Backup & restore

Tyr has two things to back up:

  1. PostgreSQL database — policies, agents, events, users, assignments.
  2. Server data directory ($TYR_DATA_DIR, default /var/lib/tyr) — CA key, JWT key.

Lose the DB → rebuild, re-enroll agents. Lose the CA key → every agent must re-enroll.

PostgreSQL

Daily dump

pg_dump -Fc -d tyr -f /backups/tyr-$(date +%F).dump

Compressed custom format (-Fc) restores fastest.

Restore

dropdb tyr && createdb tyr
pg_restore -d tyr /backups/tyr-2026-04-20.dump

After restore:

  • Server will start and accept logins with existing credentials.
  • Agents whose certs are still valid will continue to connect.
  • Policies are intact at the version numbers in the backup.

Retention strategy

The events table dominates size. Options:

  • Prune before backup: DELETE FROM events WHERE ts < now() - interval '7 days';
  • Partition by day (roadmap): dump only current + last week’s partition.
  • Separate cold store: stream old events to S3 via a nightly script, then delete.

Server data directory

sudo tar czf /backups/tyr-data-$(date +%F).tar.gz -C / var/lib/tyr

Contains:

/var/lib/tyr/
├── ca.key # CA private key — CRITICAL
├── ca.crt # CA public cert
├── jwt.key # JWT signing key
└── server.{key,crt} # server TLS cert (if not using --no-tls)

Restore

sudo systemctl stop tyr-server
sudo tar xzf /backups/tyr-data-2026-04-20.tar.gz -C /
sudo systemctl start tyr-server
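As an added example (not code from the Tyr project), a small POSIX sh helper that produces the data-directory archive the same way as the tar command above and checks, before the archive is copied off-host, that ca.key, ca.crt and jwt.key are actually inside it. The function names and the required-file list are my own; $TYR_DATA_DIR follows the default given at the top of the page.

```shell
#!/bin/sh
# Added example, not part of Tyr. Assumes POSIX sh, tar and gzip.
# TYR_DATA_DIR is read from the environment, defaulting to /var/lib/tyr.
TYR_DATA_DIR=${TYR_DATA_DIR:-/var/lib/tyr}
TYR_DATA_REL=${TYR_DATA_DIR#/}   # path as stored inside the archive (no leading /)

# Files a restore depends on. server.{key,crt} is optional (absent with
# --no-tls), so it is deliberately not required here.
TYR_REQUIRED_FILES="ca.key ca.crt jwt.key"

# tyr_backup_datadir ROOT ARCHIVE
#   Archive ROOT/$TYR_DATA_REL into ARCHIVE. ROOT is / in production; passing
#   another root lets the same function run against a staging copy or a test tree.
tyr_backup_datadir() {
    root=$1
    archive=$2
    tar czf "$archive" -C "$root" "$TYR_DATA_REL"
}

# tyr_verify_datadir_backup ARCHIVE
#   Exit status 0 if every required file is present, 1 if any is missing
#   (names printed to stderr), 2 if the archive cannot be read at all.
tyr_verify_datadir_backup() {
    archive=$1
    listing=$(tar tzf "$archive") || return 2
    missing=""
    for name in $TYR_REQUIRED_FILES; do
        entry="$TYR_DATA_REL/$name"
        # -x: whole-line match, -F: literal, so ca.key does not match ca.key.bak
        if ! printf '%s\n' "$listing" | grep -qxF -- "$entry"; then
            missing="$missing $entry"
        fi
    done
    if [ -n "$missing" ]; then
        echo "backup $archive is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Typical nightly use (as root, so ca.key is readable):
#   out="/backups/tyr-data-$(date +%F).tar.gz"
#   tyr_backup_datadir / "$out" && tyr_verify_datadir_backup "$out"
```

A non-zero exit from the verify step is the signal for the backup job to alert rather than ship an archive that cannot restore a working CA.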

Agent identity

Each agent’s /var/lib/tyr/ on the host has:

  • identity.json — agent_id assigned by server
  • client.key / client.crt — its mTLS credentials

These are disposable — if lost, the agent re-enrolls with a fresh token and gets a new identity. The historical events remain under the old agent_id in the database.

No need to back these up unless you want zero-downtime reinstalls.

Disaster recovery drill

Test quarterly:

  1. Spin up a new Postgres.
  2. pg_restore the latest dump.
  3. Spin up a new tyr-server with the restored /var/lib/tyr/.
  4. Confirm an existing agent’s heartbeat arrives and events flow.
  5. Confirm you can log in with an existing admin account.
  6. Confirm tyr policy list shows the expected versions.

Full-fresh-start recovery

If both DB and data dir are lost:

  1. Stand up a fresh tyr-server — it generates a new CA, new JWT key.
  2. Run the setup wizard at /setup to create a new admin.
  3. Create a new enrollment token.
  4. Every agent needs to be re-enrolled (their old certs are signed by a CA the new server doesn’t know).

Painful but survivable. This is why off-host backups of ca.key are worth the hassle.
