Back up secrets
DataRobot encrypts sensitive data at rest and secures backend services with passwords. When backing up a DataRobot cluster, you must also back up the secrets used to secure the DataRobot environment. These secrets must be backed up at the same time as the databases.
If these files and directories aren't backed up and restored as part of the DataRobot cluster, you may lose access to data and analytics stored in the DataRobot environment.
Important
These secrets can't be recovered by DataRobot—it's critical that they're secured as part of your data management policy.
Back up DataRobot platform secrets
Note
You must fulfill the prerequisites before proceeding.
DataRobot platform secrets include authentication and connection data used by various internal platform services. This includes connection details to persistent critical services, such as MongoDB, PostgreSQL, RabbitMQ, and Elasticsearch.
The following command retrieves all secrets with the label app.kubernetes.io/instance=dr and saves the data as JSON files (one file per secret, named after the secret):
mkdir -p "${BACKUP_LOCATION}/secrets/dr"
# Write one JSON file per secret, keeping only the .data field
for secret in $(kubectl -n "$NAMESPACE" get secrets -l app.kubernetes.io/instance=dr -o name); do
    kubectl -n "$NAMESPACE" get "$secret" -o json | jq '{data}' > "${BACKUP_LOCATION}/secrets/dr/${secret#*/}.json"
done
Back up encryption keys
While encryption keys are included in the general secrets backup above, DataRobot recommends creating dedicated backups of these critical keys, which are used to decrypt MongoDB data.
Back up MongoDB encryption keys
mkdir -p "${BACKUP_LOCATION}/secrets"
# Secret values are stored base64-encoded; decode them before writing the key files
kubectl -n "$NAMESPACE" get secret/core-credentials -o jsonpath="{.data.asymmetrickey}" \
    | base64 -d > "${BACKUP_LOCATION}/secrets/ASYMMETRIC_KEY_PAIR_MONGO_ENCRYPTION_KEY.txt"
kubectl -n "$NAMESPACE" get secret/core-credentials -o jsonpath="{.data.drsecurekey}" \
    | base64 -d > "${BACKUP_LOCATION}/secrets/DRSECURE_MONGO_ENCRYPTION_KEY.txt"
Back up persistent critical services secrets
Note
This step is required for installations on 9.x through 10.x.
The following command retrieves all secrets with the label app.kubernetes.io/instance=pcs and saves the data in JSON files:
mkdir -p "${BACKUP_LOCATION}/secrets/pcs"
# Write one JSON file per secret, keeping only the .data field
for secret in $(kubectl -n "$NAMESPACE" get secrets -l app.kubernetes.io/instance=pcs -o name); do
    kubectl -n "$NAMESPACE" get "$secret" -o json | jq '{data}' > "${BACKUP_LOCATION}/secrets/pcs/${secret#*/}.json"
done
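The pipelines above create their output file even when kubectl fails or the requested key is absent, so a failed retrieval leaves a zero-byte file and no error. The following check is an added example, not part of DataRobot's documentation or tooling: the function name verify_secret_backup is hypothetical, and it assumes the directory layout and file names produced by the commands on this page and jq's default pretty-printed output. It also flags backup files that are accessible to anyone other than the owner.

```shell
# Added example (hypothetical helper, not DataRobot tooling).
# Usage: verify_secret_backup "${BACKUP_LOCATION}/secrets"
# Returns 0 if all checks pass, 1 otherwise; findings go to stderr.
verify_secret_backup() {
  dir=$1
  rc=0
  [ -d "$dir" ] || { echo "missing backup directory: $dir" >&2; return 1; }

  # Dedicated MongoDB key files (names taken from the commands on this page).
  for k in ASYMMETRIC_KEY_PAIR_MONGO_ENCRYPTION_KEY.txt DRSECURE_MONGO_ENCRYPTION_KEY.txt; do
    [ -s "$dir/$k" ] || { echo "missing or empty key file: $dir/$k" >&2; rc=1; }
  done

  # At least one platform secret must have been written under dr/.
  ls "$dir"/dr/*.json >/dev/null 2>&1 || { echo "no platform secrets in $dir/dr" >&2; rc=1; }

  # Per-secret JSON files. pcs/ exists only where that step applies.
  for f in "$dir"/dr/*.json "$dir"/pcs/*.json; do
    [ -e "$f" ] || continue                 # glob matched nothing
    if [ ! -s "$f" ]; then
      echo "empty file, retrieval probably failed: $f" >&2; rc=1
    elif ! grep -q '"data": {' "$f"; then   # assumes jq's default output format
      echo "no data object in: $f" >&2; rc=1
    fi
  done

  # Anything group- or world-accessible exposes the keys and credentials.
  loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \))
  if [ -n "$loose" ]; then
    printf 'accessible beyond owner (fix with chmod -R go-rwx):\n%s\n' "$loose" >&2
    rc=1
  fi
  return "$rc"
}
```

Setting `umask 077` in the shell before running the backup commands makes the permission check pass without a later chmod.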