How to install and configure Key Management Service (KMS) encryption on a NetBackup master server
Article: TECH67972 | Created: 2009-01-17 | Updated: 2010-01-10 | Article URL: http://www.symantec.com/docs/TECH67972
Problem
How to install and configure Key Management Service (KMS) encryption on a NetBackup master server
Solution
To install KMS, take the following actions on the NetBackup master server:

1. Run the following command:
   Windows: ..\netbackup\bin\nbkms -createemptydb
   UNIX: /usr/openv/netbackup/bin/nbkms -createemptydb
2. Enter a passphrase for the Host Master Key (HMK), or press Enter to create a randomly generated key.
3. Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.
4. Enter a passphrase for the Key Protection Key (KPK).
5. Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.
6. Start the service by running the following command:
   Windows: ..\netbackup\bin\nbkms
   UNIX: /usr/openv/netbackup/bin/nbkms
7. Verify that the service has started.
   Windows: Check the Services applet > NetBackup Key Management Service
   UNIX: ps -ef | grep nbkms
8. Create the key group. The key group name must be an identical match to the volume pool name, and all key group names must have the prefix ENCR_.
   Windows: ..\netbackup\bin\admincmd\nbkmsutil -createkg -kgname ENCR_volumepoolname
   UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname ENCR_volumepoolname
9. Create a key record by using the -createkey option.
   Windows: ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"
   UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"
   The -desc switch and its message are optional; they help you identify this key when you display the key. The -activate option is also optional; it skips the pre-live state and creates this key as active.
10. Provide the passphrase again when the script prompts you.
   In the following example, the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
   ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, &Mar"
11. You can create another key record using the same command; a different key name and description help you distinguish the key records:
   ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, &Jun"
   NOTE: If you create more than one key record in the same key group with the -activate option (nbkmsutil -createkey -kgname ENCR_volumepoolname ... -activate), only the last key created remains active.
12. To list all of the keys that belong to a key group, use the following command:
   Windows: ..\netbackup\bin\admincmd\nbkmsutil -listkeys -kgname ENCR_volumepoolname
   UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname ENCR_volumepoolname
   NOTE: Symantec strongly recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.
13. To run an encrypted tape backup, you must have a policy that is configured to draw from a volume pool with the same name as your key group.
14. When NetBackup runs a tape-encrypted backup and you view the Images on Media report, you see the encryption key tag that is registered with the record. This key tag is your indication that what was written to tape was encrypted; the encryption key tag uniquely identifies which key was used to encrypt the data.
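The UNIX side of steps 8 through 12, collected into one script as an added example (this is not code from the Symantec article or from NetBackup). It enforces the naming rule the article states (key group name = ENCR_ plus the volume pool name), refuses to proceed if nbkms is not running, and saves the -listkeys output with restricted permissions because the key tags in it are needed for recovery. Assumed: NetBackup under /usr/openv; the RECORD_DIR location and the record file name are this example's choices, not NetBackup conventions.

```shell
#!/bin/sh
# Added example: create a KMS key group and an active key for one volume pool.
# nbkmsutil options used here are the ones shown in the article.
NBDIR="${NBDIR:-/usr/openv/netbackup/bin}"
RECORD_DIR="${RECORD_DIR:-/var/tmp/kms-records}"   # assumed location, not NetBackup's

# Derive the key group name from the volume pool name: the article requires
# the ENCR_ prefix and an otherwise identical name. Prints the name on stdout.
kms_kgname_for_pool() {
    printf 'ENCR_%s\n' "$1"
}

# Return 0 only if the key group name is exactly ENCR_<pool>; a mismatch means
# backups drawn from that pool will not find their key group.
kms_check_kgname() {
    kgname="$1"; pool="$2"
    [ -n "$pool" ] || return 1
    [ "$kgname" = "ENCR_$pool" ]
}

# Create the key group and one active key, then record the key list.
# The nbkms passphrase prompts are interactive and are not scripted here.
kms_setup_pool() {
    pool="$1"; keyname="$2"; desc="$3"
    kgname=$(kms_kgname_for_pool "$pool")
    kms_check_kgname "$kgname" "$pool" || { echo "bad key group name: $kgname" >&2; return 1; }
    # Step 7 check from the article: the service must be running first.
    ps -ef | grep -q '[n]bkms' || { echo "nbkms is not running; start $NBDIR/nbkms first" >&2; return 1; }
    "$NBDIR/admincmd/nbkmsutil" -createkg -kgname "$kgname" || return 1
    "$NBDIR/admincmd/nbkmsutil" -createkey -kgname "$kgname" -keyname "$keyname" \
        -activate -desc "$desc" || return 1
    # Keep the record the article recommends; key tags are sensitive, so owner-only.
    umask 077
    mkdir -p "$RECORD_DIR" || return 1
    "$NBDIR/admincmd/nbkmsutil" -listkeys -kgname "$kgname" > "$RECORD_DIR/$kgname.listkeys.txt"
}

# Example use with the article's values (volume pool pool1):
# kms_setup_pool pool1 Q1_2008_key "key for Jan, Feb, &Mar"
```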
For more detailed information regarding KMS encryption and configuration, please see the following documents:
Legacy ID: 319641