Backup
Chapter 42: Backup & Recovery
Section titled “Chapter 42: Backup & Recovery”Overview
Section titled “Overview”Data backup and recovery is a critical aspect of blockchain node operations. Proper backup strategies protect against data loss due to hardware failures, software bugs, human error, or security incidents. This chapter provides comprehensive guidance on what to backup, how to backup, and how to recover from various failure scenarios.
42.1 What to Backup
Section titled “42.1 What to Backup”Backup Priority Matrix
Section titled “Backup Priority Matrix”┌─────────────────────────────────────────────────────────────┐│ BACKUP PRIORITY MATRIX │├─────────────────────────────────────────────────────────────┤│ ││ CRITICAL (Must Backup): ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Keystore files (private keys) │ ││ │ • Validator keys │ ││ │ • Mnemonic phrases │ ││ │ • Node private key │ ││ └─────────────────────────────────────────────────────┘ ││ ││ HIGH (Should Backup): ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Configuration files │ ││ │ • JWT secret (for CL-EL communication) │ ││ │ • BLS keys (Ethereum 2) │ ││ │ • Database (if practical) │ ││ └─────────────────────────────────────────────────────┘ ││ ││ MEDIUM (Nice to Have): ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Historical blockchain data │ ││ │ • Snapshots │ ││ │ • State data │ ││ └─────────────────────────────────────────────────────┘ ││ ││ LOW (Not Needed): ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Peer connections │ ││ │ • Cache data │ ││ │ • Log files │ ││ └─────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────┘Ethereum Backup Checklist
Section titled “Ethereum Backup Checklist”| Data | Priority | Size | Backup Method |
|---|---|---|---|
| Keystore | Critical | < 1 MB | Encrypted, multiple copies |
| Validator Keys | Critical | < 1 MB | Hardware wallet + encrypted |
| nodekey | High | 32 bytes | Single encrypted copy |
| JWT Secret | High | 32 bytes | Same as validator |
| Config Files | High | < 1 MB | Version control |
| Database | Medium | 1-12 TB | Incremental, offsite |
42.2 Backup Commands
Section titled “42.2 Backup Commands”Ethereum Key Backup
Section titled “Ethereum Key Backup”# Create backup directorymkdir -p /backup/ethereum/$(date +%Y%m%d)BACKUP_DIR="/backup/ethereum/$(date +%Y%m%d)"
# Backup keystore (CRITICAL)tar -czf $BACKUP_DIR/keystore.tar.gz -C /data/ethereum/ keystore/
# Backup node keycp /data/ethereum/geth/nodekey $BACKUP_DIR/nodekey
# Backup JWT secretcp /data/ethereum/geth/jwtsecret $BACKUP_DIR/jwtsecret
# Backup configurationtar -czf $BACKUP_DIR/config.tar.gz -C /data/ethereum/ geth/
# Verify backupls -la $BACKUP_DIR/
# Encrypt critical backupgpg --symmetric --cipher-algo AES256 $BACKUP_DIR/keystore.tar.gzgpg --symmetric --cipher-algo AES256 $BACKUP_DIR/nodekeyAutomated Backup Script
Section titled “Automated Backup Script”#!/bin/bash# ConfigurationBACKUP_DIR="/backup/ethereum"SOURCE_DATA="/data/ethereum"DATE=$(date +%Y%m%d_%H%M%S)RETENTION_DAYS=30
# Create timestamped backupmkdir -p $BACKUP_DIR/$DATE
echo "=== Starting Backup: $DATE ==="
# 1. Backup keystore (critical)echo "Backing up keystore..."tar -czf $BACKUP_DIR/$DATE/keystore.tar.gz \ -C $SOURCE_DATA keystore/
# 2. Backup node keyecho "Backing up node key..."if [ -f "$SOURCE_DATA/geth/nodekey" ]; then cp $SOURCE_DATA/geth/nodekey $BACKUP_DIR/$DATE/nodekeyfi
# 3. Backup JWT secretecho "Backing up JWT secret..."if [ -f "$SOURCE_DATA/geth/jwtsecret" ]; then cp $SOURCE_DATA/geth/jwtsecret $BACKUP_DIR/$DATE/jwtsecretfi
# 4. Backup configurationecho "Backing up configuration..."tar -czf $BACKUP_DIR/$DATE/config.tar.gz \ -C $SOURCE_DATA geth/config.toml
# 5. Verifyecho "Verifying backup..."for file in $BACKUP_DIR/$DATE/*; do if [ -f "$file" ]; then SIZE=$(du -h "$file" | cut -f1) echo " ✓ $file ($SIZE)" fidone
# 6. Clean old backupsecho "Cleaning old backups..."find $BACKUP_DIR -type d -mtime +$RETENTION_DAYS -exec rm -rf {} \;
# 7. Create backup manifestcat > $BACKUP_DIR/$DATE/manifest.txt << EOFBackup Date: $DATEHostname: $(hostname)Backup Contents:- keystore.tar.gz- nodekey- jwtsecret- config.tar.gz
Node Version: $(geth version 2>/dev/null || echo "unknown")EOF
echo "=== Backup Complete ==="echo "Backup location: $BACKUP_DIR/$DATE"Cosmos Backup
Section titled “Cosmos Backup”# Backup validator keyscp -r ~/.gaia/config/priv_validator_key.json /backup/gaia/validator_key.json
# Backup node keycp -r ~/.gaia/config/node_key.json /backup/gaia/node_key.json
# Backup gentxcp -r ~/.gaia/config/gentx /backup/gaia/gentx/
# Backup Cosmos SDK app state (optional)cp -r ~/.gaia/data /backup/gaia/data/
# Create compressed backuptar -czf gaia_backup_$(date +%Y%m%d).tar.gz -C /backup gaia/42.3 Database Backup
Section titled “42.3 Database Backup”Incremental Backup
Section titled “Incremental Backup”#!/bin/bash# For large databases, use rsync for incremental backupSOURCE="/data/ethereum/geth"DEST="/backup/ethereum/database"
# Create destinationmkdir -p $DEST
# Use rsync for incremental backuprsync -avh --progress \ --exclude='*.log' \ --exclude='*.tmp' \ $SOURCE/chaindata $DEST/
# Create snapshot backuptar -czf /backup/ethereum/chaindata_$(date +%Y%m%d).tar.gz \ -C /data/ethereum/geth chaindata/Snapshot Backup (for small databases)
Section titled “Snapshot Backup (for small databases)”# For pruned nodes (~100GB), full snapshot is practicaltar -czf /backup/ethereum/full_snapshot_$(date +%Y%m%d).tar.gz \ -C /data/ethereum geth/42.4 Secure Offsite Backup
Section titled “42.4 Secure Offsite Backup”Encrypted Remote Backup
Section titled “Encrypted Remote Backup”#!/bin/bash# Configure AWS S3S3_BUCKET="ethereum-backups"DATE=$(date +%Y%m%d)
# Create encrypted archivetar -czf - /data/ethereum/keystore | \ openssl enc -aes-256-cbc -salt -pbkdf2 | \ aws s3 cp - s3://$S3_BUCKET/keystore_$DATE.tar.enc
# Verify uploadaws s3 ls s3://$S3_BUCKET/Using Rclone
Section titled “Using Rclone”# Install rclonecurl https://rclone.org/install.sh | sudo bash
# Configure rclonerclone config
# Create encrypted backuprclone copy /data/ethereum/keystore remote:backups/keystore \ --encrypt \ --exclude "*.log" \ -v
# Schedule with cron# 0 2 * * * /path/to/backup_script.sh42.5 Recovery
Section titled “42.5 Recovery”Restoring from Backup
Section titled “Restoring from Backup”#!/bin/bashBACKUP_FILE=$1
if [ -z "$BACKUP_FILE" ]; then echo "Usage: $0 <backup_file>" exit 1fi
echo "=== Starting Recovery ==="
# Stop nodeecho "Stopping node..."sudo systemctl stop geth
# Verify backup integrityecho "Verifying backup..."if file $BACKUP_FILE | grep -q "gzip"; then echo "Valid gzip archive"else echo "ERROR: Invalid backup file" exit 1fi
# Extract to temporary locationecho "Extracting backup..."mkdir -p /tmp/restoretar -xzf $BACKUP_FILE -C /tmp/restore
# Restore keystoreecho "Restoring keystore..."sudo cp /tmp/restore/keystore/* /data/ethereum/keystore/sudo chown -R ethereum:ethereum /data/ethereum/keystore
# Restore node key (if present)if [ -f "/tmp/restore/nodekey" ]; then echo "Restoring node key..." sudo cp /tmp/restore/nodekey /data/ethereum/geth/nodekeyfi
# Restore configif [ -f "/tmp/restore/config.toml" ]; then echo "Restoring configuration..." sudo cp /tmp/restore/config.toml /data/ethereum/geth/config.tomlfi
# Clean uprm -rf /tmp/restore
# Start nodeecho "Starting node..."sudo systemctl start geth
# Verifysleep 30echo "Verifying node status..."geth attach http://localhost:8545 > /dev/null 2>&1if [ $? -eq 0 ]; then echo "✓ Node restored successfully"else echo "⚠ Warning: Node may need attention"fi
echo "=== Recovery Complete ==="Full System Recovery
Section titled “Full System Recovery”# Recovery from complete failure
# 1. Install fresh OS# 2. Install node softwaresudo apt-get updatesudo apt-get install -y geth
# 3. Restore from backup./restore.sh /backup/ethereum/keystore_20240101.tar.gz
# 4. Start nodesudo systemctl start geth
# 5. Verifyjournalctl -fu gethgeth attach http://localhost:8545> eth.blockNumber42.6 Validator Recovery
Section titled “42.6 Validator Recovery”Ethereum Validator Recovery
Section titled “Ethereum Validator Recovery”┌─────────────────────────────────────────────────────────────┐│ VALIDATOR RECOVERY PROCEDURE │├─────────────────────────────────────────────────────────────┤│ ││ Scenario: Validator hardware failure ││ ││ 1. New server ready ││ 2. Install execution client (Geth) ││ 3. Install consensus client (Lighthouse) ││ 4. Restore from backup: ││ - Keystore password ││ - Validator keys (deposit_data.json) ││ - BLS keys ││ - JWT secret ││ 5. Start both clients ││ 6. Verify validator is active ││ 7. Monitor attestation duties ││ │└─────────────────────────────────────────────────────────────┘Emergency Mnemonic Recovery
Section titled “Emergency Mnemonic Recovery”# If all validator keys lost, recover from mnemonic
# Generate keys from mnemoniceth2valtools mnemonic-entropy \ --mnemonic="your 24 word mnemonic" \ --validator-keys-dir=/validator/keys \ --deposit-data-dir=/validator/deposit
# This will regenerate your validator keys42.7 Backup Verification
Section titled “42.7 Backup Verification”Test Restore
Section titled “Test Restore”#!/bin/bashBACKUP_DIR="/backup/ethereum"
echo "=== Backup Verification ==="
# Check backup files existecho "Checking backup files..."ls -la $BACKUP_DIR/*/keystore.tar.gz
# Verify archive integrityecho "Verifying archive integrity..."for backup in $(ls -d $BACKUP_DIR/*/ | tail -3); do echo "Testing: $backup" if tar -tzf $backup/keystore.tar.gz > /dev/null 2>&1; then echo " ✓ $backup is valid" else echo " ✗ $backup is corrupted!" fidone
# Test extraction (to temp)echo "Testing extraction..."mkdir -p /tmp/verifytar -xzf $BACKUP_DIR/$(ls -t $BACKUP_DIR | head -1)/keystore.tar.gz -C /tmp/verifyls /tmp/verify/keystore/rm -rf /tmp/verify
echo "=== Verification Complete ==="42.8 Disaster Recovery Plan
Section titled “42.8 Disaster Recovery Plan”Comprehensive DR Plan
Section titled “Comprehensive DR Plan”---recovery_time_objective: 4 hoursrecovery_point_objective: 24 hours
critical_systems: - name: Validator backup_frequency: hourly recovery_steps: - Restore from latest keystore backup - Reinstall validator software - Configure and start - Verify validator status
- name: RPC Node backup_frequency: daily recovery_steps: - Provision new server - Install node software - Restore config - Sync from snapshot
data_retention: keystore: permanent config: 90 days database: 14 days logs: 30 daysRunbook Template
Section titled “Runbook Template”# Disaster Recovery Runbook
## Scenario: Complete Server Failure
### Detection- Monitoring alert: Node unreachable- Manual report from team
### Immediate Actions (0-30 min)1. Acknowledge alert2. Verify server is down3. Check backup availability
### Recovery (30 min - 2 hours)1. Provision replacement server2. Install OS and dependencies3. Restore from backup4. Start services5. Verify functionality
### Post-Recovery (2-4 hours)1. Monitor node health2. Verify sync status3. Confirm RPC service4. Update stakeholders5. Document incidentSummary
Section titled “Summary”- Backup priorities: Keys > Config > Database
- Automate backups: Use cron for regular backups
- Encrypt backups: Use GPG or cloud encryption
- Offsite storage: Keep copies in different locations
- Test restore: Regularly verify backup integrity
- Document procedures: Have clear recovery runbooks
- Validator-specific: Extra precautions for validator keys
- DR planning: Plan for complete site failure
Next Chapter
Section titled “Next Chapter”In Chapter 43: Chain Reorganizations, we’ll explore handling chain reorganizations.
Last Updated: 2026-02-22