ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Create for disaster recovery or migration


Article ID: 161246


Updated On:


Data Loss Prevention Enforce


You need to back up the Protect directory on the Symantec Data Loss Prevention (DLP) Enforce server, for disaster recovery or migration purposes.


DLP 15.7.x - 15.8.x


For this process the will need to be created using one of the following methods:

Method 1 - Using the ReinstallationResourcesUtility.exe (Windows) or ReinstallationResourcesUtility (Linux)

This method is covered in the DLP Install guide under the "Creating the Enforce Reinstallation Resources file" section. See the Install guide for further details. Here is a summary:

Step 1

Switch to the DLP bin folder:

Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\bin 
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/bin

Step 2

Generate an Enforce Reinstallation Resources file by running the following command:

C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\bin> ReinstallationResourcesUtility.exe export "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect" "C:\"

[[email protected] bin]# ./ReinstallationResourcesUtility export /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/ /tmp/

Method 2 - Manually create the


Note: These steps assume that the DLP Enforce server is installed using default settings (C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect), and that the user is operating in a command line window with a working directory outside of that path.

  1. Create a EnforceReinstallationResources folder in your Desktop or any other location you prefer
  2. Create the config directory and copy over the file, preserving permissions:
    • mkdir config​​
    • robocopy /SEC "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config" .config
    • robocopy /SEC "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config" .config EncryptedPropertiesFilesEncryptionKey.key
  3. Create the keystore directory
    • ​​​mkdir keystore
    • robocopy /SEC "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\keystore" .keystore
  4. Create the file:
    • zip -r config keystore

Note: The zip command is present on single-tier and two-tier deployments under the oracle bin directory. In a three-tier setup, send the copied files to a compressed folder using Windows Explorer.

To manually create in Linux (15.5 and above)

create the config directory while preserving permissions

  • mkdir -p /tmp/config 
  • cp -p /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/config/ /tmp/config/
  • cp -p /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/config/EncryptedPropertiesFilesEncryptionKey.key /tmp/config/

Create the keystore directory

  • mkdir -p /tmp/keystore
  •  cp -r -p /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/keystore/* /tmp/keystore/

Create the zip archive

  • cd /tmp
  •  zip -r config keystore

To verify the zip archive (Windows or Linux):

  •  unzip -l


Point to this new when reinstalling Symantec Data Loss Prevention from your backup version.
If you reinstall using Silent Mode, you include the following parameters (in addition to other required parameters):



If you choose to run the EnforceServer.msi file to complete the installation, on the Initialize Database panel select Preserve Database Data and specify the file.


Additional information

For detailed information about DLP backups and recovery, see the Data Loss Prevention System Maintenance Guide - 15.7 / 15.8.