Overview: Backing up and restoring VSatellites
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
Overview: Backing up and restoring VSatellites
VSatellites are designed to be lightweight and disposable (stateless), allowing you to add, remove, and reconnect them as needed.
Recovery behavior depends on how the tenant-level Data Encryption Key (DEK) is protected.
Warning: To recover successfully from a catastrophic event, backing up your DEK is not enough. You must also ensure at least one VSatellite remains in your Next-Gen Trust Security account.
Best practices for VSatellite recovery
Carefully review and follow these best practices to ensure the proper functioning of your VSatellites:
- Back up your DEK immediately after installing your first VSatellite.
- Regularly verify that at least one VSatellite remains in your account.
- Store your DEK backup in a secure, access-controlled location.
- Never delete all VSatellite from your account—even with a DEK backup, recovery is impossible if none remain.
- Periodically review your backup and recovery procedures with your team.
How DEK protection mode affects recovery
Software-based DEK
- The DEK can be exported and backed up.
- Disaster recovery is supported using a backed-up DEK file.
- The Recovery wizard and vsatctl recover are supported.
HSM-protected DEK
- The DEK is generated and stored in an HSM and cannot be exported.
- Disaster recovery using a DEK backup is not supported.
- The Recovery wizard and vsatctl recover are not supported.
- Recovery depends on restoring access to the HSM and ensuring the DEK remains present in the configured partition.