# Backup & Restore

This guide covers what to back up, how to do it, how to restore from a backup, and how to automate backups in your environment. Regular backups are important before upgrades, when migrating an agent to new hardware, and as part of your standard disaster recovery plan.

## What to Back Up

A complete KEPM backup has four components:

{% stepper %}
{% step %}
**Policies**

The primary concern for most deployments. This includes the `policies/` folder, which contains any locally deployed policy files, and the `currentPolicies.json` export, which captures the full active preprocessed policy state including server-synced policies.
{% endstep %}

{% step %}
**Configuration**

The `appsettings.json` file, all plugin configuration files (`Plugins/*.json`), and all job configuration files (`Jobs/*.json`). These define how the agent behaves and should be preserved whenever you make a configuration change.
{% endstep %}

{% step %}
**Storage**

The `KeeperStorage/` directory, which contains the agent's registration state, unified storage data, and plugin-specific state. Losing this directory means the agent will need to be re-registered after a restore.
{% endstep %}

{% step %}
**Certificates**

If you use custom certificates (as opposed to the default auto-generated self-signed certificates), include the certificate files or document which Windows Certificate Store entry corresponds to the KEPM certificate.
{% endstep %}
{% endstepper %}

## Backup Locations

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="119.66668701171875">Platform</th><th width="302.6666259765625">Installation directory</th><th>Storage directory</th></tr></thead><tbody><tr><td>Windows</td><td><code>C:\Program Files\Keeper Security\Endpoint Privilege Management\</code></td><td><code>...\KeeperStorage\</code></td></tr><tr><td>Linux</td><td><code>/opt/keeper/sbin/</code></td><td><code>/opt/keeper/sbin/KeeperStorage/</code></td></tr><tr><td>macOS</td><td><code>/Library/Keeper/sbin/</code></td><td><code>/Library/Keeper/sbin/KeeperStorage/</code></td></tr></tbody></table>

## Taking a Manual Backup

Always stop the service before taking a filesystem backup to ensure storage files are in a consistent state.

### **Windows:**

```powershell
# Stop the service
Stop-Service -Name "KeeperPrivilegeManager"

# Back up the full installation directory
xcopy "C:\Program Files\Keeper Security\Endpoint Privilege Management" `
      "C:\Backup\KEPM\$(Get-Date -Format 'yyyyMMdd')" /E /I /H /Y

# Restart the service
Start-Service -Name "KeeperPrivilegeManager"
```

### **Linux:**

```bash
sudo systemctl stop keeper-privilege-manager
sudo tar -czf "/backup/keeper-backup-$(date +%Y%m%d).tar.gz" /opt/keeper/sbin/
sudo systemctl start keeper-privilege-manager
```

### **macOS:**

```bash
sudo launchctl stop com.keeper.privilegemanager
sudo tar -czf "$HOME/backup/keeper-backup-$(date +%Y%m%d).tar.gz" /Library/Keeper/sbin/
sudo launchctl start com.keeper.privilegemanager
```

## Restoring from a Backup

#### **Full restore (new machine or complete failure):**

1. Install the same version of KEPM that produced the backup. Do not restore a backup onto a newer or older version without first consulting the upgrade guide.
2. Stop the service if it is running.
3. Restore the backup to the installation directory:

```bash
# Linux example
sudo systemctl stop keeper-privilege-manager
sudo tar -xzf /backup/keeper-backup-YYYYMMDD.tar.gz -C /
sudo systemctl start keeper-privilege-manager
```

4. After the service starts, verify it is healthy:

```bash
curl -sk https://localhost:6889/health
curl -sk https://localhost:6889/api/Keeper/registration
```

5. Confirm registration status is `true` and policies are loaded.

#### **Policies only (restoring policy configuration without affecting registration):**

1. Copy the policy JSON files into the `policies/` folder.
2. The KeeperPolicy plugin detects file changes and automatically reloads policies — no service restart is required.
3. Verify the active policy state by checking `currentPolicies.json` or by observing policy behavior.

#### **Configuration only:**

1. Stop the service.
2. Replace the target configuration files.
3. Start the service.
4. Verify the affected plugins are running.

## Automating Backups

### **Windows Task Scheduler:**

```powershell
$action = New-ScheduledTaskAction `
  -Execute "powershell.exe" `
  -Argument "-File C:\Scripts\backup-keeper.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask `
  -TaskName "KEPM-Daily-Backup" `
  -Action $action `
  -Trigger $trigger `
  -RunLevel Highest
```

### **Linux cron:**

```bash
# Add to root crontab: crontab -e
0 2 * * * /opt/scripts/backup-keeper.sh
```

#### **Example Linux backup script:**

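```bash
#!/bin/bash
# Abort on the first failed command or unset variable
set -euo pipefail

BACKUP_DIR="/backup/keeper"
DATE=$(date +%Y%m%d)
KEEP_DAYS=30

# The archive contains the agent's registration state, so keep it root-only
umask 077
mkdir -p "$BACKUP_DIR"

# Restart the service even if the archive step fails
trap 'systemctl start keeper-privilege-manager' EXIT

# Create backup
systemctl stop keeper-privilege-manager
tar -czf "$BACKUP_DIR/keeper-backup-$DATE.tar.gz" /opt/keeper/sbin/
systemctl start keeper-privilege-manager
trap - EXIT

# Remove backups older than KEEP_DAYS
find "$BACKUP_DIR" -name "keeper-backup-*.tar.gz" -mtime +"$KEEP_DAYS" -delete
```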
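
Before relying on an archive, confirm that it is readable, that it contains each component listed under What to Back Up, and that nothing in it would land outside the installation directory when the restore extracts it as root with `-C /`. The script below is an added example, not Keeper tooling; it assumes the Linux layout and that `policies/`, `currentPolicies.json`, `appsettings.json`, `Plugins/`, `Jobs/` and `KeeperStorage/` sit directly under `/opt/keeper/sbin/`.

```shell
#!/bin/bash
# Added example, not Keeper tooling. Checks a Linux KEPM backup archive
# before it is trusted for a restore.
# Assumption: the components listed under "What to Back Up" sit directly
# under the install directory, stored by tar as opt/keeper/sbin/...
PREFIX="opt/keeper/sbin"

# Prints one line per problem. Returns 0 if the archive is readable, holds
# only members under $PREFIX, and contains every component; 2 if it cannot
# be read; 1 otherwise.
verify_kepm_backup() {
    archive="$1"
    rc=0
    # A truncated or corrupt archive fails to list.
    if ! listing=$(tar -tzf "$archive" 2>/dev/null); then
        echo "UNREADABLE: $archive"
        return 2
    fi
    # The restore runs as root with -C /, so any member outside the install
    # directory, or with a ".." segment, would be written elsewhere on disk.
    stray=$(printf '%s\n' "$listing" |
            awk -v p="$PREFIX" 'index($0, p "/") != 1 || /(^|\/)\.\.(\/|$)/')
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray" | sed 's/^/UNEXPECTED: /'
        rc=1
    fi
    # One extended regex per component, relative to $PREFIX.
    for pattern in 'policies/' 'currentPolicies\.json$' 'appsettings\.json$' \
                   'Plugins/[^/]+\.json$' 'Jobs/[^/]+\.json$' 'KeeperStorage/'; do
        if ! printf '%s\n' "$listing" | grep -Eq "^$PREFIX/$pattern"; then
            echo "MISSING: $pattern"
            rc=1
        fi
    done
    return "$rc"
}
```

Source the file and run `verify_kepm_backup /backup/keeper/keeper-backup-YYYYMMDD.tar.gz`; a non-zero return means the archive should not be used for a restore until every reported line is explained.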

***

## Disaster Recovery Checklist

Use this checklist when recovering KEPM on a new or rebuilt machine:

* [ ] Install the same KEPM version as the backup
* [ ] Restore the full backup archive to the installation path
* [ ] Verify file ownership and permissions match the requirements in the [Security Hardening](/keeperpam/endpoint-privilege-manager/user-guides/security-hardening.md) guide
* [ ] Start the service and confirm it reaches a healthy state
* [ ] Confirm the agent is registered (`"IsRegistered": true`)
* [ ] Confirm the KeeperAPI and KeeperPolicy plugins are Running
* [ ] Confirm active policies are loaded (check `currentPolicies.json`)
* [ ] Test policy evaluation on at least one controlled action
* [ ] Document the recovery date and any differences from the original configuration

**Test your recovery procedure quarterly.** A backup that has never been tested is not a backup you can rely on.

