From 507f27a9e0503ee39da6c5e51ab4e088c0e2f0f4 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Mon, 30 Jun 2014 09:19:36 -0700 Subject: [PATCH] docs: Add backup documentation * Brain dump on ways to backup the docker volume container for peace of mind. --- docs/backup.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 docs/backup.md diff --git a/docs/backup.md b/docs/backup.md new file mode 100644 index 0000000..1903e0e --- /dev/null +++ b/docs/backup.md @@ -0,0 +1,14 @@ +# Backing Up Configuration and Certificates + +## Security + +The resulting archive from this back-up contains all credential to impersonate the server at a minimum. If the client private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients. Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will. + +I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES). For the paranoid keep backup offline. For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :). + + +TL;DR Protect the resulting archive file, by ensure there is very limited access to it. + +## Simple + + docker run --volumes-from openvpn-data --rm kylemanna/openvpn tar czf - -C /etc openvpn > openvpn-backup.tar.gz
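Review bot: The command under "## Simple" writes the archive to `openvpn-backup.tar.gz` in cleartext, although the "## Security" section above it says the archive holds the server credentials and, with the quick start directions, the certificate authority key. The only command in the document should follow the document's own advice. Consider showing an encrypted variant, for example piping the tar stream into `gpg --symmetric -o openvpn-backup.tar.gz.gpg` instead of redirecting to a file. At a minimum, run `umask 077` before the redirect so the file is not created readable by other users. Two smaller points in the Security text: "If the client private keys are generated using the EasyRSA utility then it also contains the client certificates" probably means the client private keys, since a certificate alone does not allow impersonation; and "all credential", "a adversary" and "by ensure" need fixing. A matching restore command would also make the page complete.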