Backup Strategy
At Cloud-IAM, we provide a comprehensive Keycloak backup strategy designed to protect your deployment data against accidental loss, misconfiguration, and major outages. Our approach uses complementary backup methods:
- Export: Fast, lightweight exports stored within your deployment environment, enabling quick rollback and immediate recovery.
- Snapshots: Stored within your deployment environment, enabling quick rollback and immediate recovery.
- Cold backups: Full, encrypted database dumps securely stored in geographically redundant locations within the European Union, ensuring long-term data durability and disaster recovery readiness.
By combining these methods, Cloud-IAM helps you maintain business continuity, minimize downtime, and comply with industry best practices for data protection and disaster recovery.
This documentation provides a comprehensive overview of how Cloud-IAM ensures the integrity and availability of your Keycloak data through robust backup processes, continuous validation, and customizable scheduling.
Export
The export feature consists of partial backups stored in .json format within the deployment environment.
Exports are a core part of the Cloud-IAM managed Keycloak service, designed to ensure resilience in case of Keycloak incidents.
For step-by-step guidance on using the export features on Cloud-IAM console, refer to the dedicated documentation page.
What does the export contain?
A Keycloak export includes all the critical data and configurations from your deployment. This ensures you can fully restore or migrate your environment if needed.
The export typically contains:
- Realms: All configured realms in your deployment
- Clients: Applications and services connected to Keycloak
- Roles: Both realm-level and client-specific roles
- Users: User accounts, credentials, and their assigned roles
- Groups: Group structures and memberships
- Identity Providers: External IdPs linked to your Keycloak setup
- Authentication Flows: Custom login, registration, and MFA logic
- Custom Configuration: Settings like SMTP, themes, or custom attributes
- User Federation Configs: LDAP or other external user store connections
Exported files are in JSON format.
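Because an export carries credentials and connection secrets alongside configuration, it helps to know which sections of a file are populated and where secret material sits before the file is copied anywhere. The sketch below is an added example, not Cloud-IAM code: it assumes the file follows Keycloak's standard realm export layout (the key names in SECTIONS and SECRET_KEYS are that assumption) and runs on a constructed sample.

```python
# Sections from the list above -> key in Keycloak's realm representation (assumed layout).
SECTIONS = {
    "Clients": "clients", "Roles": "roles", "Users": "users", "Groups": "groups",
    "Identity Providers": "identityProviders", "Authentication Flows": "authenticationFlows",
    "Custom Configuration (SMTP)": "smtpServer", "User Federation Configs": "components",
}
# Key names that carry secret material in a realm export (assumed, not exhaustive).
SECRET_KEYS = {"secret", "secretData", "clientSecret", "bindCredential", "password"}
USER_STORAGE = "org.keycloak.storage.UserStorageProvider"

def inventory(realm):
    """Count entries per section; 0 means the section is absent or empty."""
    counts = {}
    for label, key in SECTIONS.items():
        value = realm.get(key) or {}
        if key == "roles":  # shape: {"realm": [...], "client": {clientId: [...]}}
            n = len(value.get("realm", [])) + sum(map(len, value.get("client", {}).values()))
        elif key == "components":  # federation providers sit under one component type
            n = len(value.get(USER_STORAGE, []))
        else:  # lists count entries; smtpServer counts its settings
            n = len(value)
        counts[label] = n
    return counts

def secret_paths(node, path="$"):
    """List the JSON paths whose key name marks a non-empty secret value."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}"
            if k in SECRET_KEYS and v:
                found.append(here)
            found.extend(secret_paths(v, here))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found.extend(secret_paths(v, f"{path}[{i}]"))
    return found

# Constructed sample realm; every value is a placeholder.
SAMPLE_EXPORT = {
    "realm": "demo", "groups": [], "authenticationFlows": [{"alias": "browser"}],
    "clients": [{"clientId": "app", "secret": "CONSTRUCTED"}],
    "roles": {"realm": [{"name": "admin"}], "client": {"app": [{"name": "reader"}]}},
    "users": [{"username": "alice", "credentials": [{"type": "password", "secretData": "CONSTRUCTED"}]}],
    "identityProviders": [{"alias": "corp-oidc", "config": {"clientSecret": "CONSTRUCTED"}}],
    "smtpServer": {"host": "smtp.example.test", "password": "CONSTRUCTED"},
    "components": {USER_STORAGE: [{"name": "ldap", "config": {"bindCredential": ["CONSTRUCTED"]}}]},
}
```

An empty section in the inventory is a prompt to check whether that data was expected in the export, and the path list shows which fields need the same handling as the credentials themselves.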
Export security policy
To protect your data, exports are stored on encrypted-at-rest storage within your Keycloak cluster.
Export frequency and scheduling
By default, daily exports are automatically taken for your Keycloak deployment. Customers with a dedicated deployment can also initiate an export at any time directly through the console or via the API.
Export retention and accessibility
Exports are retained for 7 days to provide short-term recovery options. This retention period allows customers to perform rollback of specific operations directly on their Keycloak deployment.
Export validation and integrity
An internal monitoring system validates each export operation for completeness. Failures trigger immediate alerts and automatic retry attempts; if retries fail, our technical team intervenes to resolve the issue manually.
Cloud-IAM performs automated restore tests with each new Keycloak version to verify export usability, consistency, and data integrity.
Backups
Also known as cold backups, these consist of full PostgreSQL database dumps stored separately from the deployment environment.
Backups are an integral part of the Cloud-IAM managed Keycloak offering, ensuring resilience in the event of cloud provider incidents. They are used in the disaster recovery process to recreate deployments in the same region, a different region, or even a different cloud provider when necessary.
They are encrypted and stored in highly durable, highly available storage located within the European Union. Cold backups are primarily used for disaster recovery and migration purposes.
For step-by-step guidance on using the backup/cold backup features on Cloud-IAM console, refer to the dedicated documentation page.
What do backups contain?
Each backup includes the complete set of:
- Keycloak configurations (realms, roles, groups, identity providers, authentication flows, etc.)
- Events
- Sessions
- Users
- Clients
- Credentials
Backup security policy
To ensure the security of your data, each backup is encrypted using our internal GPG keys and stored in highly durable, encrypted-at-rest storage. The storage service used by Cloud-IAM is guaranteed 99.999999999% durability by the cloud provider.
To download and use your backups within your own infrastructure, Cloud-IAM allows you to add your own GPG key for encryption. Under no circumstances will Cloud-IAM transmit unencrypted customer backups.
Backup frequency and scheduling
By default, backups of your Keycloak deployment are scheduled to run daily. Depending on your support level, you can customize the backup frequency and timing to better fit your operational needs.
Available frequency options:
- Every 3 hours → 8 backups per day
- Every 6 hours → 4 backups per day
- Every 12 hours → 2 backups per day
- Every 24 hours → 1 backup per day
Backup retention and accessibility
Backups are retained for 1 month (30 days) by default to ensure availability over a longer timeframe.
This allows customers to request rollback operations through the Cloud-IAM technical team.
At Cloud-IAM, we firmly believe your data belongs to you. You have the ability to retrieve and store your backups within your own infrastructure. For every paid and dedicated deployment, you can download your backups encrypted with your GPG key to your infrastructure, with your own retention limit.
Backup validation and integrity
An internal alert system monitors and validates each backup operation to ensure completeness. Any failure triggers immediate alerts and automatic retry attempts. If retries fail, our technical team manually handles the backup.
Cloud-IAM performs weekly automated restore tests to validate backup usability in line with ISO 27001 requirements. These tests simulate disaster recovery operations to verify backup consistency and data integrity.
Snapshot
A snapshot is an exact copy of the database taken at a specific moment in time within your Keycloak cluster. In the Cloud-IAM managed Keycloak service, snapshots act as a third layer of security, adding extra resilience in case of incidents.
What does the Snapshot contain?
The snapshot of the database used by the Keycloak deployment includes all the critical data and configurations from your deployment. This ensures you can fully restore or migrate your environment if needed.
The snapshot typically contains:
- Realms: All configured realms in your deployment
- Clients: Applications and services connected to Keycloak
- Roles: Both realm-level and client-specific roles
- Users: User accounts, credentials, and their assigned roles
- Groups: Group structures and memberships
- Identity Providers: External IdPs linked to your Keycloak setup
- Authentication Flows: Custom login, registration, and MFA logic
- Custom Configuration: Settings like SMTP, themes, or custom attributes
- User Federation Configs: LDAP or other external user store connections
Snapshot security policy
To protect your data, snapshots are stored on encrypted-at-rest storage within your Keycloak cluster.
Snapshot frequency
By default, daily snapshots are automatically taken for your Keycloak deployment.
Snapshot retention
Snapshots are retained for 7 days to provide short-term recovery options.