8.2.1) Introduction
-------------------
There are three methods of encryption for NetBackup:
1) Client side
(but uses CPU, very bad for de-dupe, difficult to manage)
(if key is lost, can be regenerated from passphrase)
2) KMS
(no additional CPU usage)
o NetBackup KMS using passphrases
(if keys are lost, can be regenerated from passphrases)
o NetBackup KMS using system generated keys
(if keys are lost, data is lost)
o External KMS (either HP or IBM) (only matches certain drives)
(if keys are lost, data is lost)
3) NetBackup MSEO
(but uses LOTS of CPU) (is this now a deprecated feature?)
(if keys are lost, data is lost)
8.2.2) NetBackup KMS Warning
----------------------------
The steps below are per NetBackup domain, i.e. this is not per media server, not per library, and independent of drive hardware vendor.
KMS for HP LTO drives is different to KMS for IBM LTO drives. NetBackup KMS works with both drive manufacturers.
You will need to think of three strong pass phrases, which the encryption algorithms will convert into keys.
N.B. If you lose the keys, then access to data is lost...
...N.B. the keys are NOT saved as part of the catalog backup...
...but they can be re-created from the original pass phrases...
If you forget the pass-phrases then you will never be able to regenerate the keys.
Catalog backups to tape (when using NetBackup KMS) are normally unencrypted, because they are usually written to a volume pool named "Catalog_Backup" (which does not begin with "ENCR_"). Catalog backup media can therefore be stored with the encrypted backup media, because the catalog backups only contain system and backup meta-data, and not actual business data.
A quick note about recording the key-names AND pass-phrases.
N.B. the key-name and the key itself are inseparable. i.e. to restore encrypted data it is obvious that the key (and thus the pass-phrase) must be known, but it is not so obvious that the key-name must also match exactly (note: match exactly, so spelling, casing, and any hyphens or underscores must all match).
Consider this... LTO media are rated (in perfect storage conditions) to last for 20 years. Ask yourself, will your record of key-names and pass-phrases still exist in 20 years' time? I recommend not printing them using ink-jet or laser printers, nor writing them down using a standard/cheap pen or biro - because all of these materials just won't last that long - the ink will fade, or in the case of laser printed text, after a few years the carbon mix will simply fall off the paper that it is printed on. You need to think about the ink that lawyers, solicitors and registrars use - i.e. a high quality permanent ink that lasts for a lifetime (75 years plus).
Also consider this... Your record of key-names and pass-phrases may need to last for 20 years after the last backup is saved. For example, you may install a NetBackup environment that lasts 10 to 15 years. So, your record of key-names and pass-phrases may need to last for at least 30 to 35 years - perhaps even longer. Obviously don't save the key-names and pass-phrases on digital media, as they simply won't last either. Scary huh!?
8.2.3) Before Configuring
-------------------------
Tape media encryption is based around volume pools. Volume pool names are sometimes loosely associated with retention, e.g. you may have a weekly backup media pool with a retention of one month, and maybe a monthly backup volume pool with a retention of one year or longer. If you want to encrypt backups being written to a volume pool, then an encryption key group with a key-group-name exactly matching the volume pool name must be configured. However, to get NetBackup to write encrypted tape media, the volume pool name must begin with the five characters "ENCR_". Thus, all encryption key-group-names must also begin with the same five characters "ENCR_".
If, for example, you are currently saving all monthly full backups to an un-encrypted media pool named "Monthly_7Years", then to encrypt these monthly full backups you will need to do three things:
1) create an encryption key-group named: ENCR_Monthly_7Years
2) create a new volume pool named: ENCR_Monthly_7Years
3) change backup/SLP policies to use the new volume pool.
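As an added check (an example script, not part of the original notes), the following POSIX sh function tests the exact-match rule described above: for every volume pool whose name begins with "ENCR_" it looks for a key group with exactly the same name, and it separately reports key groups that differ only in case or in hyphen versus underscore, which are precisely the mismatches the notes warn about. The pool and key-group lists embedded below are constructed sample input, not real command output; on a live master you would extract the names from "vmpool -list_all -bx" and "nbkmsutil -listkgs" (the commands used in 8.2.4) and pass them in one per line.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that every ENCR_ volume
# pool has a key group whose name matches it EXACTLY (case, hyphens and
# underscores included), as section 8.2.3 requires.
# Names are assumed to contain no whitespace (one name per line).

# Lower-case a name and fold '-' to '_' so near misses can be reported.
fold_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '-' '_'
}

# check_encr_pools <pool_names> <keygroup_names>
# Prints one line per problem:
#   MISSING  <pool>             no key group resembles this pool name
#   NEARMISS <pool> <keygroup>  a key group differs only in case/hyphen
# Returns 0 when every ENCR_ pool has an exact key-group match, 1 otherwise.
check_encr_pools() {
    pools="$1"
    kgs="$2"
    status=0
    for pool in $pools; do
        case "$pool" in
            ENCR_*) ;;
            *) continue ;;   # pools not named ENCR_* are written unencrypted
        esac
        exact=""
        near=""
        for kg in $kgs; do
            if [ "$kg" = "$pool" ]; then
                exact="$kg"
            elif [ "$(fold_name "$kg")" = "$(fold_name "$pool")" ]; then
                near="$kg"
            fi
        done
        if [ -n "$exact" ]; then
            continue
        elif [ -n "$near" ]; then
            # Not an exact match, so NetBackup will not treat it as this pool's key group.
            echo "NEARMISS $pool $near"
            status=1
        else
            echo "MISSING $pool"
            status=1
        fi
    done
    return $status
}

# Constructed sample input for this example (not real vmpool/nbkmsutil output).
SAMPLE_POOLS="NetBackup
DataStore
Catalog_Backup
ENCR_Monthly_7Years
ENCR_Weekly-1Month
ENCR_data"
SAMPLE_KGS="ENCR_Monthly_7Years
ENCR_Weekly_1Month
ENCR_Data"

# Reports two near misses for the sample above and exits non-zero.
check_encr_pools "$SAMPLE_POOLS" "$SAMPLE_KGS"
```

Run stand-alone, the script prints "NEARMISS ENCR_Weekly-1Month ENCR_Weekly_1Month" and "NEARMISS ENCR_data ENCR_Data" for the sample data and exits with status 1; a clean configuration prints nothing and exits 0, which makes it easy to drop into a pre-change check before pointing a policy at a new ENCR_ pool.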
8.2.4) Configuring NetBackup KMS on Appliance Master or Master/Media
--------------------------------------------------------------------
FYI - NetBackup KMS is not supported on any appliance master, or appliance master/media, before v2.6.0.1.
Q) How would this be possible on v7.6.0.2, with no CLIsh root access?
support / maintenance / elevate
# ...create the key database...
nbkms -info
nbkms -createemptydb
# ...prompts for an HMK pass phrase and an HMK ID (e.g. my-hmk-id)...
# ...then a KPK pass phrase and a KPK ID (e.g. my-kpk-id)...
nbkms -info
nbkmsutil -gethmkid
nbkmsutil -getkpkid
ls -lash /usr/openv/kms/db
ls -lash /usr/openv/kms/key
# ...has the NetBackup KMS daemon started...
ps -ef | grep -i nbkms
# ...if not then start it with...
Use NetBackup Java Admin Console, connect to master, then browse to Activity Monitor, and Daemons tab...
...and start the 'nbkms' daemon.
# ...create the key group - N.B. the keygroup name MUST begin with the five character string of 'ENCR_'
nbkmsutil -listkgs
nbkmsutil -createkg -kgname ENCR_data
nbkmsutil -listkgs
# ...create the key:
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -createkey -keyname my-key -kgname ENCR_data
...will prompt for a pass phrase...
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -modifykey -keyname my-key -kgname ENCR_data -activate
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -ksstats
# ...create a volume pool with a name exactly matching the key group name:
vmpool -list_all -bx
vmpool -create -pn ENCR_data -description "KMS encryption"
vmpool -list_all -bx
# ...in use...
# Configure backup/SLP policy to use the new volume pool (i.e. it must begin with ENCR_).
# Do not enable "encryption" on policy - as this is for client side encryption.
# Run a test backup.
# Confirm encryption, using images on media report.
# below are the minimum steps to backup the NetBackup KMS key database:
# ...ideally amend this to copy off-host and off-site...
# ...when NetBackup KMS passphrases based keys are used...
# ...then this only needs to be run when keys are added, changed, amended...
# ...and does not need to be run after each backup session.
nbkmsutil -ksstats
nbkmsutil -quiescedb
nbkmsutil -ksstats
cp /usr/openv/kms/db/KMS_DATA.dat /tmp
cp /usr/openv/kms/key/KMS_HMKF.dat /tmp
cp /usr/openv/kms/key/KMS_KPKF.dat /tmp
nbkmsutil -ksstats
nbkmsutil -unquiescedb
nbkmsutil -ksstats
exit / exit / return
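A safer version of the quiesce/copy/unquiesce sequence above, added here as an example script and not taken from the original notes or from Veritas: it unquiesces the key database even when a copy fails (otherwise KMS is left quiesced), verifies each copied file with cksum, and restricts the copies to root. The destination directory, the cksum verification and the NBKMSUTIL variable (which exists only so the command can be substituted when exercising the script) are this example's own assumptions; the three file paths under /usr/openv/kms are the ones listed in the steps above. Copying the verified files off-host and off-site remains the reader's step, as the notes say.

```shell
#!/bin/sh
# Added example (not from the original notes): back up the NetBackup KMS key
# database using the quiesce / copy / unquiesce sequence from section 8.2.4,
# but guaranteed to unquiesce even if a copy fails, and verifying each copy.
# Assumptions not on the page: the destination directory, cksum verification,
# and the NBKMSUTIL override (defaults to the real nbkmsutil command).
NBKMSUTIL="${NBKMSUTIL:-nbkmsutil}"

# The three files that make up the key store, relative to the KMS root
# (paths as listed in the notes: /usr/openv/kms/db and /usr/openv/kms/key).
KMS_FILES="db/KMS_DATA.dat key/KMS_HMKF.dat key/KMS_KPKF.dat"

# backup_kms_db <kms_root> <dest_dir>
# Returns 0 if all three files were copied and verified, 1 otherwise.
backup_kms_db() {
    kms_root="$1"
    dest="$2"
    rc=0
    mkdir -p "$dest" || return 1
    # Quiesce so the files are consistent while they are copied.
    "$NBKMSUTIL" -quiescedb || return 1
    for f in $KMS_FILES; do
        name=$(basename "$f")
        if cp "$kms_root/$f" "$dest/$name"; then
            # Compare CRC and byte count of source and copy (cksum on stdin
            # prints "crc size", so no file name to strip).
            src_sum=$(cksum < "$kms_root/$f" | cut -d' ' -f1,2)
            dst_sum=$(cksum < "$dest/$name" | cut -d' ' -f1,2)
            if [ "$src_sum" != "$dst_sum" ]; then
                echo "verify failed: $f" >&2
                rc=1
            fi
        else
            echo "copy failed: $f" >&2
            rc=1
        fi
    done
    # Always unquiesce, even when a copy failed, otherwise KMS stays quiesced.
    "$NBKMSUTIL" -unquiescedb || rc=1
    # The copies are as sensitive as the live key store: root-only.
    chmod 600 "$dest"/KMS_*.dat 2>/dev/null
    return $rc
}

# Usage on the appliance after 'elevate':
#   sh kms_backup.sh /usr/openv/kms /tmp/kms-backup
# With no arguments the script only defines the function.
if [ $# -ge 2 ]; then
    backup_kms_db "$1" "$2"
fi
```

The script deliberately does not print -ksstats before and after each step as the manual sequence does; the return code and the stderr messages carry the same information for an unattended run, and the copy can then be pushed off-host by whatever mechanism the site uses.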
8.2.5) Configuring NetBackup KMS on Windows
-------------------------------------------
(...whilst these steps aren't relevant to an appliance, they are included here purely for reference...)
# ...create the key database...
nbkms -info
nbkms -createemptydb
# ...prompts for an HMK pass phrase and an HMK ID (e.g. my-hmk-id)...
# ...then a KPK pass phrase and a KPK ID (e.g. my-kpk-id)...
nbkms -info
nbkmsutil -gethmkid
nbkmsutil -getkpkid
dir "D:\Program Files\Veritas\kms\db\"
dir "D:\Program Files\Veritas\kms\key\"
# ...ensure service starts with NetBackup...
services.msc
# ...and change "NetBackup Key Management Service" to automatic and start it, then check it is running with...
net start | find /i "NetBackup"
# ...create the key group - N.B. the keygroup name MUST begin with the five character string of 'ENCR_'
nbkmsutil -listkgs
nbkmsutil -createkg -kgname ENCR_data
nbkmsutil -listkgs
# ...create the key:
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -createkey -keyname my-key -kgname ENCR_data
...will prompt for a pass phrase...
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -modifykey -keyname my-key -kgname ENCR_data -activate
nbkmsutil -listkeys -kgname ENCR_data
nbkmsutil -ksstats
# ...create a volume pool with a name exactly matching the key group name:
vmpool -list_all -bx
vmpool -create -pn ENCR_data -description "KMS encryption"
vmpool -list_all -bx
# ...in use...
# Configure backup/SLP policy to use the new volume pool (i.e. it must begin with ENCR_).
# Do not enable "encryption" on policy - as this is for client side encryption.
# Run a test backup.
# Confirm encryption, using images on media report.
# below is a simple script to backup the NetBackup KMS key database:
# ...ideally amend this to copy off-host and off-site...
# ...when NetBackup KMS passphrases based keys are used...
# ...then this only needs to be run when keys are added, changed, amended...
# ...and does not need to be run after each backup session.
@echo on
setlocal enabledelayedexpansion
rem Ensure the backup folder exists before quiescing the key store.
if not exist "D:\NBU-KMS-BACKUP" mkdir "D:\NBU-KMS-BACKUP"
rem Quiesce so the three files are consistent while they are copied.
nbkmsutil -quiescedb
copy "C:\Program Files\Veritas\kms\db\KMS_DATA.dat" "D:\NBU-KMS-BACKUP\KMS_DATA.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_HMKF.dat" "D:\NBU-KMS-BACKUP\KMS_HMKF.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_KPKF.dat" "D:\NBU-KMS-BACKUP\KMS_KPKF.dat"
rem Always unquiesce, whether or not the copies succeeded.
nbkmsutil -unquiescedb
pause
exit /b
# to restore...
copy "D:\NBU-KMS-RESTORE\KMS_DATA.dat" "C:\Program Files\Veritas\kms\db\KMS_DATA.dat"
copy "D:\NBU-KMS-RESTORE\KMS_HMKF.dat" "C:\Program Files\Veritas\kms\key\KMS_HMKF.dat"
copy "D:\NBU-KMS-RESTORE\KMS_KPKF.dat" "C:\Program Files\Veritas\kms\key\KMS_KPKF.dat"