Backing up a from source Passbolt installation
Prerequisites
Making regular backups is a critical aspect of managing a passbolt instance. Because passbolt stores important information, it is equally important to have a backup strategy in place.
As a passbolt administrator it is your responsibility to define how often and when to perform backups. Please automate and customize this process to match the needs and policies of your organization.
Here are some best practices to keep in mind:
- Ensure that the backups are taken at intervals that match your usage
- Take these backups off-site, or to another environment than the live one
- Make sure the backup is encrypted and stored in a safe location
- Practice drills and test the backups to make sure they work
What to backup?
If you are a PRO user, ensure you have a backup of your subscription key.
There are also several elements you need to backup:
1. The database
We made a dedicated command in order to make a backup of the database, it uses mysqldump but we recommend to use the passbolt command as it has been made to avoid any pasting or logins details errors.
Replace WEB_SERVER_USER with the correct one. Depending on your OS, it could be nginx, www-data, etc.
sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt mysql_export" WEB_SERVER_USER
2. The server public and private keys
The GPG server keys are stored under /etc/passbolt/gpg/ folder:
- private key is serverkey_private.asc
- public key is serverkey.asc
Another method is to export it using GnuPG. You can use the email attached to your keys to identify them or use the fingerprint. In order to find the fingerprint if you do not know the email attached to your keys:
sudo -H -u www-data /bin/bash -c "gpg --list-keys"
If you know the email attached to your keys you can use it to export your keys as follows:
sudo -H -u www-data /bin/bash -c "gpg --export-secret-keys <identifier> > /var/www/passbolt/config/gpg/private.asc" www-data
sudo -H -u www-data /bin/bash -c "gpg --export <identifier> > /var/www/passbolt/config/gpg/public.asc" www-data
Where can be the key fingerprint or the email associated with the key you want to export.
Be sure to remove the expiration time before importing the keys at backup restore. While restoring the backup, the imported keys cannot have an expiry date.
3. The application configuration
Passbolt configuration file is located in config/passbolt.php.
4. The avatars
User's avatars are no longer stored on disk but on the avatars table of passbolt database.
Back up webroot/img/public to avoid losing the profile images.
sudo tar cvfzp passbolt-avatars.tar.gz -C /var/www/passbolt/ webroot/img/avatar
Backup list
At the end of the backup process you should have:
- a dump of your database
- the server public and private GPG keys
- a copy of your config/passbolt.php configuration file
- a copy of your avatar folder (only if Passbolt version < 3.2)
Migrate the back-up to the new server
We will still consider that the backup files are in your user home directory ~/backup
On the original server
Use a tool such as tar to compress the backup directory
tar -cvzf /home/backup.tar.gz /home/backup
You should copy the compressed backup file to the new server. Use a tool such as scp to do it
scp /home/backup.tar.gz
new_server_username@server_ip:/home
On the new server
The compressed backup file should appears inside your home directory, we will extract using a tool such as tar
tar -xzvf /home/backup.tar.gz -C /home/backup
The uncompressed backup file are now available inside your home directory.
What about the secret keys of my collaborators?
Every user private key should also be backed up, this is however not something we/you can automate easily for now (passbolt might provide a functionality for this in the future). We believe it is best if this is the responsibility of the end user. There is a dedicated step during the extension setup to that purpose.
As an administrator you should stress the importance of backing up secret keys to other users. For example this warning could be part of the initial information message sent to introduce passbolt to new users.
It is possible that having users back up their own keys may not be realistic or desirable in your case. In this case you can opt in for an alternative strategy such as setting up the account with/for them and taking a backup of the secret keys then. In the worst case scenario you could automate the process by installing a script on your users machine that would make that backup for you.