Forum Discussion

Didi7's avatar
Didi7
Level 4
2 years ago

Import KMS-files to a new NetBackup Master Server with already imported old catalog (NetBackup 8.2)

Hello, I need to restore virtual machines located on tape media that was encrypted with KMS. We have the following files available ...

db\KMS_DATA.dat

key\KMS_HMKF.dat

key\KMS_KPKF.dat

Is it true, that those files just need to be copied to the right place (the question is where is this place on a NetBackup server running on a Windows Server system?) and the 'NetBackup Key Management Service' needs to be started or are there other things to be considered?

Thanks in advance for any reply.

 

  • Hi Didi7 

    Guidance can be found in Veritas NetBackup™ Security and Encryption Guide

    About recovering KMS by restoring all data files

    If you have made backup copies of the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files, it is just a matter of restoring these three files. Then startup the nbkms service and the KMS system will be up and running again.

    https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v21635120-127424841

    On Windows the location is : 

    \Program Files\Veritas\kms\db\KMS_DATA.dat
    \Program Files\Veritas\kms\key\KMS_HMKF.dat
    \Program Files\Veritas\kms\key\KMS_KPKF.dat

  • Hi Didi7 

    Guidance can be found in Veritas NetBackup™ Security and Encryption Guide

    About recovering KMS by restoring all data files

    If you have made backup copies of the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files, it is just a matter of restoring these three files. Then startup the nbkms service and the KMS system will be up and running again.

    https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v21635120-127424841

    On Windows the location is : 

    \Program Files\Veritas\kms\db\KMS_DATA.dat
    \Program Files\Veritas\kms\key\KMS_HMKF.dat
    \Program Files\Veritas\kms\key\KMS_KPKF.dat

  • Hi Nicolai,

    it really was as simple as that. Restores from encrpyted media is possible now. I read about it in another thread but nothing was mentioned about the path for the KMS files within a Windows Server environment.

    Thank you for your prompt answer.

     

    • Nicolai's avatar
      Nicolai
      Moderator

      Hi Didi7 

      Glad I could help.

      Word of advice. Pls make sure you protect (backup) the KMS files or the pass phrases KMS keys were generated by on a medium NOT encrypted by KMS. Else you truly have a catch 22

      • Didi7's avatar
        Didi7
        Level 4

        Hello Nicolai,

        KMS files, passphrases and the likes are safely protected on different systems and several times on tape media and even on USB sticks in a professional safe.

        I assume KMS files don't change, as long as you do not change any passphrases?

        The above mentioned server is just for restore purposes.

        In the meantime I could successfully restore 3 VMs from 3 different encrypted tapes.

        Regards