> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cystack.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Backup

> Guide to configuring backup storage and backing up data

<Card>
  **Use Cases**

  * In the event of a hard drive failure or device theft, you can retrieve the latest data snapshot to minimize downtime and get employees back online quickly.
  * If data is encrypted by ransomware or files are maliciously deleted, clean data can be restored from previous backups, mitigating business impact.
  * When provisioning new devices or during employee transitions, critical data can be seamlessly transferred to the new hardware.
</Card>

To back up business data, users must first configure a storage repository. Currently supported repositories include AWS S3, with Google Drive support coming soon.

Follow the instructions below to configure your storage repository and initiate data backup.

***

## Backup via AWS S3 Storage

### AWS Configuration for CyStack Endpoint

* **Prerequisites:** Ensure you have an account with appropriate permissions for IAM and S3 services. Generate a security key and run the following command to configure AWS CLI credentials, enabling the CLI to interact with AWS services:

  ```bash theme={null}
  aws configure
  ```

* Replace the placeholders `[USER_NAME]`, `[REGION]`, `[ACCOUNT_ID]`, `[BUCKET_NAME]`, `[ROLE_NAME]`, and `[POLICY_NAME]` with your actual values.

#### 1. User

<Steps>
  <Step title="Create a new user:">
    ```bash theme={null}
    aws iam create-user --user-name [USER_NAME]
    ```
  </Step>

  <Step title="Create an access key for the user:">
    ```bash theme={null}
    aws iam create-access-key --user-name [USER_NAME]
    ```
  </Step>

  <Step title={<>Save the <code>AccessKeyId</code> and <code>SecretAccessKey</code> from the output:</>}>
    ```json theme={null}
    {
        "AccessKey": {
            "AccessKeyId": "AKIA...",
            "SecretAccessKey": "wJalrX...",
            ...
        }
    }
    ```
  </Step>

  <Step title="Verify user information:">
    ```bash theme={null}
    aws iam get-user --user-name [USER_NAME]
    ```
  </Step>

  <Step title="Save the user arn from the output:">
    ```json theme={null}
    {
        "User": {
            "Path": "/",
            "UserName": "[USER_NAME]",
            "UserId": "AIA...",
            "Arn": "arn:aws:iam::[ACCOUNT_ID]:user/[USER_NAME]",
            "CreateDate": "2025-04-22T04:30:31Z"
        }
    }
    ```
  </Step>
</Steps>

#### 2. Bucket

<Steps>
  <Step title="Create a new bucket:">
    ```bash theme={null}
    aws s3 mb s3://[BUCKET_NAME]
    ```
  </Step>

  <Step title="Enable versioning:">
    ```bash theme={null}
    aws s3api put-bucket-versioning --bucket [BUCKET_NAME] --versioning-configuration Status=Enabled
    ```
  </Step>

  <Step title={<>Create a file named <code>bucket-policy.json</code> with the following content:</>}>
    <Note>The AWS value is the <code>user ARN</code> value in the previous section.</Note>

    ```json theme={null}
    {
        "Version": "2012-10-17",
        "Id": "Policy1745394942216",
        "Statement": [
            {
                "Sid": "Stmt1745394940328",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/[USER_NAME]"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:ListBucketVersions"
                ],
                "Resource": "arn:aws:s3:::[USER_NAME]"
            }
        ]
    }
    ```
  </Step>

  <Step title="Attach the policy to the bucket:">
    ```bash theme={null}
    aws s3api put-bucket-policy --bucket [BUCKET_NAME] --policy file://bucket-policy.json --region [REGION]
    ```
  </Step>
</Steps>

#### 3. Create Necessary Roles

<Steps>
  <Step title={<>Create a <code>trust-policy.json</code> file to allow the new user to assume a role:</>}>
    ```json theme={null}
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/[USER_NAME]"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    ```
  </Step>

  <Step title={<>Create a role to invoke <code>AssumeRole</code>. This role will possess a minimal IAM policy, combined with a session policy for granular access control:</>}>
    <Tabs>
      <Tab title="Windows" icon="windows">
        ```bash theme={null}
        aws iam create-role ^
            --role-name [ROLE_NAME] ^
            --assume-role-policy-document file://trust-policy.json
        ```
      </Tab>

      <Tab title="Linux & macOS">
        ```bash theme={null}
        aws iam create-role \
            --role-name [ROLE_NAME] \
            --assume-role-policy-document file://trust-policy.json
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step title={<>Create a <code>generic-backup-policy.json</code> file containing the following IAM policy:</>}>
    ```json theme={null}
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectAttributes",
                    "s3:GetObjectVersion",
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::[BUCKET_NAME]",
                    "arn:aws:s3:::[BUCKET_NAME]/*"
                ]
            }
        ]
    }
    ```
  </Step>

  <Step title="Create and attach the policy:">
    <Tabs>
      <Tab title="Windows" icon="windows">
        ```bash theme={null}
        aws iam create-policy ^
            --policy-name [POLICY_NAME] ^
            --policy-document file://generic-backup-policy.json
        ```

        ```bash theme={null}
        aws iam attach-role-policy ^
            --role-name [ROLE_NAME] ^
            --policy-arn arn:aws:iam::[ACCOUNT_ID]:policy/[POLICY_NAME]
        ```
      </Tab>

      <Tab title="Linux & macOS">
        ```bash theme={null}
        aws iam create-policy \
            --policy-name [POLICY_NAME] \
            --policy-document file://generic-backup-policy.json
        ```

        ```bash theme={null}
        aws iam attach-role-policy \
            --role-name [ROLE_NAME] \
            --policy-arn arn:aws:iam::[ACCOUNT_ID]:policy/[POLICY_NAME]
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step title={<>Create a <code>central-server-policy.json</code> file:</>}>
    ```json theme={null}
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]"
            }
        ]
    }
    ```
  </Step>

  <Step title={<>Attach the policy allowing the new user to invoke <code>AssumeRole</code> on <code>[ROLE_NAME]</code>:</>}>
    <Tabs>
      <Tab title="Windows" icon="windows">
        ```bash theme={null}
        aws iam put-user-policy ^
            --user-name [USER_NAME] ^
            --policy-name STSPolicy ^
            --policy-document file://central-server-policy.json
        ```
      </Tab>

      <Tab title="Linux & macOS">
        ```bash theme={null}
        aws iam put-user-policy \
            --user-name [USER_NAME] \
            --policy-name STSPolicy \
            --policy-document file://central-server-policy.json
        ```
      </Tab>
    </Tabs>
  </Step>
</Steps>

#### 4. Configure Connection from CyStack Endpoint to Storage Repository

<Steps>
  <Step title={<>In the CyStack Endpoint management dashboard, navigate to <strong>Data protection</strong> {'\u2192'} <strong>Backup settings</strong>.</>} />

  <Step title={<>In the "Backup storage" list, select <strong>S3 storage</strong>:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-s3-config-1.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=3ae4960b1dd7ee222da1e25019fef6a6" alt="s3-config-1" style={{display: 'block', margin: '0 auto'}} width="1750" height="889" data-path="images/endpoint/en-s3-config-1.png" />
  </Step>

  <Step title={<>In the pop-up window, enter the configuration details obtained in the previous steps and click <code>Save</code>:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-s3-config-2.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=93b751a853ddf97fe201596ee5155676" alt="s3-config-2" width="797" height="509" data-path="images/endpoint/en-s3-config-2.png" />
  </Step>

  <Step title={<>Once the connection is established, navigate to the <strong>Device</strong> tab. Select the checkbox for the target device(s) and click <code>Enable backup</code>:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-s3-config-3.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=6386d84b01c2512a396bfecda2fb7b63" alt="s3-config-3" width="2048" height="1015" data-path="images/endpoint/en-s3-config-3.png" />
  </Step>
</Steps>

Data within the enterprise drives on selected devices will be automatically backed up every 6 hours. The backup process supports the following file types:
`.doc`, `.docx`, `.odt`, `.ott`, `.pages`, `.xls`, `.xlsx`, `.csv`, `.ods`, `.numbers`, `.pdf`, `.ppt`, `.pptx`, `.odp`, `.key`

***

## Data Recovery

In the event of device failure or data loss due to ransomware, business users can request the Workspace Owner or Administrator to restore their data. The Owner or Administrator should follow these steps to initiate recovery:

<Steps>
  <Step title={<>Click the <code>{'\u22EE'}</code> icon next to the target device and select <code>Manage snapshots</code>:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-restore-snapshots-access.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=b106563411af3ac74324128d627850e5" alt="restore-snapshots-access" style={{display: 'block', margin: '0 auto'}} width="460" height="362" data-path="images/endpoint/en-restore-snapshots-access.png" />
  </Step>

  <Step title={<>In the "Manage snapshots" dialog, click the <code>Restore</code> button:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-restore-snapshots-manage.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=9a85e4769f60133b8fbe219e24ea1bd4" alt="restore-snapshots-manage" style={{display: 'block', margin: '0 auto'}} width="1200" height="632" data-path="images/endpoint/en-restore-snapshots-manage.png" />
  </Step>

  <Step title={<>The system will prompt the end-user on the device to confirm the restoration request.</>} />

  <Step title={<>On the client device, the user must click <code>Confirm</code>:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-restore-client-confirmation.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=3aec6759aac8bc0d8b96c914aa316c5d" alt="restore-client-confirmation" style={{display: 'block', margin: '0 auto'}} width="2048" height="1365" data-path="images/endpoint/en-restore-client-confirmation.png" />
  </Step>

  <Step title={<>In certain scenarios (specifically on Windows), the user may be required to enter the BitLocker key (previously saved) to decrypt data after restoration:</>}>
    <img src="https://mintcdn.com/cystack/NwFcT4Q52zfPNCn3/images/endpoint/en-restore-client-bitlocker.png?fit=max&auto=format&n=NwFcT4Q52zfPNCn3&q=85&s=cc3a0398ff0935d24ca62ec93dba2dbf" alt="restore-client-bitlocker" style={{display: 'block', margin: '0 auto'}} width="2048" height="1365" data-path="images/endpoint/en-restore-client-bitlocker.png" />
  </Step>

  <Step title={<>Upon successful restoration, the user will regain access to the data on the device drive.</>} />
</Steps>
