Yes, backup of the keys in an HSM must be done by the HSM and its
tools. It's the purpose of HSMs not to make private keys available to
applications.
Regards,
David
On 2021-08-12 01:27, Luveh Keraph wrote:
Thanks for your reply. I am trying to address the case in which an HSM
is used. My guess is that, in such a case, the best that one can do
using the Knot framework itself is to back up the KASP (which contains
public keys and zone metadata, but no private keys) while relying on
some external, HSM-dependent mechanism to back up (and restore, as
needed) the matching private keys. Is this a correct assessment of
things?
If I understood you correctly, the backup command that you mention
would work (in 3.1) when using the default cryptographic provider
alone - i.e. not with SoftHSM, or any actual HSM. Right?
On Wed, Aug 11, 2021 at 5:07 PM David Vasek <david.vasek(a)nic.cz>
wrote:
> Hello Luveh,
>
> this will backup the KASP DB and all private keys, unless they are
> stored in a HSM, and nothing else:
>
> knotc zone-backup +backupdir your_backup_directory +kaspdb +nozonefile +nojournal +notimers +nocatalog
>
> The details are described here:
>
> https://www.knot-dns.cz/docs/3.1/html/man_knotc.html
>
> This is new in 3.1, in previous versions, KASP DB and private keys
> couldn't be backed up separately without the other data. Please don't
> forget that the keys are stored in plain in the backup, i.e. in the
> same way as Knot stores them in its repository.
>
> Regards,
> David
>
> On 2021-08-11 21:39, Luveh Keraph wrote:
>> According to the documentation, one can back up the KASP using the
>> mdb_dump command. If I understand things correctly, this will just
>> back up the public component of key pairs, plus some metadata for the
>> zones the public keys are associated with.
>>
>> Are there any provisions in Knot concerning the backing up of the
>> private components of key pairs, or is this something that must be
>> done separately and within the context of whatever cryptographic
>> provider is used?
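The backup command quoted in this thread, wrapped in a small script as an added example (it is not from the thread's authors or from the Knot DNS project). It runs the 3.1 `knotc zone-backup` invocation with the filters David listed and then checks that nothing in the backup directory is readable by group or others, since the keys are stored in plain in the backup. The backup directory path is an assumption passed as the first argument, `knotc` is assumed to be on PATH (the backup step is skipped if it is not), and the permission check reads the group/other columns of `ls -ld` so that it does not depend on GNU-specific `find -perm` syntax.

```shell
#!/bin/sh
# Added example, not Knot DNS project code. Backs up the KASP DB and
# private keys (unless they live in an HSM) with the knotc filters quoted
# in the thread, then verifies the backup directory is owner-only.

# List every entry under $1 whose group/other permission columns are not
# all '-'; an empty listing means only the owner can access the files.
check_backup_perms() {
    find "$1" -print | while IFS= read -r f; do
        # columns 5-10 of `ls -ld` are the group and other rwx triplets
        case $(ls -ld "$f" | cut -c5-10) in
            ------) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 when check_backup_perms reports nothing, 1 otherwise.
backup_is_private() {
    [ -z "$(check_backup_perms "$1")" ]
}

# Take the backup into $1 and check it afterwards. The files are written by
# the running knotd server, not by this shell, so this shell's umask does
# not govern their modes; that is why the check runs after the backup.
run_backup() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    if command -v knotc >/dev/null 2>&1; then
        # command line from the thread: KASP DB + private keys, nothing else
        knotc zone-backup +backupdir "$dir" +kaspdb +nozonefile +nojournal +notimers +nocatalog
    else
        echo "knotc not found; skipping the actual backup" >&2
    fi
    if backup_is_private "$dir"; then
        echo "backup in $dir is readable by the owner only" >&2
    else
        echo "WARNING: these backup entries are accessible beyond the owner:" >&2
        check_backup_perms "$dir" >&2
        return 1
    fi
}

# Usage: sh backup_kasp.sh /path/to/backup/dir  (only runs when a path is given)
[ $# -gt 0 ] && run_backup "$1"
```

The check is deliberately separate from the backup step so it can be run on its own against an existing backup directory, or as a step in whatever job later copies the backup off-host.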