Backup Considerations

Backup software

The type of backup software that your enterprise uses determines the way that you will back up the Password Vault. The Enterprise Password Vault provides a secure way to back up your Vault without compromising the sensitive information within.

The Enterprise Password Vault backup solution can be implemented in two scenarios:

Replication – The Vault Backup Utility exports the Vault data from the Password Vault to a computer on the local network. The enterprise global backup system can then access the files from that computer. The entire backup procedure takes place within the Vault environment, thus maintaining the highest possible level of security, and there is no need for any external application to cross the firewall. The contents of the Vault replica are encrypted, ensuring that they remain highly secure at all times. This method is recommended.
Third Party Backup System – The Password Vault integrates with several backup applications, and can configure the firewall to permit these applications access to the Vault backup folders. This introduces external applications to the Vault and potentially reduces the level of security protecting the information stored in the Vault.

Server location

If the Server is located in the DMZ, it is recommended that you back it up from within the enterprise network.

Required access rights

Backing up and restoring Safes can be carried out using Vault services. This means that the Vault has full control over backup and restore actions, which need to be issued by a CyberArk user who has specific backup rights.

Backup permissions

Backup rights enable a User to run the EPV Backup utilities. When using these utilities, the User will be required to supply a username and password. The Vault will then verify the User’s identity and check that the User has the authorization to back up the selected Safe. If the User does not have the required authority, the backup operation fails.

If the User carrying out the backup procedure only has access to some of the Safes in the selected group, only those Safes will be backed up. Safes that the User does not have access to will not be backed up.


It is recommended to use the specific “Backup” user for the backup operation rather than granting each User authorization to perform this procedure.

Backup user

The Backup user is a predefined user that is added automatically as an Owner to every Safe, and only has the access rights required to back up the Safes. This user makes it easier to organize your backup procedure.

After installation, the Backup User account is disabled. Before using the Backup User, enable it and update its password.

Any user that will initiate a backup process must have the ‘Backup All Safes’ user authorization on the Safes to be backed up. The predefined ‘Backup’ user has this privilege, and is also assigned to the ‘Backup Users’ predefined group automatically. When additional users are added to this group, they must each be given the ‘Backup All Safes’ authorization separately.
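The rules under Backup permissions and Backup user can be checked before a backup run; the following is an added example, not CyberArk code, that flags accounts whose backup would fail or silently skip Safes. The inventory layout, its field names and the accounts svc_bkp2 and jsmith are constructed assumptions; only the 'Backup' user, the 'Backup Users' group and the 'Backup All Safes' authorization come from this page.

```python
# Constructed inventory. Field names and accounts other than "Backup" are
# assumptions for this example, not a CyberArk export format.
USERS = {
    "Backup":   {"enabled": False, "groups": {"Backup Users"}, "auths": {"Backup All Safes"}},
    "svc_bkp2": {"enabled": True,  "groups": {"Backup Users"}, "auths": set()},
    "jsmith":   {"enabled": True,  "groups": set(),            "auths": {"Backup All Safes"}},
}
SAFE_ACCESS = {  # Safe name -> users with access to that Safe
    "Linux-Root":  {"Backup", "svc_bkp2"},
    "DB-Admins":   {"Backup"},
    "Net-Devices": {"Backup"},
}
BACKUP_AUTH, BACKUP_GROUP, PREDEFINED = "Backup All Safes", "Backup Users", "Backup"


def audit_backup_identity(name, users, safe_access):
    """Findings that would make a backup run as `name` fail or be partial."""
    user, findings = users[name], []
    # The predefined Backup user is disabled after installation.
    if not user["enabled"]:
        findings.append("account disabled")
    # Group membership alone does not confer the authorization.
    if BACKUP_AUTH not in user["auths"]:
        findings.append("missing 'Backup All Safes'")
    # Safes the account cannot access are left out of the backup.
    skipped = sorted(s for s, members in safe_access.items() if name not in members)
    if skipped:
        findings.append("Safes skipped: " + ", ".join(skipped))
    # The page recommends the predefined Backup user over per-user grants.
    if BACKUP_AUTH in user["auths"] and name != PREDEFINED:
        findings.append("backup rights held outside the predefined Backup user")
    return findings


def audit_all(users, safe_access):
    """Audit every account in the backup group or holding the backup authorization."""
    return {
        name: audit_backup_identity(name, users, safe_access)
        for name, u in users.items()
        if BACKUP_GROUP in u["groups"] or BACKUP_AUTH in u["auths"]
    }


if __name__ == "__main__":
    for account, findings in audit_all(USERS, SAFE_ACCESS).items():
        print(account, "->", findings or "ok")
```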

Restore permissions

To restore a Safe, a User must have the ‘Restore All Safes’ authorization in the Vault. This means that a User is able to restore all the Safes, but it does not grant that User automatic access to the Safes after they are restored. Only users who have Safe membership will be able to access restored Safes.

The ‘Restore All Safes’ authorization enables a User to issue the EPV Restore utility and restore any Safe in the Vault. The predefined Operator user has this permission and can also restore any Safe in the Vault. When using this utility, the user must supply the user name and password. The Vault will then verify the user identity and check the user's authorizations to administer this specific Safe. If the user does not have the required rights, the operation will not be carried out.

The user who will restore a full Vault is not required to authenticate to the Vault. However, the full Vault can only be restored on the Vault machine.

For more information about restoring individual Safes as well as the whole Vault, refer to the Privileged Access Security Implementation Guide.