Recovery Quick Reference

Print this page and store it with your LUKS USB backup.

Emergency Recovery Order

| Step | What | Command |
|------|------|---------|
| 1 | Mount LUKS USB | sudo cryptsetup luksOpen /dev/sdX1 backup-usb && sudo mount /dev/mapper/backup-usb /mnt/backup |
| 2 | Restore age key | cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/ && chmod 600 ~/.secrets/.metadata/keys/master.age.key |
| 3 | Restore SSH keys | cp /mnt/backup/ssh/id_* ~/.ssh/ && chmod 700 ~/.ssh && chmod 600 ~/.ssh/id_* |
| 4 | Clone secrets repo | git clone git@github.com:EvanusModestus/domus-secrets.git ~/.secrets |
| 5 | Load credentials | dsource d000 dev/network |
| 6 | Verify | netapi ise mnt sessions |

Critical Infrastructure IPs

| System | IP | Purpose |
|--------|----|---------|
| NAS-01 | 10.50.1.70 | Backup storage, Borg repos |
| Vault-01 | 10.50.1.60 | PKI, SSH CA, secrets |
| pfSense | 10.50.1.1 | Firewall, DNS forwarder |
| home-dc01 | 10.50.1.50 | AD DS, LDAP auth |
| ISE-02 | 10.50.1.21 | 802.1X, RADIUS |
| KVM-01 | 10.50.1.110 | Hypervisor |

Backup Commands

Daily Infrastructure Backup

dsource d000 dev/network
netapi ise backup --upload-nas
netapi wlc backup --upload-nas
netapi pfsense backup --upload-nas
netapi ios backup --all --upload-nas
netapi kvm backup --all --upload-nas

Borg Workstation Backup

sudo mount -t nfs nas-01:/volume1/borg_backups /mnt/synology
dsource d000 dev/storage
sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" ~/.local/bin/borg-backup-synology.sh
dsunsource
sudo umount /mnt/synology

Seagate USB Backup

seagate-primary-mount /dev/sda1
seagate-primary-backup
seagate-primary-umount

Recovery Commands

From Borg

# List archives
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg list /mnt/synology/borg-repo

# Mount and browse
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg mount /mnt/synology/borg-repo::ARCHIVE /tmp/borg-mount

# Extract single file
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg extract /mnt/synology/borg-repo::ARCHIVE home/evanusmodestus/path/to/file

From M-Disc

sudo mount /dev/sr0 /mnt/cdrom
cd /mnt/cdrom && sha256sum -c SHA256SUMS.txt
age -d -i ~/.secrets/.metadata/keys/master.age.key P0-CRITICAL-*.tar.age | tar -xvf -

LUKS Header Restore

age -d -i ~/.secrets/.metadata/keys/master.age.key header.img.age > /tmp/header.img
sudo cryptsetup luksHeaderRestore /dev/sdX1 --header-backup-file /tmp/header.img
shred -vzn 3 /tmp/header.img

Credential Locations

| Credential | Location |
|------------|----------|
| age master key | ~/.secrets/.metadata/keys/master.age.key |
| SSH keys | ~/.ssh/id_* |
| GPG keys | ~/.gnupg/ |
| gopass store | ~/.local/share/gopass/stores/v3/ |
| dsec vaults | ~/.secrets/vaults/d000/ |
| LUKS passphrases | gopass show v3/domains/d000/storage/seagate/primary |
| Borg passphrase | dsource d000 dev/storage, then $BORG_PASSPHRASE |

Verification Commands

# Verify age key works
age -d -i ~/.secrets/.metadata/keys/master.age.key ~/.secrets/test.age

# Verify SSH access
ssh nas-01 hostname

# Verify dsec works
dsec show d000 dev/network

# Verify Borg repo
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg check /mnt/synology/borg-repo
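
Added example (not part of the original page or of the dsec/netapi tooling): a shell check that the key material restored in recovery steps 2 and 3 carries the modes those steps set, 600 on the age key and the SSH key files and 700 on ~/.ssh. The function name check_restored_keys is hypothetical, and stat -c assumes GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: audits restored key files against the modes from
# recovery steps 2 and 3 (600 on key files, 700 on ~/.ssh).
# check_restored_keys is a hypothetical helper, not a dsec/netapi command.

# Prints one line per problem; returns 0 only if every check passes.
# Optional argument: home directory to inspect (defaults to $HOME).
check_restored_keys() {
    local home="${1:-$HOME}" rc=0 found=0 f mode
    local age_key="$home/.secrets/.metadata/keys/master.age.key"
    local ssh_dir="$home/.ssh"

    # _expect PATH MODE: PATH must exist, must not be a symlink
    # (stat would report the link's own mode), and must have MODE.
    _expect() {
        if [ -L "$1" ] || [ ! -e "$1" ]; then
            echo "MISSING-OR-SYMLINK $1"; return 1
        fi
        mode=$(stat -c '%a' "$1")
        if [ "$mode" != "$2" ]; then
            echo "MODE $mode (want $2) $1"; return 1
        fi
    }

    _expect "$age_key" 600 || rc=1
    _expect "$ssh_dir" 700 || rc=1

    # Step 3 applies chmod 600 to every id_* file, public keys included,
    # so the same mode is expected on all of them here.
    for f in "$ssh_dir"/id_*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        found=1
        _expect "$f" 600 || rc=1
    done
    [ "$found" -eq 1 ] || { echo "NO-SSH-KEYS $ssh_dir"; rc=1; }
    return "$rc"
}
```

Run check_restored_keys with no argument after step 3; a non-zero exit status means at least one file is missing or has a different mode than the recovery steps set.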

If All Else Fails

  1. Retrieve M-Disc from fireproof safe

  2. Boot from Arch Linux live USB

  3. Mount M-Disc: sudo mount /dev/sr0 /mnt/cdrom

  4. Extract P0-CRITICAL first (contains age key)

  5. Follow recovery order above