Data Ownership and Backup Policy ​

At Cloud-IAM, we firmly believe that your data belongs to you, and you should have the ability to retrieve and store it within your own infrastructure.

To ensure data reliability and resilience in the event of a major outage, we regularly create full backups of the PostgreSQL database associated with your deployment. These backups can be restored independently, outside of the Cloud-IAM environment.

Each backup includes the complete Keycloak configuration, events, sessions, users, clients, and credentials.

For security purposes, all backups are encrypted using our internal GPG keys. They are securely stored across multiple, geographically diverse cloud providers.

Backups are retained for 30 days on our side. However, you may wish to download and store a copy within your own environment, either as an additional layer of redundancy or for use in a staging environment for development and testing purposes.

To enable secure transfer of backups to your infrastructure, we require that they be encrypted with a GPG key you control. We do not transmit unencrypted data under any circumstances.

To facilitate this, you must upload your public GPG key via the Cloud-IAM Console, in the settings section of the organization that owns the deployment.

GPG (GNU Privacy Guard) is used for asymmetric encryption. Cloud-IAM will use your public key to encrypt the backup files, which can only be decrypted using the corresponding private key in your possession.

This approach ensures that only you, holding the private key, can access the unencrypted backup data.

How to create a GPG key ​

To enable encrypted backup delivery, you must generate a GPG key pair and upload the public key to the Cloud-IAM Console.

Use the following command to initiate key generation:

$ gpg --full-generate-key

$ gpg --full-generate-key

You will be prompted to make several selections:

• Key Type: choose RSA and RSA (default option).
• Key Size: we recommend a minimum of 3072 bits.
• Key Expiration: it is considered best practice to set an expiration date to support key rotation (be sure to renew or replace the key before it expires to avoid service interruption).
• User ID Information: provide a name and email to identify your key.

Once complete, GPG will generate your key pair and store it locally. A sample output might look like this:

pub   rsa3072 2025-06-26 [SC] [expires: 2025-07-02]
7D42BCE0C837A8D0F369C8A39E19788B707738D7
uid                      for-ops (none) <my-email@acme.inc>
sub   rsa3072 2025-06-26 [E] [expires: 2025-07-02]

pub   rsa3072 2025-06-26 [SC] [expires: 2025-07-02]
7D42BCE0C837A8D0F369C8A39E19788B707738D7
uid                      for-ops (none) <my-email@acme.inc>
sub   rsa3072 2025-06-26 [E] [expires: 2025-07-02]

To allow Cloud-IAM to encrypt your backups, you must export and upload your public key in ASCII-armored format. Use the following command:

$ gpg --output my-email@acme.inc.public.pgp.txt --armor --export my-email@acme.inc

$ gpg --output my-email@acme.inc.public.pgp.txt --armor --export my-email@acme.inc

To get the contents:

$ cat my-email@acme.inc.public.pgp.txt

$ cat my-email@acme.inc.public.pgp.txt

You should see an output similar to:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGhdRmwBDACux9dtim6sC1rBaLNSmOIYm5eGVnoAEhQVLwqNEQfUGrHa8d1g
...
=HTjH
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGhdRmwBDACux9dtim6sC1rBaLNSmOIYm5eGVnoAEhQVLwqNEQfUGrHa8d1g
...
=HTjH
-----END PGP PUBLIC KEY BLOCK-----

Upload this file to the Cloud-IAM Console under your organization settings to enable encrypted backups.

How to associate the key ​

Once you've generated and exported your GPG public key, you need to upload it to your organization's security settings in the Cloud-IAM Console. Steps:

• Navigate to the Cloud-IAM Console: https://console.cloud-iam.com/settings?category=security
• Go to Settings > Security.
• In the GPG Keys section, click Add GPG Key.
• Paste the full ASCII-armored public key block you previously exported.

Once added, all future backups will be encrypted using both Cloud-IAM's internal GPG keys and all valid public keys associated with your organization.

This ensures that you retain the ability to securely decrypt and restore backups within your own infrastructure.

Download the backups ​

Backups can be downloaded directly from the Pilot section of the Cloud-IAM Console .

Backup List Overview ​

In the Pilot > Backups tab, each backup entry displays the following information:

• File name: The name of the backup file
• File size: The total size of the file
• Creation date: The date and time when the backup was generated
• GPG Key ID(s): The identifier(s) of the GPG key(s) used to encrypt the backup

Downloading a Backup ​

Each entry includes a Download button.

Click the Download button to download the corresponding encrypted backup file to your local machine.

Restoring a Backup ​

After downloading the backup to your infrastructure, we strongly recommend storing it securely and keeping it encrypted until restoration is required.

Step 1: decrypt the backup file ​

To decrypt the file using your private GPG key, run:

$ gpg --output "$BACKUP_FILE" --decrypt "${BACKUP_FILE}.gpg"

$ gpg --output "$BACKUP_FILE" --decrypt "${BACKUP_FILE}.gpg"

This command will generate a decrypted version of the backup file.

Step 2: restore to PostgreSQL ​

Once decrypted, you can restore the backup into a fresh PostgreSQL database using the following command:

$ pg_restore -v --host=${DB_ADDR} --port=${DB_PORT} --user=${DB_USER} -Fc -c -d ${DB_DATABASE} ${BACKUP_FILE}

$ pg_restore -v --host=${DB_ADDR} --port=${DB_PORT} --user=${DB_USER} -Fc -c -d ${DB_DATABASE} ${BACKUP_FILE}

Backups scheduling ​

By default, backups are scheduled daily. However, this schedule can be modified. To do this, go to the "Pilot > Backup" section of the Cloud-IAM console. Select the backup launch time (as well as your UTC zone) and the daily backup frequency:

• every 3 hours for 8 backups per day
• every 6 hours for 4 backups per day
• every 12 hours for 2 backups per day
• every 24 hours for one backup per day