19. Backup and Restore

If you are using the LinOTP Virtual Appliance then please consider using the full featured built-in backup and recovery feature as described in Backup and restore.

19.1. Backup database and encryption key

If you do backup LinOTP manually you have in any case two things you need to save:

  1. Token database

  2. Encryption key of the database

For your convenience the LinOTP package comes with a backup script (it saves the token database and the encryption key). To backup your data run:

linotp-backup

The script will add a time stamp to the names of the backup files, so you are able to have more than one backup of LinOTP in the same directory. It will also ask for a passphrase for protecting the encryption key to ensure security in case the encryption key is stored outside of the LinOTP server.

To restore your data at any point run:

linotp-restore <SQL-file> <encKeyFile>

Be aware: Depending on the type of tokens used, they can run out of sync after restoring the database. Please see Point 5 in Disaster Recovery below for a solution.

19.2. Backup additional resources

Of course it might make sense to backup other configuration files, if you made any changes to them. These might be:

  1. /etc/linotp2/linotp.ini

  2. /etc/apache2/sites-available/linotp2

  3. /etc/freeradius/clients.conf

  4. /etc/freeradius/*

Usually the files above will have only minor changes, which are easy to remember (but anyway: better backup them as well…).

An example backup command for these resources:

The script will add a time stamp into the backup files, so that you will be able to have more than one backup. It will also ask you for a passphrase to protect the encryption key, so that the encryption key can be stored outside of the LinOTP server. To restore your data run:

tar -czf /root/linotp_additional_resources_$(date +%F).tar.gz \
/etc/linotp2/linotp.ini /etc/apache2/sites-available/linotp2 \
/etc/freeradius/

19.3. Disaster Recovery

In case of a disaster recovery, when you need to setup a complete new LinOTP server you need at least the backup of the encryption key and the database file.

The recovery procedure could look like this:

  1. Install the LinOTP server.

  2. Setup the LinOTP server accordingly.

  3. Copy the encryption key and the the database backup to the server.

  4. Run the command:

linotp-restore <SQL-file> <encKeyFile>
  1. Your backup data might be a bit older. i.e. the HMAC counter of the tokens might be out of sync with the data in the database. So ask your users to go to the Selfservice Portal and resynchronize their tokens.

  2. If you made any other changes to the FreeRADIUS server like the shared secrets in the clients.conf or to the Apache web server, you need to modify those files accordingly and reload the affected services. If you saved the additional data as described above the restore command could be something like:

tar -C / -xzf /root/linotp_additional_resources_2015-03-23.tar.gz