Backing Up Your Data Encryption Key (DEK)
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure Akamai Connection
- Configure AWS Connection
- Configure Azure Key Vault Connection
-
- Workload Identity Federation Authentication
- Workload Identity Federation - Azure Identity Provider Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Workload Identity Federation Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Supported OIDC Claims
-
-
-
- Working with the Built-in CA
- Add AWS Public CA
- Add AWS Private CA
- Add DigiCert One Certificate Authority
- Add Entrust
- Add GlobalSign Atlas
- Add GlobalSign MSSL
- Add GoDaddy
- Add Google Cloud Private CA
- Add a HID PKIaaS CA
- Add Certificate Manager - Self-Hosted
- Set Up an OpenSSL Certificate Authority Connector
- Create a Sectigo Certificate Manager Certificate Authority
- Add Zero Touch PKI
- Set Up Certificate Expiration Notifications
- Using a Custom DNS Provider
-
-
-
-
- Create an F5 BIG-IP LTM Machine
- Create a Microsoft Azure Private Key Vault Machine
- Create a Microsoft Azure Application Registration Machine
- Create a Microsoft IIS Machine
- Create a Microsoft Windows (PowerShell) Machine
- Create a Microsoft SQL Server Machine
- Create a Common KeyStore Machine
- Create a Citrix ADC Machine
- Create an Imperva WAF Machine
- Create a VMware NSX Advanced Load Balancer (AVI) Machine
- Create an A10 Thunder ADC Machine
- Create a Cloudflare Machine
- Create Kemp Virtual LoadMaster Machine
- Create a Palo Alto Panorama Machine
- Create a Radware Alteon Machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
- Provision Certificates to Radware Alteon
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing Certificate Lifecycle Settings
- Reissuing Certificates in Next-Gen Trust Security
- Downloading Certificates, Certificate Chains, and Keystores
- Retiring, Recovering, and Deleting Certificates
- Finding Certificates in the Certificate Inventory
- Importing Certificates from a CA Using EJBCA
- Domain-Based Validation for External Emails
-
- Create a Workload Identity Management or Discovery Agent Built-in Account
- Create an OCI Registry Built-in Account
- Create a Certificate Manager - Self-Hosted Built-in Account
- Create a Scanafi Built-in Account
- Toggling a Built-in Account on or Off
- Editing Built-in Accounts
- Deleting Existing Built-in Accounts
- Renew Existing Built-in Accounts
- Troubleshooting
Backing Up Your Data Encryption Key (DEK)
The DEK should be backed up immediately after you deploy your first VSatellite.
As long as at least one of your VSatellites is functioning, you don't need to restore the DEK from a backup copy because it's distributed to other VSatellites automatically. However, backing up the DEK can help with recovery only if at least one VSatellite entry still exists in your Next-Gen Trust Security account. If all VSatellites are deleted, recovery is impossible—even with a DEK backup.
Important (Software-based DEK only):Backing up the DEK using vsatctl export is supported only when VSatellites use software-based DEK protection.
If your tenant is configured for HSM-protected DEK, exporting the DEK is not supported.
Prerequisites
Before backing up your DEK, review the following:
- Have access to your Venafi API key.
Where do I find my API key?In Next-Gen Trust Security, click your user avatar, then click Preferences.
- Have permission to run the vsatctl export command with root privileges.
Why do I have to run this command with root privileges?The vsatctl export command connects to the VSatellite cluster, requiring access to credentials stored in /etc/rancher/k3s/k3s.yaml.This file is only accessible to the root user.
If you are already logged in as the root user, you can omit the sudo command.
To Back up Your DEK
- Open a command prompt and connect to the server where a working VSatellite is running.
- Run the following command. Be sure to replace api-key, secret_passphrase, and path/to/dek/file.pem with your own specific data:sudo ./vsatctl export --api-key <api-key> --passphrase <secret_passphrase> --file path/to/dek/file.pem
- <api-key>: Your specific API key.
- <secret_passphrase>: Your specific secret passphrase.
- <path/to/dek/file.pem>: The file path where you want to save the DEK.
After running the command, store the DEK in a secure location.
What's Next
Backing up your DEK is critical, but recovery is only possible if at least one VSatellite remains in your Next-Gen Trust Security account.