Backup, Restore & Archives

Strix provides two data protection features:

  • PostgreSQL backup/restore: full system backup of configuration, users, alerts, and metadata via strix-setup.
  • ClickHouse archive/restore: per-fractal log data archives via the web UI.

Both are encrypted with AES-256-GCM using the STRIX_BACKUP_ENCRYPTION_KEY generated during setup.

Encryption Key

The encryption key is generated automatically by strix-setup during installation and stored in your .env file as STRIX_BACKUP_ENCRYPTION_KEY.

Do not lose this key. Without it, backups and archives cannot be decrypted. If you migrate or rebuild your Strix instance, copy the key from your .env file.

Storage

Backups and archives are stored to disk by default. S3-compatible storage (AWS S3, MinIO, DigitalOcean Spaces) is also supported.

Disk Storage

  • Backups (strix-setup): stored in {install_dir}/backups/
  • Archives (web UI): stored in the strix-archives Docker volume mounted at /archives

S3 Storage

Configure these environment variables in your .env file to use S3:

| Variable | Description |
|---|---|
| STRIX_S3_ENDPOINT | S3 endpoint URL (e.g., https://s3.amazonaws.com or MinIO URL) |
| STRIX_S3_BUCKET | Bucket name |
| STRIX_S3_ACCESS_KEY | Access key ID |
| STRIX_S3_SECRET_KEY | Secret access key |
| STRIX_S3_REGION | AWS region (e.g., us-east-1) |

When S3 is configured, both backups and archives will use S3 storage. If S3 is not configured, disk storage is used.

PostgreSQL Backup/Restore

System-level backups are managed through the strix-setup CLI. These back up the entire PostgreSQL database including users, fractal configurations, alerts, saved searches, notebooks, and all metadata.

Creating a Backup

strix-setup --backup --dir /opt/strix

This creates an encrypted backup file in {dir}/backups/ with the naming pattern strix-backup-{timestamp}.strix-backup.

For automated backups (e.g., cron), use non-interactive mode:

strix-setup --backup --dir /opt/strix --non-interactive

Listing Backups

strix-setup --list-backups --dir /opt/strix

Restoring a Backup

strix-setup --restore --dir /opt/strix --restore-file /opt/strix/backups/strix-backup-20250101-120000.strix-backup

The restore will: 1) decrypt and decompress the backup, 2) show the backup version and timestamp, 3) prompt for confirmation (unless --non-interactive), and 4) replace the current PostgreSQL database with the backup data.

Note: The Strix containers must be running for backup and restore operations.

Cron Example

0 2 * * * /usr/local/bin/strix-setup --backup --dir /opt/strix --non-interactive >> /var/log/strix-backup.log 2>&1
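
A scheduled backup is only useful if it keeps producing files and the key to decrypt them is still in place. The script below is an added example, not part of strix-setup: it checks that .env holds a non-empty STRIX_BACKUP_ENCRYPTION_KEY, that .env is not accessible to group or others, and that a recent non-empty file matching the documented naming pattern exists in {dir}/backups/. It assumes disk storage and that .env sits directly in the install directory; the function names and the 25-hour default are illustrative.

```shell
#!/bin/sh
# Added example, not part of strix-setup. Assumes disk storage and that
# .env sits directly in the install dir (the page does not state where).

# Succeeds if ENV_FILE has a non-empty STRIX_BACKUP_ENCRYPTION_KEY line.
# The key value is never printed.
key_present() {
    grep -Eq '^STRIX_BACKUP_ENCRYPTION_KEY=.+' "$1" 2>/dev/null
}

# Succeeds if group and others have no permissions on ENV_FILE.
env_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Prints one non-empty backup in BACKUP_DIR that matches the documented
# naming pattern and was modified less than MAX_AGE_MIN minutes ago.
fresh_backup() {
    find "$1" -type f -name 'strix-backup-*.strix-backup' \
        -size +0 -mmin "-$2" 2>/dev/null | head -n 1
}

# check_strix INSTALL_DIR [MAX_AGE_MIN]: prints each failed check and
# returns 1 if any failed, 0 otherwise.
check_strix() {
    dir=$1
    max_age=${2:-1500}   # 25 hours: slack for a once-a-day cron job
    rc=0
    key_present "$dir/.env" ||
        { echo "FAIL: STRIX_BACKUP_ENCRYPTION_KEY missing in $dir/.env"; rc=1; }
    env_private "$dir/.env" ||
        { echo "FAIL: $dir/.env is accessible to group or others"; rc=1; }
    [ -n "$(fresh_backup "$dir/backups" "$max_age")" ] ||
        { echo "FAIL: no non-empty backup under $max_age min old"; rc=1; }
    return "$rc"
}

# Run the check when called with arguments, e.g. from the cron job.
[ $# -eq 0 ] || check_strix "$@"
```

Run it with the install directory as its argument after the scheduled backup, so a failure lands in the same log. When S3 storage is configured the backups are not on disk and the freshness check does not apply.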

ClickHouse Archives

Per-fractal log archives are managed through the web UI by fractal administrators.

Creating an Archive

  1. Navigate to your fractal's Manage tab
  2. Scroll to the Archives section
  3. Click Create Archive

The archive process runs in the background. The status will show as "Archiving" with a spinner while in progress, and "Completed" when done.

Archives include all log data for the fractal. If the fractal has a retention policy configured, only logs within the retention window are archived.

Automatic Archive Scheduling

Fractals can be configured to create archives automatically on a schedule.

  1. Navigate to your fractal's Manage tab
  2. In the Archive Schedule section, select a frequency:
       • Never (default): no automatic archives
       • Daily: one archive per day
       • Weekly: one archive per week
       • Monthly: one archive per month
  3. Optionally set Maximum Archives to limit how many archives are kept. When the limit is exceeded, the oldest archives are automatically deleted.

Scheduled archives use the fractal's retention window (if configured) to scope the archived data. If no retention period is set, the archive includes all logs.

A background scheduler checks every 5 minutes whether any fractals are due for a new archive. Scheduled archives appear in the archive list with a Scheduled badge; manual archives show Manual. The max archives limit applies to both types.

When both a retention period and archive schedule are configured on the same fractal, Strix coordinates them automatically: retention enforcement adds a 1-day buffer and skips fractals with an active archive operation, ensuring logs are archived before they are deleted.

Archive Format

Each archive contains:

  • Log entries in compressed NDJSON format
  • Each entry preserves: timestamp, raw log, log ID, parsed fields, ingest timestamp
  • Compressed with zstd, encrypted with AES-256-GCM

Restoring an Archive

  1. Navigate to the Manage tab for the fractal that owns the archive
  2. Find the archive in the Archives section
  3. Click Restore
  4. Choose the target fractal from the dropdown (defaults to the current fractal)
  5. Optionally uncheck Clear existing logs to append instead of replace
  6. Confirm the restore operation

Archives can be restored into any fractal you have admin access to. This is useful for DFIR workflows where you archive production data and later restore it into a dedicated investigation fractal.

The restore runs in the background and progress can be monitored via the status indicator.

Warning: If the target fractal is actively receiving logs during a restore, newly ingested logs will be mixed with restored data. Consider pausing ingestion during restores.

Deleting an Archive

Click Delete next to any archive to remove it. This deletes both the database record and the stored archive file. This action cannot be undone.

Limitations

  • Only one archive or restore operation can run per fractal at a time (scheduled archives wait for active operations)
  • Archives capture a single fractal's data; there is no multi-fractal archive
  • PostgreSQL backups include the full database; selective table restore is not supported