How do I confirm KMS files are not included in Catalog Backup?
Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape?
This page seems to try to comfort us in the fact that the KMS directory is not included in the catalog backup.
"If the KPK, HMK, and key file were included in a catalog backup, and the catalog backup itself is encrypted, you have done the equivalent of locking the keys in the car. To protect from this problem is why KMS has been established as a separate service for NetBackup and why the KMS files are in a separate directory from the NetBackup directories."
But I'm not so comforted, given that the KMS files are in /opt/openv/kms. This doesn't look too separate from the NetBackup directories. Our previous catalog backup used to have this file list: "/opt/openv/".
Maybe the Hot Catalog backup excludes /opt/openv/kms. But since there's no "backup selections" pane in the properties of that policy, I can't confirm this.
And, not having that confirmed, I might just be sending my keys out along with my encrypted backups, totally defeating the purpose.
I've looked in the /opt/openv/netbackup/db/images/<master server>/1351000000/hot-catalog-backup_****_FULL.f files, and there doesn't seem to be a proper, readable file list. However, the string "opt openv" appears in all of them.
Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape, without finding a way to restore my catalog (without overwriting the current one)?