their state at the time of the database backup.
Stop the instance and restore the data directory and the tablespace directory using the file copy command of the operating system.
Continuous archiving and point-in-time recovery
Backup
The pg_basebackup command backs up the encrypted data as is.
Back up the key store and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres after performing the backup.
Recovery
Restore the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres to their state at the time of the database backup.
Configure automatic opening of the key store as necessary.
If automatic opening of the keystore is not enabled, execute the pg_ctl command to start the instance with the --user-pin option specified. This will display the prompt for the user pin to be entered.
See
Refer to "pg_ctl" under "Reference" in the PostgreSQL Documentation for information on the pg_ctl command.
Refer to "Reference" in the PostgreSQL Documentation for information on the following commands:
psql
pg_dump
pg_basebackup
Refer to the Reference for information on the following commands:
pgx_rcvall
pgx_dmpall
pg_dumpall
