Backup & Restore

This guide covers what to back up, how to do it, how to restore from a backup, and how to automate backups in your environment. Regular backups are important before upgrades, when migrating an agent to new hardware, and as part of your standard disaster recovery plan.

What to Back Up

A complete KEPM backup has four components:

  1. Policies

     The primary concern for most deployments. This includes the policies/ folder, which contains any locally deployed policy files, and the currentPolicies.json export, which captures the full active preprocessed policy state including server-synced policies.

  2. Configuration

     The appsettings.json file, all plugin configuration files (Plugins/*.json), and all job configuration files (Jobs/*.json). These define how the agent behaves and should be preserved whenever you make a configuration change.

  3. Storage

     The KeeperStorage/ directory, which contains the agent's registration state, unified storage data, and plugin-specific state. Losing this directory means the agent will need to be re-registered after a restore.

  4. Certificates

     If you use custom certificates (as opposed to the default auto-generated self-signed certificates), include the certificate files or document which Windows Certificate Store entry corresponds to the KEPM certificate.

Backup Locations

| Platform | Installation directory | Storage directory |
| --- | --- | --- |
| Windows | C:\Program Files\Keeper Security\Endpoint Privilege Management\ | ...\KeeperStorage\ |
| Linux | /opt/keeper/sbin/ | /opt/keeper/sbin/KeeperStorage/ |
| macOS | /Library/Keeper/sbin/ | /Library/Keeper/sbin/KeeperStorage/ |

Taking a Manual Backup

Always stop the service before taking a filesystem backup to ensure storage files are in a consistent state.

Windows:

```powershell
# Stop the service
Stop-Service -Name "KeeperPrivilegeManager"

# Back up the full installation directory
xcopy "C:\Program Files\Keeper Security\Endpoint Privilege Management" `
      "C:\Backup\KEPM\$(Get-Date -Format 'yyyyMMdd')" /E /I /H /Y

# Restart the service
Start-Service -Name "KeeperPrivilegeManager"
```

Linux:

bash

macOS:

bash

Restoring from a Backup

Full restore (new machine or complete failure):

  1. Install the same version of KEPM that produced the backup. Do not restore a backup onto a newer or older version without first consulting the upgrade guide.

  2. Stop the service if it is running.

  3. Restore the backup to the installation directory:

bash

  4. After the service starts, verify it is healthy:

bash

  5. Confirm registration status is true and policies are loaded.

Policies only (restoring policy configuration without affecting registration):

  1. Copy the policy JSON files into the policies/ folder.

  2. The KeeperPolicy plugin detects file changes and automatically reloads policies — no service restart is required.

  3. Verify the active policy state by checking currentPolicies.json or by observing policy behavior.

Configuration only:

  1. Stop the service.

  2. Replace the target configuration files.

  3. Start the service.

  4. Verify the affected plugins are running.

Automating Backups

Windows Task Scheduler:

powershell

Linux cron:

bash

Example Linux backup script:

bash


Disaster Recovery Checklist

Use this checklist when recovering KEPM on a new or rebuilt machine:

Test your recovery procedure quarterly. A backup that has never been tested is not a backup you can rely on.
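
The script below is an added example, not Keeper's own script: it takes a Linux backup as described in this guide, then checks that the archive is intact and contains each component listed under What to Back Up. The service name placeholder, the systemd commands, the /var/backups/kepm destination, the function names, and the layout with every component directly under the installation directory are assumptions, not taken from KEPM documentation.

```shell
#!/bin/sh
# Added example, not Keeper's script. Paths come from the Linux row of the
# Backup Locations table; everything marked "assumed" is not from this guide.
set -eu

KEPM_DIR="${KEPM_DIR:-/opt/keeper/sbin}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/kepm}"          # assumed destination
KEPM_SERVICE="${KEPM_SERVICE:-REPLACE_WITH_UNIT_NAME}" # placeholder: unit name is not given in this guide

# Archive SRC into DEST and print the archive path. The body is a subshell so
# the umask change stays local. The archive holds registration state and
# possibly certificates, so new directories and files are created owner-only.
kepm_backup() (
  src=$1; dest=$2
  umask 077
  mkdir -p "$dest" || exit 1
  name="kepm-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$dest/$name" -C "$src" . || exit 1
  cd "$dest" && sha256sum "$name" > "$name.sha256" || exit 1
  printf '%s\n' "$dest/$name"
)

# Succeed only if the checksum matches and every component is in the archive
# (assumed layout: all components directly under the installation directory).
kepm_verify() (
  archive=$1; status=0
  cd "$(dirname "$archive")" || exit 1
  sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 || exit 1
  listing=$(tar -tzf "$(basename "$archive")") || exit 1
  for item in appsettings.json currentPolicies.json policies/ Plugins/ Jobs/ KeeperStorage/; do
    printf '%s\n' "$listing" | grep -qxF "./$item" || { echo "missing: $item" >&2; status=1; }
  done
  exit "$status"
)

# Stop the service for a consistent copy, back up, always restart, then verify.
if [ "${1:-}" = "--run" ]; then
  systemctl stop "$KEPM_SERVICE"                 # assumed: agent runs as a systemd unit
  trap 'systemctl start "$KEPM_SERVICE"' EXIT    # restart even if the backup fails
  archive=$(kepm_backup "$KEPM_DIR" "$BACKUP_DIR")
  kepm_verify "$archive" && echo "backup ok: $archive"
fi
```

Invoke it with `--run`; without that argument the file only defines the two functions, so `kepm_verify` can also be pointed at an older archive during a recovery test.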
