vm-skills/backup-sovereign/references/recovery_notes.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00


# Recovery Notes
## Overview
This document describes recovery procedures for backup-sovereign backups.
## Prerequisites
- `age` installed (for decryption)
- Access to AGE_IDENTITY_FILE (private key)
- Sufficient disk space for extraction
## Standard Recovery
### 1. Locate Backup
Find your encrypted backup:
```bash
ls ~/.claude/skills/backup-sovereign/outputs/runs/
```
### 2. Decrypt Archive
```bash
# Set identity file
export AGE_IDENTITY_FILE="$HOME/.config/age/identity.txt"
# Decrypt
age -d -i "$AGE_IDENTITY_FILE" \
    -o archive.tar.gz \
    archive.tar.gz.age
```
### 3. Extract
```bash
# Extract to current directory
tar -xzf archive.tar.gz
# Or extract to specific location
tar -xzf archive.tar.gz -C /path/to/restore/
```
### 4. Verify Integrity
Compare the BLAKE3 hash of the decrypted archive with the value recorded in manifest.json; the two hex digests must be identical:
```bash
# Compute hash of archive
b3sum archive.tar.gz
# Compare with value in manifest.json
grep blake3 manifest.json
```
## Disaster Recovery
If you've lost access to your primary system:
1. **Obtain encrypted backup** from off-site storage
2. **Obtain identity file** from secure backup location
3. Follow standard recovery steps above
## Verify ROOT
To verify that neither the manifest nor the encrypted archive has been altered, recompute ROOT and compare it with ROOT.txt:
```bash
# Compute manifest hash
MANIFEST_B3=$(b3sum manifest.json | awk '{print $1}')
# Compute encrypted archive hash
ENC_B3=$(b3sum archive.tar.gz.age | awk '{print $1}')
# Compute ROOT: BLAKE3 of the two hex digests concatenated, no newline
printf '%s' "${MANIFEST_B3}${ENC_B3}" | b3sum | awk '{print $1}'
# Compare with ROOT.txt
cat ROOT.txt
```
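The ROOT check above and the hash comparison from step 4 of Standard Recovery, as one POSIX shell script. This is an added example, not part of the backup-sovereign skill; it assumes `B3SUM` names a BLAKE3 CLI with b3sum-style output and that ROOT.txt holds the hex ROOT as its first token.

```shell
#!/bin/sh
# Added example, not backup-sovereign's own code. Assumes B3SUM names a
# BLAKE3 CLI with b3sum-style output ("<hex>  <name>") and that ROOT.txt
# holds the hex ROOT as its first whitespace-separated token.
B3SUM="${B3SUM:-b3sum}"

# Lowercase hex BLAKE3 digest of a file.
b3_hex() {
  "$B3SUM" "$1" | awk '{print tolower($1)}'
}

# Lowercase hex BLAKE3 digest of a string, with no trailing newline
# (same input as the echo -n form above).
b3_hex_str() {
  printf '%s' "$1" | "$B3SUM" | awk '{print tolower($1)}'
}

# ROOT = BLAKE3( hex(BLAKE3(manifest)) || hex(BLAKE3(encrypted archive)) )
compute_root() {
  manifest_b3=$(b3_hex "$1") || return 1
  enc_b3=$(b3_hex "$2") || return 1
  [ -n "$manifest_b3" ] && [ -n "$enc_b3" ] || return 1
  b3_hex_str "${manifest_b3}${enc_b3}"
}

# Succeeds only when the recomputed ROOT equals the one recorded in ROOT.txt.
verify_root() {
  expected=$(awk 'NR==1 {print tolower($1)}' "$3") || return 1
  actual=$(compute_root "$1" "$2") || return 1
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Succeeds when a file's digest equals an expected hex value, e.g. the
# decrypted archive.tar.gz against the blake3 field of manifest.json.
verify_file_hash() {
  actual=$(b3_hex "$1") || return 1
  [ -n "$actual" ] && [ "$(printf '%s' "$2" | tr 'A-F' 'a-f')" = "$actual" ]
}

# Stand-alone use: sh verify_backup.sh manifest.json archive.tar.gz.age ROOT.txt
if [ "$#" -eq 3 ]; then
  if verify_root "$1" "$2" "$3"; then
    echo "ROOT OK"
  else
    echo "ROOT MISMATCH: manifest or encrypted archive was altered" >&2
    exit 1
  fi
fi
```

A missing or unreadable input makes every check fail closed rather than comparing against an empty digest.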
## Key Management
### age Keys
- **Identity file** (private key): Keep secure, backed up separately
- **Recipients file** (public key): Can be shared, used for encryption
### Generate New Keys
If you need new keys:
```bash
# Generate identity
age-keygen -o ~/.config/age/identity.txt
# Extract public key
age-keygen -y ~/.config/age/identity.txt > ~/.config/age/recipients.txt
```
### Key Rotation
1. Generate new keypair
2. Add new public key to recipients file
3. Keep old identity file for decrypting old backups
4. New backups will be encrypted to all recipients
## Troubleshooting
### "age: error: no identity matched any of the recipients"
- Wrong identity file
- Backup was encrypted with different key
- Solution: Use correct identity file
### "tar: Error opening archive"
- Corrupted archive
- Incomplete download
- Solution: Verify BLAKE3 hash, re-download if needed
### "b3sum: command not found"
- Install b3sum: `cargo install b3sum` or use package manager
- Alternative: Use `blake3` CLI if available
## Security Considerations
1. **Never store identity file with encrypted backups**
2. **Use passphrase-protected identity** for extra security
3. **Test restore drill regularly** - backups that haven't been tested aren't backups
4. **Store backups off-site** - same location defeats the purpose
## References
- [age encryption](https://age-encryption.org/)
- [BLAKE3 hash](https://github.com/BLAKE3-team/BLAKE3)