Thanks for your reply. I am trying to address the case in which an HSM is used. My guess is that, in such a case, the best that one can do using the Knot framework itself is to back up the KASP (which contains public keys and zone metadata, but no private keys) while relying on some external, HSM-dependent mechanism to back up (and restore, as needed) the matching private keys. Is this a correct assessment of things?

If I understood you correctly, the backup command that you mention would work (in 3.1) when using the default cryptographic provider alone - i.e. not with SoftHSM, or any actual HSM. Right?

On Wed, Aug 11, 2021 at 5:07 PM David Vasek <david.vasek@nic.cz> wrote:

Hello Luveh,

this will backup the KASP DB and all private keys, unless they are
stored in a HSM, and nothing else:

knotc zone-backup +backupdir your_backup_directory +kaspdb +nozonefile
+nojournal +notimers +nocatalog

The details are described here:
https://www.knot-dns.cz/docs/3.1/html/man_knotc.html
This is new in 3.1, in previous versions, KASP DB and private keys
couldn't be backed up separately without the other data. Please don't
forget that the keys are stored in plain in the backup, i.e. in the same
way as Knot stores them in its repository.

Regards,
David

On 2021-08-11 21:39, Luveh Keraph wrote:
> According to the documentation, one can back up the KASP using the
> mdb_dump command. Now I understand things correctly, this will just
> back up the public component of key pairs, plus some metadata for the
> zones the public keys are associated with.
>
> Are there any provisions in Knot concerning the backing up of the
> private components of key pairs, or is this something that must be
> done separately and within the context of whatever cryptographic
> provider is used?