.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.TH nethsm-system-restore 1  "nethsm-system-restore " 
.SH NAME
nethsm\-system\-restore \- Restore the device from a backup
.SH SYNOPSIS
\fBnethsm system restore\fR [\fB\-b\fR|\fB\-\-backup\-passphrase\-file\fR] [\fB\-s\fR|\fB\-\-system\-time\fR] [\fB\-a\fR|\fB\-\-auth\-passphrase\-file\fR] [\fB\-c\fR|\fB\-\-config\fR] [\fB\-l\fR|\fB\-\-label\fR] [\fB\-u\fR|\fB\-\-user\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIINPUT\fR> 
.SH DESCRIPTION
Restore the device from a backup
.PP
The device may be in state "Operational" or "Unprovisioned".
In both cases, the users and keys from the backup replace those on the device (if any).
.PP
If the device is in state "Unprovisioned", any credentials provided for authentication are ignored, the system configuration
(e.g. TLS certificate, unlock passphrase, etc.) from the backup is used as well, the device is rebooted and ends up in
"Locked" state.
.PP
If no new system time is provided, it is derived from the caller\*(Aqs system time.
If no backup passphrase is provided specifically, it is prompted for interactively.
.PP
Requires authentication of a system\-wide user in the "Administrator" role only if the device is in "Operational" state.
.SH OPTIONS
.TP
\fB\-b\fR, \fB\-\-backup\-passphrase\-file\fR=\fIBACKUP_PASSPHRASE_FILE\fR
The path to a file containing the backup passphrase
.RS
May also be specified with the \fBNETHSM_BACKUP_PASSPHRASE_FILE\fR environment variable. 
.RE
.TP
\fB\-s\fR, \fB\-\-system\-time\fR=\fISYSTEM_TIME\fR
The new system time for the device

Must be provided as an ISO 8601 formatted UTC timestamp.
.RS
May also be specified with the \fBNETHSM_SYSTEM_TIME\fR environment variable. 
.RE
.TP
\fB\-a\fR, \fB\-\-auth\-passphrase\-file\fR=\fIAUTH_PASSPHRASE_FILE\fR
The path to a file containing a passphrase for authentication

The passphrase provided in the file must be the one for the user chosen for the command.

This option can be provided multiple times, which is needed for commands that require multiple roles at once.
With multiple passphrase files ordering matters, as the files are assigned to the respective user provided by the "\-\-user" option.
.RS
May also be specified with the \fBNETHSM_AUTH_PASSPHRASE_FILE\fR environment variable. 
.RE
.TP
\fB\-c\fR, \fB\-\-config\fR=\fICONFIG\fR
The path to a custom configuration file

If specified, the custom configuration file is used instead of the default configuration file location.
.RS
May also be specified with the \fBNETHSM_CONFIG\fR environment variable. 
.RE
.TP
\fB\-l\fR, \fB\-\-label\fR=\fILABEL\fR
A label uniquely identifying a device in the configuration file

Must be provided if more than one device is setup in the configuration file.
.RS
May also be specified with the \fBNETHSM_LABEL\fR environment variable. 
.RE
.TP
\fB\-u\fR, \fB\-\-user\fR=\fIUSER\fR
A user name which is used for a command

Can be provided, if no user name is setup in the configuration file for a device.
Must be provided, if several user names of the same target role are setup in the configuration file for a device.

This option can be provided multiple times, which is needed for commands that require multiple roles at once.

.RS
May also be specified with the \fBNETHSM_USER\fR environment variable. 
.RE
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help (see a summary with \*(Aq\-h\*(Aq)
.TP
<\fIINPUT\fR>
The path to a valid NetHSM backup file
.RS
May also be specified with the \fBNETHSM_BACKUP_FILE\fR environment variable. 
.RE