17. Backup and Restore

In any case there are two things that need to be backed up:

  1. Token database
  2. Encryption key

Of course, it might make sense to back up other configuration files as well, if you made any changes to them. These might be:

  1. /etc/linotp2/linotp.ini
  2. /etc/apache2/sites-available/linotp2
  3. /etc/freeradius/clients.conf
  4. /etc/freeradius/*

But usually the above files will have only minor changes, which are easy to remember. The linotp package comes with a backup and restore script. To back up your data, run:

linotp-backup

The script adds a time stamp to the backup files, so that you can keep more than one backup. It also asks you for a passphrase to protect the encryption key, so that the encryption key can be stored outside of the LinOTP server. To restore your data, run:

linotp-restore <SQL-dump> <encKey-File>

17.1. Disaster Recovery

In case of a disaster recovery, when you need to set up a completely new LinOTP server, you need at least the backup of the encryption key and the database file.

  1. Install the LinOTP server

  2. Set up the LinOTP server accordingly.

  3. Copy the encryption key and the database backup to the server.

  4. Run the command:

    linotp-restore <sql-file> <encKeyFile>

  5. Your backup data might be a bit older, i.e. the HMAC counter of the tokens might be out of sync with the data in the database. So ask your users to go to the self service portal and resynchronize their tokens.

  6. If you made any other changes to the FreeRADIUS server like the shared secrets in the clients.conf or to the Apache server, you need to modify those files accordingly.
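
Why step 5 is needed, as an added example (not LinOTP code): a generic RFC 4226 HOTP check showing a token whose counter has moved past the value stored in a restored database, and a resynchronization that takes two consecutive OTP values. The function names, both window sizes and the counter values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(key, stored_counter, otp, window=10):
    """Normal login: accept only within a small look-ahead window (assumed 10).
    Returns the counter to store next, or None if nothing matched."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(key, c), otp):
            return c + 1
    return None

def resync(key, stored_counter, otp1, otp2, window=1000):
    """Resynchronization: search a much larger window (assumed 1000), but
    require two consecutive OTPs so a single guessed value is not enough."""
    for c in range(stored_counter, stored_counter + window):
        if (hmac.compare_digest(hotp(key, c), otp1)
                and hmac.compare_digest(hotp(key, c + 1), otp2)):
            return c + 2
    return None

# Constructed scenario: the backup is older than the token's current state.
KEY = b"12345678901234567890"   # RFC 4226 test secret, not a real token seed
BACKUP_COUNTER = 5              # counter stored in the restored database
TOKEN_COUNTER = 60              # counter the hardware token has reached

def demo():
    otp1 = hotp(KEY, TOKEN_COUNTER)
    otp2 = hotp(KEY, TOKEN_COUNTER + 1)
    login = verify(KEY, BACKUP_COUNTER, otp1)          # outside the window
    synced = resync(KEY, BACKUP_COUNTER, otp1, otp2)   # counter moves to 62
    return login, synced

if __name__ == "__main__":
    login, synced = demo()
    print("login against restored counter:", "ok" if login else "rejected")
    print("stored counter after resync:", synced)
```

Until a token is resynchronized, the restored counter is also behind OTP values the token had already used on the old server, which is a further reason to have users resynchronize soon after the restore.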