CzechIdM database backups

Backup jobs and scripts are already prepared, you only need to activate them. This is done using systemd units.

Backups are created in the /data/volumes/czechidm-db/backup/ directory in a form of a gzipped SQL script. You can, optionally, encrypt the backup. Status of the scheduled task can be found using these commands:

To activate scheduled backup tasks, run a timer and activate its automatic start after the operating system starts. Deactivate scheduled backup tasks in the same way, using stop or disable instead.

Backups can be created ad-hoc by running the service iam-czechidm-db-backup.service manually. The service will process backup retention, and then it will create a new backup.

Recovery from a database dump can only be done if CzechIdM (the service iam-czechidm) is not running. The entire recovery can take up to several tens of minutes depending on the size of the database.

This functionality is available since iam-app-czechidm-db version 0.4-0 and only with the container image bcv-postgres:12-r2. The image version can be found in the service configuration (file /data/registry/node-active-config/docker-compose-czechidm-db.yml).

During the update installation, a new encryption key for backups is generated. This key is unique and can be used immediately. However, if you want to change it, you can do so by running the following command.

Backup encryption needs to be activated at the container level.

You can tell that a backup is encrypted by its file suffix. Unencrypted backups have the suffix .sql.gz, encrypted ones have suffix sql.gz.e. In order to recover data from an encrypted backup, you have to first decipher it after which you will have a regular unencrypted backup. This backup can be recovered using the process for recovering from unencrypted backups.

Encryption is done internally by the openssl program with parameters -aes-256-cbc, -salt, -pbkdf2. Any version of OpenSSL supporting these parameters can be used to decipher the backup.