# Backup & restore

Tyr has two things to back up:

- PostgreSQL database — policies, agents, events, users, assignments.
- Server data directory (`$TYR_DATA_DIR`, default `/var/lib/tyr`) — CA key, JWT key.

Lose the DB → rebuild, re-enroll agents. Lose the CA key → every agent must re-enroll.
## PostgreSQL

### Daily dump

```sh
pg_dump -Fc -d tyr -f /backups/tyr-$(date +%F).dump
```

Compressed custom format (`-Fc`) restores fastest.
### Restore

```sh
dropdb tyr && createdb tyr
pg_restore -d tyr /backups/tyr-2026-04-20.dump
```

After restore:

- Server will start and accept logins with existing credentials.
- Agents whose certs are still valid will continue to connect.
- Policies are intact at the version numbers in the backup.
### Retention strategy

The `events` table dominates size. Options:

- Prune before backup:

  ```sql
  DELETE FROM events WHERE ts < now() - interval '7 days';
  ```

- Partition by day (roadmap): dump only current + last week's partition.
- Separate cold store: stream old events to S3 via a nightly script, then delete.
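A nightly cold-store job of the kind the last option describes, as an added example (this is not Tyr's own tooling): it archives events older than the retention window to a gzipped CSV, verifies the archive, optionally uploads it with the `aws` CLI, and only then deletes the rows. The cutoff timestamp is read once from the database clock and reused for the export, the row count and the `DELETE`, so the archive and the deletion cover exactly the same rows. Assumed: the `events` table has a `ts` column (as the prune query above uses), `psql` can reach the `tyr` database through the usual `PG*` environment, and the `TYR_*` variables, the archive directory and the bucket name are placeholders of this example.

```sh
#!/bin/sh
# tyr-archive-events.sh (added example, not from the Tyr project)
# Usage: ./tyr-archive-events.sh run      (nightly via cron or a systemd timer)
set -eu

DB="${TYR_DB:-tyr}"
RETAIN="${TYR_EVENTS_RETAIN:-7 days}"       # PostgreSQL interval literal
ARCHIVE_DIR="${TYR_ARCHIVE_DIR:-/backups/events}"
BUCKET="${TYR_ARCHIVE_BUCKET:-}"             # empty = keep archives local only

# One cutoff, taken from the DB clock, reused for COPY, count and DELETE.
db_cutoff() {
    psql -Atq -d "$DB" -c "SELECT (now() - interval '$RETAIN')::text"
}

# Archive name derived from the cutoff date, e.g. events-before-2026-04-13.csv.gz
archive_path() {
    # $1 = archive dir, $2 = cutoff timestamp text (YYYY-MM-DD ...)
    printf '%s/events-before-%s.csv.gz' "$1" "$(printf '%s' "$2" | cut -c1-10)"
}

# Refuse to delete anything unless the archive is intact and holds exactly
# the expected number of rows (+1 for the CSV header line).
verify_archive() {
    # $1 = archive path, $2 = expected row count
    gzip -t "$1" 2>/dev/null || return 1
    rows=$(gzip -dc "$1" | wc -l | tr -d ' ')
    [ "$rows" -eq $(( $2 + 1 )) ]
}

main() {
    cutoff=$(db_cutoff)
    [ -n "$cutoff" ] || { echo "could not read cutoff from $DB" >&2; exit 1; }
    mkdir -p "$ARCHIVE_DIR"
    archive=$(archive_path "$ARCHIVE_DIR" "$cutoff")

    expected=$(psql -Atq -d "$DB" -c "SELECT count(*) FROM events WHERE ts < '$cutoff'")
    if [ "$expected" -eq 0 ]; then
        echo "nothing older than $cutoff; done"
        exit 0
    fi

    # COPY ... TO STDOUT streams the rows without a server-side temp file.
    psql -d "$DB" -c "COPY (SELECT * FROM events WHERE ts < '$cutoff' ORDER BY ts) TO STDOUT WITH (FORMAT csv, HEADER)" \
        | gzip -c > "$archive"
    chmod 0600 "$archive"      # events may contain host details; keep the archive private

    verify_archive "$archive" "$expected" \
        || { echo "$archive failed verification; rows NOT deleted" >&2; exit 1; }

    if [ -n "$BUCKET" ]; then
        aws s3 cp "$archive" "s3://$BUCKET/tyr/events/$(basename "$archive")"
    fi

    # Same cutoff literal as the export, so nothing newer is ever deleted.
    deleted=$(psql -Atq -d "$DB" \
        -c "WITH d AS (DELETE FROM events WHERE ts < '$cutoff' RETURNING 1) SELECT count(*) FROM d")
    echo "archived $expected rows to $archive, deleted $deleted"
}

case "${1:-}" in
    run) main ;;
esac
```

The script does nothing unless invoked with `run`, so it can be sourced or linted safely. Run it before the daily `pg_dump` so the dump only carries the retained week; if the upload step fails the rows stay in the table and the next run re-exports them.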
## Server data directory

```sh
sudo tar czf /backups/tyr-data-$(date +%F).tar.gz -C / var/lib/tyr
```

Contains:

```
/var/lib/tyr/
├── ca.key            # CA private key — CRITICAL
├── ca.crt            # CA public cert
├── jwt.key           # JWT signing key
└── server.{key,crt}  # server TLS cert (if not using --no-tls)
```
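A backup that has never been opened is not known to be restorable. The following verification script is an added example, not part of Tyr: it checks that the daily dump parses with `pg_restore --list` (which reads the table of contents without touching any database), that the data-directory tarball contains `ca.key`, `ca.crt` and `jwt.key` with the secrets not readable by group or others, and that `ca.crt` really is the certificate for `ca.key`, so a restore cannot silently bring up a server whose CA no agent trusts. The script name, the `run` sub-command and the use of `openssl` for the key/cert match are this example's own choices.

```sh
#!/bin/sh
# tyr-verify-backup.sh (added example, not from the Tyr project)
# Usage: ./tyr-verify-backup.sh run /backups/tyr-2026-04-20.dump /backups/tyr-data-2026-04-20.tar.gz
set -eu

# Files the data-directory tarball must contain, relative to the archive root.
REQUIRED="var/lib/tyr/ca.key var/lib/tyr/ca.crt var/lib/tyr/jwt.key"
# Files that must not be readable by group or others.
SECRET="var/lib/tyr/ca.key var/lib/tyr/jwt.key"

# 1. The custom-format dump must be parseable; --list never connects to a DB.
check_dump() {
    pg_restore --list "$1" >/dev/null
}

# 2. Extract with -p so the modes stored in the tarball survive the caller's umask.
extract_backup() {
    # $1 = tarball, $2 = destination directory
    tar xzpf "$1" -C "$2"
}

# 3. Every required file present and non-empty; secrets not group/world readable.
check_required() {
    # $1 = extracted root
    rc=0
    for f in $REQUIRED; do
        if [ ! -s "$1/$f" ]; then
            echo "missing or empty in backup: $f" >&2
            rc=1
        fi
    done
    for f in $SECRET; do
        # columns 5-10 of `ls -l` are the group and other permission bits
        if [ -e "$1/$f" ] && [ "$(ls -l "$1/$f" | cut -c5-10)" != "------" ]; then
            echo "$f is readable by group/others inside the backup" >&2
            rc=1
        fi
    done
    return $rc
}

# 4. ca.crt must carry the public key of ca.key; a mismatched pair restored
#    onto a server means every agent's client cert fails to validate.
check_ca_pair() {
    # $1 = directory holding ca.key and ca.crt
    k=$(openssl pkey -in "$1/ca.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/ca.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 run DUMP TARBALL" >&2; exit 2; }
    dump=$1; tarball=$2
    check_dump "$dump"
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    extract_backup "$tarball" "$tmp"
    check_required "$tmp"
    check_ca_pair "$tmp/var/lib/tyr" || { echo "ca.key and ca.crt do not match" >&2; exit 1; }
    echo "ok: $dump and $tarball look restorable"
}

case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Run it against the off-host copy of the backup, not the files still sitting on the server, since the point is to prove the copy you would actually restore from.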
### Restore

```sh
sudo systemctl stop tyr-server
sudo tar xzf /backups/tyr-data-2026-04-20.tar.gz -C /
sudo systemctl start tyr-server
```

## Agent identity
Each agent's `/var/lib/tyr/` on the host has:

- `identity.json` — agent_id assigned by server
- `client.key` / `client.crt` — its mTLS credentials
These are disposable — if lost, the agent re-enrolls with a fresh token and gets a new identity. The historical events remain under the old agent_id in the database.
No need to back these up unless you want zero-downtime reinstalls.
## Disaster recovery drill

Test quarterly:

- Spin up a new Postgres.
- `pg_restore` the latest dump.
- Spin up a new `tyr-server` with the restored `/var/lib/tyr/`.
- Confirm an existing agent's heartbeat arrives and events flow.
- Confirm you can log in with an existing admin account.
- Confirm `tyr policy list` shows the expected versions.
## Full-fresh-start recovery

If both DB and data dir are lost:

- Stand up a fresh `tyr-server` — it generates a new CA, new JWT key.
- Run the setup wizard at `/setup` to create a new admin.
- Create a new enrollment token.
- Every agent needs to be re-enrolled (their old certs are signed by a CA the new server doesn't know).

Painful but survivable. This is why off-host backups of `ca.key` are worth the hassle.
→ Next: Troubleshooting · Upgrading