Forum Discussion

rookie11
Moderator
10 years ago

Netbackup KMS on new master

Hello All, master NBU 7.5.0.6, Win 2003 OS, 4 NBU appliances 5220, all at same version 2.5, KMS currently enabled on master server as per technote http://www.symantec.com/business/support/index?p...
  • mph999
    10 years ago

    Adding to the excellent answers so far - I put together a short 'how to' doc for some colleagues. Some of it is copy/paste from the manuals, so really it is a summary with a simple example of how to set up.

    The golden rule for encryption:

    "Encryption is Easy, it's the Key management that gets you every time ..."

    In other words, lose your keys and you're stuffed ... I've seen 100% of backups in an environment unrecoverable due to lost keys - and no, Symantec doesn't have a 'back door' to get them back - for that reason with KMS, use the passphrase method of generating the keys, and keep the passphrase(s) safe (like in a safe) so the keys can be recreated. You can also back the keys up, but don't do this to encrypted media for obvious reasons (yep, I've seen that too ...).

    KMS

    The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes. (KMS will also work with Advanced Disk and Cloud backups.)

    KMS works with encryption capable tape drives. KMS is integrated into NetBackup in such a way so as to eliminate difficulties in using NetBackup from a system management perspective. KMS provides encryption key management for tape drives with built-in encryption capabilities. These tape drives adhere to the SCSI standard. A SCSI command enables encryption on the tape drive. NetBackup accesses this capability through the volume pool name.

    BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted. BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool. KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag). BPTM places the drive in encryption mode and registers the key tag and identifier tag with the drive. This process is all done with the SCSI security protocol in or out command that has been added to the SCSI specification. The backup then proceeds as normal. When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode. BPTM then records the tag in the NetBackup image record catalog.

    Setting up KMS

    nbkms -createemptydb

    Enter a Host Master Key passphrase (hmk_pass_phrase)

    The host master key contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. The host master key is located at /opt/openv/kms/key/KMS_HMKF.dat.

    Enter an ID (HMK_key)

    Enter a Key Protection Key passphrase (KPK_pass_phrase)

    A key protection key is an encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is kms/key/KMS_KPKF.dat. Currently the same key protection key is used to encrypt all of the records.

    Enter a KPK ID (KPK_Key)

    Operation successfully completed

    Start the KMS service by running nbkms

    Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have the prefix ENCR_.

    nbkmsutil -createkg -kgname ENCR_kms_pool

    The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.

    Create a key record by using the -createkey option.

    nbkmsutil -createkey -kgname ENCR_kms_pool -keyname tech_talk_demo_key -activate -desc "Keys for KMS Techtalk"

    The key name and message are optional; they can help you identify this key when you display the key.

    Enter a pass phrase (tech_talk_demo_key_pass_phrase)

    List Keys in the KeyGroup

    nbkmsutil -listkeys -kgname ENCR_kms_pool

    Symantec recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.

     

    Recover KMS by restoring all Data files

    If you have made backup copies of the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files, it is just a matter of restoring these three files. Then start up the nbkms service and the KMS system will be up and running again.

    nbkmsutil -quiescedb  - Required before copying KMS DB files
    nbkmsutil -unquiescedb

    Recovering KMS by restoring only the KMS data file

    You can restore the backed up copy of the KMS data file kms/db/KMS_DATA.dat by regenerating the KMS_HMKF.dat and KMS_KPKF.dat files with passphrases. So, if you have written down passphrases for the host master key and key protection key, you can run a command to regenerate those files. The system will prompt you for the passphrase and if the passphrase you now enter matches the passphrase originally entered, you will be able to reset the files.

    To recover KMS by restoring only the KMS data file:

    1. Run the nbkms -resethmk command.
    2. Run the nbkms -resetkpk command.
    3. Start up the nbkms service.

    Recovering KMS by regenerating the data encryption key

    You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records.

    nbkms -createemptydb
    (Start KMS)
    nbkmsutil -createkg -kgname ENCR_kms_pool  << Extra step not in manual
    nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 68ff5c10ce662d8bfd60159fb0e2fc8def26f42588190615b43c3821bb55259c   (kmsttphrase)
    nbkmsutil -modifykey -kgname ENCR_kms_pool -keyname tech_talk_demo_key -state active

     

    KMS Files

    Key file or key database
    Contains the data encryption keys. The key file is located at /opt/openv/kms/db/KMS_DATA.dat.

    Host master key
    Contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. The host master key is located at /opt/openv/kms/key/KMS_HMKF.dat.

    Key protection key
    Encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is located at /opt/openv/kms/key/KMS_KPKF.dat. Currently the same key protection key is used to encrypt all of the records.

    Back up KMS files

    If you want to back up the KMS files, the best practices should be followed. Put the KMS database file on one tape and the HMK files and KPK files on another tape. To gain access to encrypted tapes, someone would then need to obtain both tapes.

    Another alternative is to back up the KMS data files outside of the normal NetBackup process. You can copy these files to a separate CD, DVD, or USB drive.

    DO NOT BACK THE FILES UP ON KMS ENCRYPTED TAPES

    You can also rely on passphrase generated encryption keys to manually rebuild KMS. All of the keys can be generated by passphrases. If you have recorded all of the encryption key passphrases you can manually recreate KMS from information you have written down. If you only have a few encryption keys to generate, this process could be short.

     

    Key records:

    Key records contain many fields but the primary records are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata.

    These key records are defined as follows:

    Encryption key
    This key is given to the tape drive.

    Encryption key tag
    This tag is the identifier for the encryption key.

    Record state
    Each of the key records has a state. The states are prelive, active, inactive, deprecated, and terminated.

    Metadata
    Metadata includes logical name, creation date, modification date, and description.

    Key groups

    Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one active state key record at any time. NetBackup 7.5 supports 100 key groups. NetBackup 7.0 supported 20 key groups and NetBackup 6.5.2 supported two key groups. Only 10 encryption keys are allowed per key group.

    Tape Drive Considerations:

    To provide support for the T10 / SCSI standard tape drives with embedded (LTO4 and equivalent) encryption.

     

    How is an encrypted tape written?

    BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted.

    BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool. KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag).

    BPTM places the drive in encryption mode and registers the key tag and identifier tag with the drive. This process is all done with the SCSI security protocol in or out command that has been added to the SCSI specification.

    The backup then proceeds as normal. When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode.

    BPTM then records the tag in the NetBackup image record catalog.

    Reading an encrypted tape

    When a tape is read and an area of the tape is encountered where an image is encrypted, BPTM determines what tag is used and KMS loads that record and key into BPTM. Then BPTM provides the key to the drive and reading the tape proceeds as normal.

     

    Commands:

    Modify / Delete Key:
    nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state active
    nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state inactive
    nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state deprecated
    nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state terminated
    nbkmsutil -deletekey -keyname tech_talk_demo -kgname ENCR_kms_pool

    List Keys:
    nbkmsutil -listkeys -kgname ENCR_kms_pool

    Show HMK / KPK IDs:
    nbkmsutil -gethmkid
    nbkmsutil -getkpkid

    Key store statistics:
    nbkmsutil -ksstats

    Recover a Deleted Key:
    nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 91dd7d476aa2e328c6ba6df5cde68dd09536d25ed5dbbcfe28c57f63480bc461

    Create key:
    nbkmsutil -createkey -keyname <keyname> -kgname <kg name> -activate

    Recover KMS by regenerating the data encryption key:

    You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records. (Must NOT use auto-generated pass phrases for this.)

    nbkms -createemptydb
    nbkmsutil -createkg -kgname ENCR_kms_pool  << Extra step not in manual
    nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 91dd7d476aa2e328c6ba6df5cde68dd09536d25ed5dbbcfe28c57f63480bc461   (kmsttphrase)
    nbkmsutil -modifykey -kgname ENCR_kms_pool -keyname tech_talk_demo_key -state active

    KMS Logging

    OID 286
    bptm log
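
As an added example (not part of mph999's doc and not NetBackup's own code), a small Python check that parses text in the shape of nbkmsutil -listkeys output, applies the key-group rules from the post (ENCR_ prefix, exactly one active key per group, 64-hex-digit tags) and emits the rebuild sequence the post gives (createemptydb, createkg, recoverkey, modifykey). The field names in the sample are an assumption about nbkmsutil's output layout; the two tags are the ones quoted in the post.

```python
import re
# Constructed sample shaped like `nbkmsutil -listkeys` output (field names are an
# assumption; the two tags are the ones quoted in the post above).
SAMPLE_LISTKEYS = """\
Key Group Name        : ENCR_kms_pool
  Key Tag             : 68ff5c10ce662d8bfd60159fb0e2fc8def26f42588190615b43c3821bb55259c
  Key Name            : tech_talk_demo_key
  Current State       : Active
  Key Tag             : 91dd7d476aa2e328c6ba6df5cde68dd09536d25ed5dbbcfe28c57f63480bc461
  Key Name            : old_demo_key
  Current State       : Inactive
"""
TAG_RE = re.compile(r"^[0-9a-f]{64}$")  # key tags are 64 hex digits

def parse_listkeys(text):
    """Return {group: [{'tag', 'name', 'state'}, ...]}; a Key Tag line opens a record."""
    groups, group, rec = {}, None, None
    for line in text.splitlines():
        field, _, value = (s.strip() for s in line.partition(":"))
        if field == "Key Group Name":
            group, rec = value, None
            groups.setdefault(group, [])
        elif field == "Key Tag":
            rec = {"tag": value}
            groups[group].append(rec)
        elif rec is not None and field == "Key Name":
            rec["name"] = value
        elif rec is not None and field == "Current State":
            rec["state"] = value.lower()
    return groups
def check_groups(groups):
    """Rules from the post: ENCR_ prefix, exactly one active key per group, well-formed tags."""
    problems = []
    for name, keys in groups.items():
        if not name.startswith("ENCR_"):
            problems.append(f"{name}: missing ENCR_ prefix")
        active = sum(1 for k in keys if k.get("state") == "active")
        if active != 1:
            problems.append(f"{name}: {active} active keys, expected exactly 1")
        problems += [f"{name}/{k.get('name')}: malformed tag" for k in keys if not TAG_RE.match(k["tag"])]
    return problems
def rebuild_commands(groups):
    """Repopulate an empty KMS DB; each -recoverkey prompts for the key's original passphrase."""
    cmds = ["nbkms -createemptydb"]
    for name, keys in groups.items():
        cmds.append(f"nbkmsutil -createkg -kgname {name}")  # the 'extra step not in manual'
        cmds += [f"nbkmsutil -recoverkey -keyname {k['name']} -kgname {name} -tag {k['tag']}" for k in keys]
        cmds += [f"nbkmsutil -modifykey -kgname {name} -keyname {k['name']} -state active"
                 for k in keys if k.get("state") == "active"]
    return cmds
```

Run check_groups on the saved listkeys record before a rebuild; the commands it produces only work for keys that were created with a passphrase you still have.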

  • nesel
    10 years ago

    Old Master server
        shutdown NBU services
        backup/copy KMS directory (usually contains "db" and "key" directories)

    New Master server
        Verify NBU Master server software is installed
        Paste your KMS backup/copy into the directory path
        On Services, start "NetBackup Key Management Service"

    Hope this answers your query, rookie11

    Thanks,