Safeguard 11 - Data Recovery
11.1 - Establish and Maintain a Data Recovery process
A data recovery process should address what data needs to be backed up, where it should be backed up to, and how often it should be backed up based upon business needs. The process should be sufficient to restore university data that has been lost, accidentally deleted, corrupted, or otherwise made inaccessible. It must also adhere to all university record retention requirements, wherever applicable. Refer to Safeguard 3.4 for more information.
- Virginia Tech has a contract with CrashPlan for Data Recovery and recommends the use of this service.
- Virginia Tech has services through OneDrive which can be utilized for backups and recovery.
- Data can also be backed up yourself using restic.
In some cases databases require additional tools to export data in a format suitable for backing up. Below is a non-exhaustive list of some applications. If you need help with an application you wish to back up that is not covered here, please contact the Virginia Tech IT Security Office at email@example.com.
- PostgreSQL -
pg_dumpallto create a backup,
- MySQL -
mysqldumpto create a backup,
- SQLite -
sqlite3to create and restore backup files, see the
- Mongodb -
mongodumpto create a backup,
11.2 - Perform Automated Backups
Make sure backups are done weekly. Below are the instructions on how to use Restic with Linux. However, backing up and restoring files on a Windows or macOS client is almost identical to the procedures on Linux, with the main difference being the installation.
Initialize a Repository
After installation, you’ll need to prepare a repository, which is the location your backups will be saved to. Below are a few common repository locations; consult the restic documentation if you require a different location or further information.
To create a repository at the location
/srv/backup, run the following command.
$ restic init --repo /srv/backup
You will be prompted to enter a password for the repository, so create a password that is unique and secure. Restic will prompt you to re-enter the password to confirm.
$ restic init --repo /srv/backup
enter password for new repository:
enter password again:
created restic repository 4ff40f86d1 at /srv/backup
Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
Keep your password safe. If you lose your repository password, you lose access to your repository and the data in it.
To back up data via SFTP, you’ll need a server with SSH and set up SSH key authentication. This is done by copying your public key to the remote server.
username with your username on the remote server and
remote-server with the server address.
$ ssh-copy-id username@remote-server
Then, to create a repository at the location
/srv/backup on the remote server, run the following command.
$ restic init --repo sftp:username@remote-server:/srv/backup
To back up data to an Amazon S3 bucket, first create the bucket on AWS and set up the following environment variables with the credentials obtained.
$ export AWS_ACCESS_KEY_ID=<MY_ACCESS_KEY>
$ export AWS_SECRET_ACCESS_KEY=<MY_SECRET_ACCESS_KEY>
Then, to create a repository at the bucket named
backup, run the following command.
$ restic init --repo s3:s3.amazonaws.com/backup
If the bucket does not exist it will be created at the default location.
Back Up Files
To back up files, run the following command and enter the repository password when prompted.
$ restic backup <file_location> --repo <repository>
Backing up the
Documents directory in your home folder to a restic repository called
/srv/backup looks like the following.
$ restic backup ~/Documents --repo /srv/backup
The string of numbers and letters after
snapshot is the snapshot ID to use when restoring a backup.
Restore a Backup
To restore a backup, first display the list of available snapshots.
$ restic --repo <repository> snapshots
Once you’ve identified the snapshot ID to restore, run the following command, specifying the
<target-location> as where the files are restored to.
$ restic --repo <repository> restore <snapshot ID> --target <target-location>
Alternatively, restore the latest backup using the keyword
$ restic --repo <repository> restore latest --target <target-location>
To restore only a subset of files (
/etc in this example), pass the
$ restic --repo <repository> restore latest --target <target-location> --include /etc
Consult the restic documentation for more information.
Restoring the snapshot created in the previous example to the location
tmp/restore-work looks like the following.
$ restic -r /srv/restic-repo restore 09ea62f2 --target /tmp/restore-work
enter password for repository:
restoring <Snapshot of [/home/user/Documents] at 2015-05-08 21:40:19.884408621 +0200 CEST> to /tmp/restore-work
11.3 - Protect Recovery Data
Ensure you have a password and/or other protections in place for your backed up data. If you are using restic, consider encryption.
11.4 - Establish and Maintain an Isolated Instance of Recovery Data
DO NOT store your backed up data to the same device/application as the original data.
11.5 - Test Data Recovery
Test backed up data quarterly. If you are using restic see Integrity and Consistency in the documentation.
If you have questions that are not covered in these procedures, please contact the VT IT Security Office firstname.lastname@example.org for a consultation.