Configure KMS encryption on a UNIX Netbackup server
To install KMS, run the following stepson the Netbackup master server
- Run the following command:
- Enter a passphrase for the Hast Master Key (HMK) or press Enter to create a randomly generated key
- Enter an ID for the HMK (this ID can be anything descriptive that you want to use to identify the HMK)
- Enter a passphrase for the Key Protection Key (KPK).
- Enter an ID for the KPK (this ID can be anything descriptive rhar you want to use to identify the KPK)
- Run the following command to start the KMS service:
- Create the key group. All key group names must have the prefix ENCR_
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname ENCR_keygroup_name
- Create a key record by using the -createkey option.
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"
- Provide the passphrase again when the script prompts you.
In the following example, the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"
- You can create another key record using the same command; a different key name and description helps you distinguish the key records:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"
- To list all of the keys that belong to a key group name, use the following command:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname keyname
- To run an encrypted tape backup, you must have a policy that is configured to draw from a volume pool with the same name as your key group.
For example, if the key group name is "ENCR_backup", the volume pool name in Netbackup must also be "ENCR_backup".
- When Netbackup runs a tape-encrypted backup, and you view the Images on Media report, you see the encryption key tag that is registered with the record. This key tag is your indication that what was written to tape was encrypted. The encryption key tag uniquely identifies which key was used to encrypt the data.