Collection of operational skills for VaultMesh infrastructure including:

- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2.9 KiB
# Recovery Notes

## Overview

This document describes recovery procedures for backup-sovereign backups.

## Prerequisites

- `age` installed (for decryption)
- Access to `AGE_IDENTITY_FILE` (private key)
- Sufficient disk space for extraction
## Standard Recovery

### 1. Locate Backup

Find your encrypted backup:

```bash
ls ~/.claude/skills/backup-sovereign/outputs/runs/
```

### 2. Decrypt Archive

```bash
# Set identity file
export AGE_IDENTITY_FILE="$HOME/.config/age/identity.txt"

# Decrypt
age -d -i "$AGE_IDENTITY_FILE" \
  -o archive.tar.gz \
  archive.tar.gz.age
```

### 3. Extract

```bash
# Extract to current directory
tar -xzf archive.tar.gz

# Or extract to specific location
tar -xzf archive.tar.gz -C /path/to/restore/
```

### 4. Verify Integrity

Compare the BLAKE3 hash of the decrypted archive with the value recorded in the manifest:

```bash
# Compute hash of archive
b3sum archive.tar.gz

# Compare with value in manifest.json
grep blake3 manifest.json
```
## Disaster Recovery

If you've lost access to your primary system:

- Obtain encrypted backup from off-site storage
- Obtain identity file from secure backup location
- Follow standard recovery steps above
## Verify ROOT

To verify the backup hasn't been tampered with, recompute ROOT from the manifest and the encrypted archive and compare it with `ROOT.txt`:

```bash
# Compute manifest hash
MANIFEST_B3=$(b3sum manifest.json | awk '{print $1}')

# Compute encrypted archive hash
ENC_B3=$(b3sum archive.tar.gz.age | awk '{print $1}')

# Compute ROOT
echo -n "${MANIFEST_B3}${ENC_B3}" | b3sum

# Compare with ROOT.txt
cat ROOT.txt
```
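The same ROOT check, plus the step-4 manifest-vs-archive check, as a single offline tool that reports every mismatch instead of leaving the operator to eyeball two hex strings. This is an added example, not code from the backup-sovereign skill. It assumes the bundle layout implied above: `manifest.json` carries a top-level `"blake3"` key with the hex hash of `archive.tar.gz`, and `ROOT.txt` holds the hex BLAKE3 of `hex(b3(manifest.json)) + hex(b3(archive.tar.gz.age))`, either bare or in `b3sum`'s `<hex>  -` form. The key name and `ROOT.txt` format are assumptions; the digest function is pluggable so the logic can be exercised without the third-party `blake3` package, but real bundles must be checked with BLAKE3.

```python
"""Offline integrity check for a backup-sovereign bundle (added example).

Assumptions (not confirmed by the recovery notes): manifest.json has a top-level
"blake3" key holding the hex BLAKE3 of archive.tar.gz; ROOT.txt holds the hex
BLAKE3 of hex(b3(manifest.json)) + hex(b3(archive.tar.gz.age)).
"""
import hmac
import json
from pathlib import Path
from typing import Callable

Digest = Callable[[bytes], str]


def blake3_hex(data: bytes) -> str:
    """Hex BLAKE3 digest; needs the third-party `blake3` package (pip install blake3)."""
    import blake3  # imported lazily so the checker logic can be tested without it
    return blake3.blake3(data).hexdigest()


def compute_root(manifest_bytes: bytes, enc_bytes: bytes, digest: Digest = blake3_hex) -> str:
    """ROOT = digest(hex(digest(manifest)) || hex(digest(encrypted archive))).

    Mirrors the shell:  echo -n "${MANIFEST_B3}${ENC_B3}" | b3sum
    """
    manifest_b3 = digest(manifest_bytes)
    enc_b3 = digest(enc_bytes)
    return digest((manifest_b3 + enc_b3).encode("ascii"))


def parse_root_txt(text: str) -> str:
    """ROOT.txt may be a bare hex string or b3sum's "<hex>  -" line; keep the hex."""
    return text.strip().split()[0].lower()


def verify_bundle(bundle_dir: Path, digest: Digest = blake3_hex) -> list[str]:
    """Return the problems found; an empty list means the bundle checks out.

    1. ROOT.txt must match the manifest + encrypted-archive hash chain.
    2. If archive.tar.gz has already been decrypted, its hash must match
       the "blake3" value recorded in manifest.json.
    """
    problems = []
    manifest_bytes = (bundle_dir / "manifest.json").read_bytes()
    enc_bytes = (bundle_dir / "archive.tar.gz.age").read_bytes()

    expected_root = parse_root_txt((bundle_dir / "ROOT.txt").read_text())
    actual_root = compute_root(manifest_bytes, enc_bytes, digest)
    # compare_digest: constant-time comparison of the two hex strings
    if not hmac.compare_digest(expected_root, actual_root):
        problems.append(f"ROOT mismatch: ROOT.txt={expected_root} computed={actual_root}")

    archive = bundle_dir / "archive.tar.gz"
    if archive.exists():
        recorded = str(json.loads(manifest_bytes).get("blake3", "")).lower()
        actual = digest(archive.read_bytes())
        if not hmac.compare_digest(recorded, actual):
            problems.append(f"archive hash mismatch: manifest={recorded} computed={actual}")
    return problems


def write_sample_bundle(bundle_dir: Path, digest: Digest = blake3_hex, tamper: bool = False) -> None:
    """Write a constructed, internally consistent bundle for exercising the checker.

    The archive and ciphertext are placeholder bytes (not a real tarball or age
    output); only the hash relationships matter. tamper=True alters the encrypted
    archive after ROOT.txt is written, like a corrupted or altered off-site copy.
    """
    archive = b"constructed archive payload (not a real tar.gz)\n"
    enc = b"constructed ciphertext (not real age output)\n"
    manifest = json.dumps({"blake3": digest(archive), "files": ["constructed"]}).encode()
    root = compute_root(manifest, enc, digest)

    bundle_dir.mkdir(parents=True, exist_ok=True)
    (bundle_dir / "archive.tar.gz").write_bytes(archive)
    (bundle_dir / "manifest.json").write_bytes(manifest)
    (bundle_dir / "ROOT.txt").write_text(root + "  -\n")  # b3sum-style output line
    if tamper:
        enc = enc[:-1] + b"X"
    (bundle_dir / "archive.tar.gz.age").write_bytes(enc)


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        # Real use: python verify_bundle.py <run directory containing the bundle files>
        issues = verify_bundle(Path(sys.argv[1]))
    else:
        # Demo: a constructed bundle with a tampered encrypted archive (needs `blake3`)
        with tempfile.TemporaryDirectory() as tmp:
            write_sample_bundle(Path(tmp), tamper=True)
            issues = verify_bundle(Path(tmp))
    print("\n".join(issues) if issues else "OK: ROOT and archive hash verified")
    sys.exit(1 if issues else 0)
```

Run it against a run directory before extracting anything; a non-zero exit means either the off-site copy does not match what was recorded at backup time or the wrong `ROOT.txt`/`manifest.json` was paired with the archive. Because ROOT covers the encrypted archive, this check works before the identity file is anywhere near the restore host.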
## Key Management

### age Keys

- Identity file (private key): Keep secure, backed up separately
- Recipients file (public key): Can be shared, used for encryption

### Generate New Keys

If you need new keys:

```bash
# Generate identity
age-keygen -o ~/.config/age/identity.txt

# Extract public key
age-keygen -y ~/.config/age/identity.txt > ~/.config/age/recipients.txt
```

### Key Rotation

- Generate new keypair
- Add new public key to recipients file
- Keep old identity file for decrypting old backups
- New backups will be encrypted to all recipients
## Troubleshooting

### "age: error: no identity matched any of the recipients"

- Wrong identity file
- Backup was encrypted with different key
- Solution: Use correct identity file

### "tar: Error opening archive"

- Corrupted archive
- Incomplete download
- Solution: Verify BLAKE3 hash, re-download if needed

### "b3sum: command not found"

- Install b3sum: `cargo install b3sum` or use package manager
- Alternative: Use `blake3` CLI if available
## Security Considerations

- Never store identity file with encrypted backups
- Use passphrase-protected identity for extra security
- Test restore drill regularly - backups that haven't been tested aren't backups
- Store backups off-site - same location defeats the purpose