Forum Discussion

rookie11
Moderator
8 days ago

Netbackup KMS

Hi guys,

Kindly educate me. At one of our remote sites our NBU server was short-circuited. The rebuild was done after 6 months and handed over to the backup guys on Friday (27 Sept). We need to install NBU on it; it had tape backups with KMS encryption (I had documentation available).

In 2019, NBU 8.1 was installed on Windows OS (hardware) + HP tape TL, and KMS was configured (this encryption feature is free). Then in 2020 we upgraded NBU to 8.3.1. Cut to 27 Sept 2024: I have to reinstall NBU, rebuild KMS and try to restore finance data. What NBU version should be installed, 8.1 or 8.3.1? Kindly educate me. [I cannot go to NetBackup support]

  • The Catalog backup does not include the KMS database.

    As per the Security and Encryption Guide, to recover KMS you need to have exported the KMS DB and then backed up the files / copied them somewhere safe. This is a Technote on the subject:

    https://www.veritas.com/support/en_US/article.100053622

    Alternatively, if you have the nbkmsutil -listkeys output, this displays all the kg names, the key tag and, if applicable at 8.1 / 8.3, the salt value. The keys can then be rebuilt if the key passphrase is known (-recoverkey option).

    If there is no backup of the KMS DB or the key details are not known, it is impossible to recover - Veritas have no backdoor available (that would kinda defeat the point of encryption).

    To recover everything else from the catalog you have to reinstall at the same version that the catalog was taken from, so if you were at 8.3.1, you can only recover the catalog back to 8.3.1.

    I see you explain that you had documentation available, so it may be that you do have the required details re. KMS.

    However, I have assumed you are using NetBackup for KMS; you might not be. Is it the case that the tape library is handling the encryption keys, so library-based encryption? This should be much easier, I think, as it should just 'work', providing the tapes are in the same library.

    Just to avoid confusion:

    Tape drives have the ability to do hardware encryption, I'm guessing you have LTOx as these are by far the most common.

    There are two choices for KMS:

    • NetBackup handles the keys
    • The tape library handles the keys

    From the tape drive side of things it is the same: it gets a key to encrypt/decrypt; the only difference is who is supplying the key.

    Actually, there might be a 3rd option, eKMS (external KMS), where the keys are managed by some 3rd-party application. Certainly this is an option for MSDP to create an encrypted disk pool, but I've never seen it used with tape, hence why I'm not sure. StefanosM / davidmonline, do you know, out of interest?
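As an added example (not code from this thread, from Veritas, or from the poster's server), the shell script below turns a saved nbkmsutil -listkeys listing, the kind of record the reply above says to keep, into the nbkmsutil -createkg and nbkmsutil -recoverkey commands needed to rebuild the key groups and keys on a freshly installed master server. The listing layout is assumed to follow the NetBackup 8.x output shape, and the key group, key names, key tags and salts are constructed for illustration. The key passphrase never appears in a listing; each -recoverkey command prompts for it (and for the salt, where one was listed) when run by hand.

```shell
#!/bin/sh
# Constructed sample of a saved `nbkmsutil -listkeys` listing. The layout is an
# assumption modelled on NetBackup 8.x output; tags and salts are made-up hex.
# The second key deliberately has no Salt line, to show how a key recorded
# without a salt is handled.
LISTKEYS_SAMPLE='Key Group Name        : FIN_TAPES
Supported Cipher      : AES_256
Number of Keys        : 2
Has Active Key        : Yes
Description           : finance LTO backups

  Key Tag               : 3f9a2c7e1b4d5a6f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b0a1f
  Key Name              : fin_2019
  Current State         : Inactive
  Description           : -
  Salt                  : 9c1e2d3f4a5b6c7d

  Key Tag               : 7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c
  Key Name              : fin_2020
  Current State         : Active
  Description           : -
'

# Read a -listkeys listing on stdin and print, on stdout, the nbkmsutil commands
# that recreate each key group (same name and cipher, which -recoverkey needs to
# exist first) and then recover each key by its tag. Nothing is executed here;
# the printed commands are reviewed and run on the rebuilt server, and each
# -recoverkey prompts interactively for the passphrase (and salt, if listed).
recoverkey_commands() {
  awk '
    BEGIN { FS = " *: *" }          # split "Label   : value" into $1 / $2
    function flush() {
      if (tag != "") {
        line = "nbkmsutil -recoverkey -kgname " kg " -keyname " name " -tag " tag
        if (salt != "") line = line "   # enter salt " salt " when prompted"
        else            line = line "   # no salt listed: passphrase only"
        print line
        tag = ""; name = ""; salt = ""
      }
    }
    /^Key Group Name/   { flush(); kg = $2 }
    /^Supported Cipher/ { print "nbkmsutil -createkg -kgname " kg " -cipher " $2 }
    /^[ \t]+Key Tag/    { flush(); tag = $2 }   # indented lines belong to a key
    /^[ \t]+Key Name/   { name = $2 }
    /^[ \t]+Salt/       { salt = $2 }
    END                 { flush() }
  '
}

# Stand-alone usage: print the rebuild commands for the sample listing. On a real
# rebuild the new KMS database is created first (nbkms -createemptydb), then the
# -createkg lines are run, then each -recoverkey line with the passphrase typed in.
printf '%s' "$LISTKEYS_SAMPLE" | recoverkey_commands
```

The script only generates commands; keep it that way, since the passphrase must not end up in a shell history or a script file. If the -listkeys output was saved from a version that prints extra fields, the unused lines are ignored, but check the Key Tag, Key Name and Salt labels against the saved file before trusting the output.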




    •
      StefanosM
      Level 6

      From my experience:
      HP libraries use an internal KMS and keep the key on a USB stick. (You have to buy the license and a pair of USB keys.)
      IBM libraries use an external IBM KMS server to handle the keys.
      Dell has rebranded IBM libraries, so they do the same.

      And I remember that there is an option to enable the backup of KMS with the NetBackup catalog, but I cannot find this info now.

  • It is unclear to me if he has a catalog backup to restore and if the catalog backup is configured to include the KMS database.

  • If the server was a simple media server, then do as StefanosM suggests. If it was the master server (i.e. a standalone domain), then you may want to rebuild using the same version (8.1) and look to recover the catalog.

  • Go for version 8.3.1. 
    I hope you have all the necessary information to rebuild the KMS.