Forum Discussion

a_la_carte's avatar
Level 5
9 years ago

NetBackup KMS in NetBackup Clustered Environment

Hello Folks,

Looking out for answers to few queries here so that we can proceed with this encryption solution in our NetBackup environment.


My NBU environment is as below: 
NBU in cluster: Both Nodes Windows 2008 R2 Enterprise x-64-bit 
NBU version :, upgrading to 7.7 in next 1 month 
Media Servers: 2, Solaris 11, LDOMs 
Tape Library: Oracle SL150 - 10 LTO-6 tape drives, SSO enabled 


Customer is looking forward to put encryption on the tapes. 
We are suggesting them to use KMS encryption, instead of client encryption at policy level or MSEO @ media server level. 

1) Since both MSEO and Client-level encryption requires processing and hence put additional overload on media servers and clients respectively, hence we are planning for KMS, which doesn't involve any additional processing and hence no overloading of clients or media-servers. Are we correct in our thinking here ? Please clarify.


2) As KMS doesn't require any additional license, so it would be quickly enabled at NBU end without additional cost. Is this correct ? 


3) The tape drives are LTO-6 of latest generation, hence they support KMS-NBU encryption at tape/tape-drive level. Is this correct ? 


4) Since our NBU environment is clustered with Active & Passive master-server nodes, how would you think that initial KMS configuration (like creating key DB, HMK, KPK, key-group, active key record etc. ) would be handled? Do we need to do this initial configuration on both the nodes separately and alike? How would NBU-encryption behave when entire NBU master Server gets failed over from one master-server node to another during fail-over ?


5) What are the drawbacks of configuring KMS in NBU Clustered Environment and what challenges are associated with the same ? 


6) How KMS is going to affect the overall backup completion timing for a particular backup, given that Client-based and media server based encryption both are CPU-intensive operations, and KMS is just pool based ? Will KMS-encryption really affect the backup-completion timing ?


We would like answers to above questions point-wise and will post more as they strike our mind. 

Thanks for your time and kind assistance.



  • Hi,


    1. Correct
    2. Check with your local Veritas SE / Account manager regarding licensing.
    3. Check with your hardware vendor. Most drives can perform encryption but I believe you'll need a license to unlock the feature.
    4. Follow the instructions in the NetBack security and encryption guide. Section "About installing KMS with HA clustering"
    5. Nothing, its going to be clustered along with your Master Server services
    6. It will not affect it. Encryprion is performed at HW layer.

12 Replies