Backup Generation and Restore with Digital Signature
Introduction
In any security environment, backups are just as important as live data. But a backup is only useful if it can be trusted. If there’s any doubt about its integrity, it becomes a risk instead of a safeguard.
To solve this, IBM QRadar 7.5.0 Update Package 15 introduces Backup Generation and Restore with Digital Signature. This feature adds built-in cryptographic validation to the entire backup and restore process.
Now, every backup is automatically signed when it is created and verified before it is restored. This ensures that only genuine and unchanged backups are used in your environment.
What has Changed
Earlier, QRadar backups did not include any built-in verification. There was no automatic way to check if a backup file had been modified, corrupted, or tampered with after creation.
With this update:
- Every backup is digitally signed during creation
- The signature is verified before restoration
- If verification fails, the restore process is blocked
This prevents compromised or corrupted backups from being restored into a live system.
Note: This feature is available starting from QRadar 7.5.0 Update Package 15 (UP15).
How It Works — Signing Process
When a backup starts, QRadar prepares and validates certificates before creating the backup archive.
It uses a two-level certificate hierarchy:
- CA Certificate – Acts as the root of trust
- Signer Certificate – Signs the backup file
At backup time, the system automatically checks certificate status:
- If certificates don’t exist → they are created automatically
- If valid → existing certificates are reused
- If expired → new certificates are generated
Once validated, the backup is signed, and a signature file is created alongside it — all done automatically.
Certificate Lifecycle and Configuration
Certificate validity can be configured based on your security policies:
- CA Certificate: 2 years (default)
- Signer Certificate: 1 year (default)
These values can be modified in:
/opt/qradar/bin/backupsign_sample.properties
Key properties:
CA_cert_rotation_period
Signer_cert_rotation_period
Important:
- Do not set values lower than the defaults
- The Signer certificate must always have a shorter validity than the CA certificate
Encrypted Passphrase Handling
QRadar also manages the encrypted passphrase used for signing:
- First-time setup → passphrase is auto-generated
- If unchanged → reused
- If modified manually → certificates become invalid
Important:
Passphrases and certificates are tightly linked. If changed manually, all existing certificates become unusable. In such cases, removing them allows QRadar to regenerate a new trust chain automatically.
Backup Verification During Restore
Before restoring a backup, QRadar verifies its digital signature.
Requirements:
- Backup file and signature file must be in the same directory
- Trusted certificate must exist in:
/store/backup/ssl/certs/truststore
Same System Restore
- Select backup
- Enable Verify option
- Proceed with restore
Different System Restore
- Transfer backup + signature file
- Transfer trusted certificate
- Place certificate in truststore
  If truststore doesn’t exist:
    bash /opt/qradar/bin/backupsign_cert_import.sh
    openssl rehash /store/backup/ssl/certs/truststore
- Enable verification and restore

Note: Verification can be skipped, but only in rare recovery scenarios.
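The signing process and the restore-time verification described above follow a general pattern: a CA issues a signer certificate, the signer key produces a detached signature, and the restoring side checks both the certificate chain and the signature. The script below is an added illustration of that pattern with plain openssl, not QRadar's own code or file formats; the file names, the RSA/SHA-256 choice and the temporary truststore directory are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added illustration: generic CA -> signer -> detached-signature flow with openssl.
# Not QRadar's internal commands; all names and the payload are constructed.

# Create CA (730 days), signer (365 days), a signed sample backup and a truststore.
setup_demo() {
  work=$(mktemp -d) || return 1
  ts="$work/truststore"; mkdir "$ts" || return 1
  printf 'constructed backup payload\n' > "$work/backup.tgz"
  # Root of trust: self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=Demo Backup CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null || return 1
  # Signer certificate, issued by the CA with a shorter validity.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Backup Signer" \
    -keyout "$work/signer.key" -out "$work/signer.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$work/signer.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 365 -out "$work/signer.crt" 2>/dev/null || return 1
  # Detached signature stored alongside the backup file.
  openssl dgst -sha256 -sign "$work/signer.key" \
    -out "$work/backup.tgz.sig" "$work/backup.tgz" || return 1
  # Truststore holds only the CA certificate; rehash creates the hash links
  # that -CApath lookups need.
  cp "$work/ca.crt" "$ts/" && openssl rehash "$ts"
}

# Usage: verify_backup BACKUP SIGNATURE SIGNER_CERT TRUSTSTORE_DIR
# Succeeds only if the signer chains to the truststore AND the signature matches.
verify_backup() {
  openssl verify -no-CAfile -CApath "$4" "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > "$3.pub" || return 1
  openssl dgst -sha256 -verify "$3.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# Verify the intact backup, then append one byte and verify again.
run_demo() {
  setup_demo || return 2
  local b="$work/backup.tgz" r1 r2
  verify_backup "$b" "$b.sig" "$work/signer.crt" "$ts" && r1=verified || r1=blocked
  printf 'x' >> "$b"
  verify_backup "$b" "$b.sig" "$work/signer.crt" "$ts" && r2=verified || r2=blocked
  echo "intact=$r1 tampered=$r2"
  rm -rf "$work"
}

run_demo
```

The chain check uses `-no-CAfile` so that only certificates in the given truststore directory count as trusted, which is why a restore on a different system fails until the CA certificate has been placed there and rehashed.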
Impact on Data Synchronization App
For environments using the Data Synchronization App, this feature works automatically.
- Certificates and signatures sync between systems
- No manual configuration required
- Certificate rotation is also synchronized
The system checks:
/opt/qradar/conf/backup-recovery-config.xml
Property: backup-verification-enabled
true → verification enabled
false → verification skipped
This ensures both systems follow the same trust validation rules.
Example Use Case
Imagine a disaster recovery setup with primary and secondary QRadar systems.
Earlier:
A backup transferred to the secondary system could be restored without checking its integrity.
Now:
- QRadar verifies the backup signature before restore
- If valid → restore continues
- If tampered → restore is blocked
This prevents compromised data from entering the system.
Best Practices
- Store certificates and passphrases securely
- Monitor certificate rotation regularly
- Avoid disabling verification unless necessary
- Maintain truststore properly during cross-system restores
- Ensure synchronization between systems is working correctly
Key Benefits
- Authenticity – Every backup is verified at its source
- Integrity – Detects tampering or corruption
- Automation – No manual certificate management needed
- Scalability – Works across all QRadar deployments
- Compliance – Helps meet security and regulatory requirements
- Reliable DR – Ensures safe restores during disaster recovery
Conclusion
Backup Generation and Restore with Digital Signature is a major improvement in QRadar UP15. It strengthens one of the most critical operations — backup and recovery.
By adding automatic signing, certificate management, and verification, QRadar ensures that every backup is trustworthy before it is restored.
Whether you're restoring locally, across systems, or during a failover, you can now be confident that your backup is secure, verified, and safe to use.
Special thanks to Deepankar Panda (deepand4@in.ibm.com) and Prateek Jain (prateek.j@in.ibm.com) for reviewing this blog...