External key storage uses the local filesystem (specifically, a filesystem that the host libraries can see). Depending on the API used, the use of an encrypted, external keystore may be transparent (managed by the SecurityServer libraries) or be managed (managed by your API-written code).
In both cases, making a backup of this keystore is as simple as using the operating system's "copy" command (Windows 'copy', Linux 'cp', or via the OS GUI file management front-end for cut+paste or drag+drop where supported/available).