Backup & Restore

This guide covers what to back up, how to do it, how to restore from a backup, and how to automate backups in your environment. Regular backups are important before upgrades, when migrating an agent to new hardware, and as part of your standard disaster recovery plan.

What to Back Up

A complete KEPM backup has four components:

Policies

The primary concern for most deployments. This includes the policies/ folder, which contains any locally deployed policy files, and the currentPolicies.json export, which captures the full active preprocessed policy state including server-synced policies.

Configuration

The appsettings.json file, all plugin configuration files (Plugins/*.json), and all job configuration files (Jobs/*.json). These define how the agent behaves and should be preserved whenever you make a configuration change.

Storage

The KeeperStorage/ directory, which contains the agent's registration state, unified storage data, and plugin-specific state. Losing this directory means the agent will need to be re-registered after a restore.

Certificates

If you use custom certificates (as opposed to the default auto-generated self-signed certificates), include the certificate files or document which Windows Certificate Store entry corresponds to the KEPM certificate.

Backup Locations

Platform

Installation directory

Storage directory

Windows

C:\Program Files\Keeper Security\Endpoint Privilege Management\

...\KeeperStorage\

Linux

/opt/keeper/sbin/

/opt/keeper/sbin/KeeperStorage/

macOS

/Library/Keeper/sbin/

/Library/Keeper/sbin/KeeperStorage/

Taking a Manual Backup

Always stop the service before taking a filesystem backup to ensure storage files are in a consistent state.

Windows:

powershell

# Stop the service
Stop-Service -Name "KeeperPrivilegeManager"

# Back up the full installation directory
xcopy "C:\Program Files\Keeper Security\Endpoint Privilege Management" `
      "C:\Backup\KEPM\$(Get-Date -Format 'yyyyMMdd')" /E /I /H /Y

# Restart the service
Start-Service -Name "KeeperPrivilegeManager"

Linux:

bash

sudo systemctl stop keeper-privilege-manager
sudo tar -czf "/backup/keeper-backup-$(date +%Y%m%d).tar.gz" /opt/keeper/sbin/
sudo systemctl start keeper-privilege-manager

macOS:

bash

sudo launchctl stop com.keeper.privilegemanager
sudo tar -czf "$HOME/backup/keeper-backup-$(date +%Y%m%d).tar.gz" /Library/Keeper/sbin/
sudo launchctl start com.keeper.privilegemanager

Restoring from a Backup

Full restore (new machine or complete failure):

Install the same version of KEPM that produced the backup. Do not restore a backup onto a newer or older version without first consulting the upgrade guide.
Stop the service if it is running.
Restore the backup to the installation directory:

bash

# Linux example
sudo systemctl stop keeper-privilege-manager
sudo tar -xzf /backup/keeper-backup-YYYYMMDD.tar.gz -C /
sudo systemctl start keeper-privilege-manager

After the service starts, verify it is healthy:

bash

curl -sk https://localhost:6889/health
curl -sk https://localhost:6889/api/Keeper/registration

Confirm registration status is true and policies are loaded.

Policies only (restoring policy configuration without affecting registration):

Copy the policy JSON files into the policies/ folder.
The KeeperPolicy plugin detects file changes and automatically reloads policies — no service restart is required.
Verify the active policy state by checking currentPolicies.json or by observing policy behavior.

Configuration only:

Stop the service.
Replace the target configuration files.
Start the service.
Verify the affected plugins are running.

Automating Backups

Windows Task Scheduler:

powershell

$action = New-ScheduledTaskAction `
  -Execute "powershell.exe" `
  -Argument "-File C:\Scripts\backup-keeper.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask `
  -TaskName "KEPM-Daily-Backup" `
  -Action $action `
  -Trigger $trigger `
  -RunLevel Highest

Linux cron:

bash

# Add to root crontab: crontab -e
0 2 * * * /opt/scripts/backup-keeper.sh

Example Linux backup script:

bash

#!/bin/bash
BACKUP_DIR="/backup/keeper"
DATE=$(date +%Y%m%d)
KEEP_DAYS=30

# Create backup
systemctl stop keeper-privilege-manager
tar -czf "$BACKUP_DIR/keeper-backup-$DATE.tar.gz" /opt/keeper/sbin/
systemctl start keeper-privilege-manager

# Remove backups older than KEEP_DAYS
find "$BACKUP_DIR" -name "keeper-backup-*.tar.gz" -mtime +$KEEP_DAYS -delete

Disaster Recovery Checklist

Use this checklist when recovering KEPM on a new or rebuilt machine:

Install the same KEPM version as the backup
Restore the full backup archive to the installation path
Verify file ownership and permissions match the requirements in the Security Hardening guide
Start the service and confirm it reaches a healthy state
Confirm the agent is registered ("IsRegistered": true)
Confirm the KeeperAPI and KeeperPolicy plugins are Running
Confirm active policies are loaded (check currentPolicies.json)
Test policy evaluation on at least one controlled action
Document the recovery date and any differences from the original configuration

Test your recovery procedure quarterly. A backup that has never been tested is not a backup you can rely on.

PreviousAirgapped Support NextConfiguring the Approval Duration

Last updated 11 days ago