Configuration

Backups can be downloaded manually in the WebAdmin menu System / Backup or uploaded automatically to a remote backup server on a daily basis.

  • Backups can only be restored on a system with the same major version, excluding the patchlevel version.
    For example: if the system is on version 21.0.21004 (p21280), any backup created with version 21.0.21004 can be imported, no matter the patchlevel version.
  • Backups created during or before a hardware failure could be inconsistent and should therefore not be used.

Creating regular backups is part of operating the IACBOX securely.

Content of a backup

The following data is saved in the backup file:

  • All settings made in WebAdmin
  • Tickets
  • Ticket-Templates
  • Login pages and themes incl. custom extensions and custom translations
  • License information

Creating a Backup

A backup can be created in the WebAdmin menu System / Backup. Click on download to create and save a backup file to the local computer. The filename contains the registration number, version, date and time of creation.

For example: YOUR_SYSTEM_2022012509_20220812155027_V21.0.21004.bkp

Encrypted Backups

Automated backups can be encrypted so that they can be stored safely on untrusted storage.
Encrypting backups also ensures GDPR conformity as they contain PII (Personally Identifiable Information).

Choose one of these modes:

Mode | File extension | Description
No encryption | xxxx.bkp | Unencrypted backup. Everyone with access to this file can extract it.
Encrypt with License | xxxx.bkp.li.enc | The final encryption key is derived from license data with a secure KDF (key derivation function). This removes the burden of storing the key externally, and our support will always be able to help.
Encrypt with custom key | xxxx.bkp.ck.enc | If 100% control over the key is required, a custom key can be set. Note that it is your responsibility to store this key externally. If this key is lost, the backup can no longer be restored.
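
An added example, not part of the vendor documentation: a Python audit of a remote backup file listing that flags unencrypted files, names it cannot parse, backups from a different version, and a missing recent backup. The file name layout is inferred from the single example name on this page; the 30-hour freshness window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# File extension -> encryption mode, taken from the mode table above.
MODES = {".bkp": "none", ".bkp.li.enc": "license", ".bkp.ck.enc": "custom-key"}

# Assumed layout, inferred from the one example file name on this page:
#   <prefix>_<YYYYMMDDhhmmss>_V<version><extension>
NAME_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<created>\d{14})_V(?P<version>\d+(?:\.\d+)+)"
    r"(?P<ext>\.bkp(?:\.(?:li|ck)\.enc)?)$"
)

# Constructed sample listing (not real data).
SAMPLE_LISTING = [
    "YOUR_SYSTEM_2022012509_20220812155027_V21.0.21004.bkp",
    "YOUR_SYSTEM_2022012509_20220813020000_V21.0.21004.bkp.li.enc",
    "YOUR_SYSTEM_2022012509_20220814020000_V21.0.21004.bkp.ck.enc",
    "notes.txt",
]

def parse_backup_name(name):
    """Return the parsed fields of a backup file name, or None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m["created"], "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a valid timestamp
        return None
    return {"prefix": m["prefix"], "created": created,
            "version": m["version"], "mode": MODES[m["ext"]]}

def audit_listing(names, now, system_version, max_age=timedelta(hours=30)):
    """Return (file name, finding) pairs; max_age is an assumed freshness window."""
    findings, newest = [], None
    for name in names:
        info = parse_backup_name(name)
        if info is None:
            findings.append((name, "unrecognised file name"))
            continue
        if info["mode"] == "none":
            findings.append((name, "unencrypted backup"))
        # Assumption: the version in the name must equal the system version
        # (patchlevel is not part of the name), as in the page's 21.0.21004 example.
        if info["version"] != system_version:
            findings.append((name, "version does not match system"))
        newest = info["created"] if newest is None else max(newest, info["created"])
    if newest is None or now - newest > max_age:
        findings.append(("<listing>", "no recent daily backup"))
    return findings
```

Calling `audit_listing(SAMPLE_LISTING, datetime(2022, 8, 14, 12), "21.0.21004")` reports the plain `.bkp` file and `notes.txt`; feed it the file listing from the remote backup target to run the same check on real data.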

Cryptographic properties

A modern and highly secure AEAD cipher (XChaCha20/Poly1305) with a 256-bit key is used. It offers roughly the same level of security as an AES-256-GCM cipher but does not depend on CPU support to be fast. This cipher is nowadays also the default for SSH connections and one of the 5 cipher suites of TLS 1.3.

Restore a Backup

To restore a backup, open the WebAdmin menu and navigate to System / Backup. Click Restore and browse for the backup file on the local computer, then hit start.

  • Please note that the major version of the backup and the target system must match.
  • Perform system updates right afterwards, otherwise data can be inconsistent.

Restore on different hardware / new VM

Beginning with v24, the dependency on the system's MAC address was removed. No further unlocking is needed.

Restore encrypted Backups

To restore an encrypted backup, choose the encryption mode that was used.

  • Encrypted with license: Enter registration number and key
  • Encrypted with custom key: Enter the custom secret key

If an encrypted backup needs to be restored on a clean v21.0 installation, the IACBOX must first be licensed and updated before the encrypted backup can be restored.

Partial Backup Restore

Instead of restoring a complete backup it is possible to restore only parts of a backup.
3 new checkboxes have been added:

  • Keep Network Settings
  • Keep License
  • Restore Config only

One or more of these options can be chosen to fine-tune the backup restoration process.

Keep Network Settings and Keep License restore a backup while keeping the current network settings and/or license data, respectively. Restore Config only restores all of the configuration contained within the backup but none of the emergent data. This effectively gets rid of all previously created Tickets as well as data related to them (Application Control Statistics, Device Logs).

Automatic remote backup

The automated, daily backup can be set up on the Remote Backup tab. Choose the backend type and enter all necessary credentials and settings for the desired backup service. Immediately after saving, a connection is established and the system reports back whether it worked. A click on Start Remote Backup manually triggers a remote backup to verify that everything works. After the backup has been sent, the file listing should show the backup.

  • If a weekly restart is configured in System / Services, the restart is delayed until the automatic backup has finished on that day.
  • It’s suggested to set the automatic backup to a time at which there is low user activity on the system.

Optional backup content

These parts are optional because they only contain historic data which is not needed to restore a system, and these logs can get quite big. If encryption is enabled, these files are encrypted too.

  • Connection tracking: All TCP and UDP connections with time, source and destination IP + port, and volume
  • Application Control logs: Historic data of applications used (max 14 days). This option is only visible when the Application Control module is licensed and active.

Supported protocols

Protocol | Security | Description
FTP | Insecure | Plain unencrypted FTP. Use this protocol only in the local network or over tunnels.
FTPS | TLS | FTP over TLS. Secured FTP with the disadvantage of having to manage a TLS certificate for the FTPS server. Self-signed certificates are possible with certificate validation disabled, which gives an encrypted but untrusted connection because the server's identity is not verified.
SFTP | SSH | SSH-based file transfer protocol (not to be confused with the FTP* protocols) that provides a secure and simple backup transport. A server with OpenSSH installed supports this out of the box.
S3 | HTTPS | S3 (Simple Storage Service), invented by Amazon/AWS, is now a well-supported storage protocol. It is also supported by many other cloud providers and works with a local NAS or self-hosted S3 apps like MinIO. S3 can be treated like any other HTTPS traffic and is based on established TLS security with X.509 certificates.