Configure KMS encryption on a windows NetBackup server

This article provides the necessary actions needed to install and configure Key Management Service (KMS) encryption on a windows NetBackup master server.


To install KMS, run the following steps on the NetBackup master server

  1. Run the following command:
    ..\netbackup\bin\nbkms -createemptydb
  2. Enter a passphrase for the Hast Master Key (HMK) or press Enter to create a randomly generated key
  3. Enter an ID for the HMK (this ID can be anything descriptive that you want to use to identify the HMK)
  4. Enter a passphrase for the Key Protection Key (KPK).
  5. Enter an ID for the KPK (this ID can be anything descriptive rhar you want to use to identify the KPK)
  6. Start the KMS service
    1. Start, Run, services.msc
    2. Start the NetBackup Key Management Service
  7. Create the key group. All key group names must have the prefix ENCR_
    ..\netbackup\bin\admincmd\nbkmsutil -createkg -kgname ENCR_keygroup_name
  8. Create a key record by using the -createkey option.
    ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"

    NOTE: The -desc switch and message are optional; they can help you identify this key when you display the key. The -activate option skips the pre-live state and creates this key as active, and is also optional.

  9. Provide the passphrase again when the script prompts you. In the following example, the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
    ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"
  10. You can create another key record using the same command; a different key name and description helps you distinguish the key records:
    ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"

    NOTE:If you create more than one key record by using the command nbkmsutil -kgname volumepoolname -activate, only the last key remains active.

  11. To list all of the keys that belong to a key group name, use the following command:
    ..\netbackup\bin\admincmd\nbkmsutil -listkeys -kgname keyname

    NOTE: Symantec strongly recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.

  12. To run an encrypted tape backup, you must have a policy that is configured to draw from a volume pool with the same name as your key group. For example, if the key group name is "ENCR_backup", the volume pool name in NetBackup must also be "ENCR_backup".
  13. When NetBackup runs a tape-encrypted backup, and you view the Images on Media report, you see the encryption key tag that is registered with the record. This key tag is your indication that what was written to tape was encrypted. The encryption key tag uniquely identifies which key was used to encrypt the data.