I hope this helps others, I just spent the last 2 weeks searching around trying to find this answer. Here are steps to verify KMS encryption on tapes with NetBackup 7.5; Find the jobs on a particular tape you think may be encrypted; /usr/openv/netbackup/bin/admincmd/bpimmedia -L -mediaid <media name> get the "Backup-ID" in the first column then run; /usr/openv/netbackup/bin/admincmd/bpimagelist -backupid <Backup-ID> -L | grep "Flags:" if tape is encrypted with KMS this will display; " Flags: 0x40 (Tape Encrypted)" and if tape is NOT encrypted this will display; " Flags: 0x0"

Hi Mike, I JUST learned there's a defect in bpimmedia which you might be hitting. This entry is in the 7.5.0.4 Release Notes (page 48): Etrack Incident: 2826378 ■ Description: A missing Key Management Server tag in the bpimmedia output has been added. NetBackup 7.5.0.4 Release Notes http://symantec.com/docs/DOC5514 Is there any chance you could apply 7.5.0.4? (If not, there may be an EEB available under Etrack 2793446 depending on which version you're at.) I believe your "0" will change to a real tag after that, which would make a little more sense, now that I think about it...

Many tape libraries also detect the encryption via the firmware and when you view the media in the tape library web GUI it also reports which tapes are encrypted Hope this also helps

Did none of the procedures listed in this TechNote work for you? How to verify KMS encrypted the backup http://www.symantec.com/docs/TECH127166 (Did you know this TechNote existed?) There's also this TechNote based on pages 324-325 from the Encryption Guide: Example of verifying an encryption backup http://www.symantec.com/docs/HOWTO46852 Symantec NetBackup 7.5 Security and Encryption Guide http://www.symantec.com/docs/DOC5185

Chris, This is what took me 2 weeks to wade through, and in the TechNote (TECH127166) you provided . OPTION 1 Was not great (Since I had the KeyGroup / Key / Pool and Policy all called ENCR_tmp), until I looked further down in the output from "bpimagelist" command and seen the light. OPTION 2 shows me "0" for the "Encryption Key Tag" in the GUI, this is what made it so difficult to track down. OPTION 3 I had also found a different TechNote that had a different suggestion of removing the Key and try the restore, but again the TechNote had notes saying output should look like this "blah..blah..blah.., and that is not what I see :-( and as far as HOWTO46852 again it points me to OPTION 2 above :-( and of course pages 324-325 from the Encryption Guide are the same as OPTION 2 above. Are you seeing why it took me 2 weeks to track this down.. to verify. Regards, Mike.

Mark, Thanks for the feedback.. as you say "Many tape libraries" detect encryption, mine does not fall into the Many catagory. Regards, Mike

Forum Discussion

MikeSB

Level 3

12 years ago

Verify KMS Encryption NetBackup 7.5

I hope this helps others, I just spent the last 2 weeks searching around trying to find this answer.

Here are steps to verify KMS encryption on tapes with NetBackup 7.5;
Find the jobs on a particular tape you think may be encrypted;
/usr/openv/netbackup/bin/admincmd/bpimmedia -L -mediaid <media name>
get the "Backup-ID" in the first column
then run;
/usr/openv/netbackup/bin/admincmd/bpimagelist -backupid <Backup-ID> -L | grep "Flags:"
if tape is encrypted with KMS this will display;
" Flags: 0x40 (Tape Encrypted)"
and if tape is NOT encrypted this will display;
" Flags: 0x0"

CRZ
12 years ago
Hi Mike,

I JUST learned there's a defect in bpimmedia which you might be hitting. This entry is in the 7.5.0.4 Release Notes (page 48):

Etrack Incident: 2826378
■ Description:
A missing Key Management Server tag in the bpimmedia output has been added.

NetBackup 7.5.0.4 Release Notes
http://symantec.com/docs/DOC5514

Is there any chance you could apply 7.5.0.4? (If not, there may be an EEB available under Etrack 2793446 depending on which version you're at.) I believe your "0" will change to a real tag after that, which would make a little more sense, now that I think about it...

15 Replies

MikeSB
Level 3
12 years ago
Chris,

It now works as advertised!!

Thanks for the feedback.

Regards,

Mike
CRZ
Level 6
12 years ago

I'm just sorry I couldn't tell you this two weeks ago!
RReyes76
12 years ago
Hello To all,

I got this same issue with the KMS and I applied the service maintenance 7.5.04 and I still have this issue related with the "0" result on the the Encription Key tag Gui, so in my case updating to this latest maintenance pack didn't work, I have already opened a ticket with Symantec support but so far no help was provided, what else can be done to resolve this issue?

in case that any screen shot needs to be uploading for more reference please let me know.

thanks in advance for any help you could provide
MikeSB
Level 3
12 years ago
RReyes76,

Did you test some of the other steps in the Tech Docs above, to verify you really are setup for encryption, first test is the commands I had listed in this original thread, should also work in Windows (except the grep command)

and the 2nd thing to test is outlined in the TechDoc Chris had first posted, it involved deactivating the KMS key (do not delete) and test a restore, if restore still works, then for some reason your KMS install is not fully setup.

Let me know if you need the Step by Step for the KMS setup.

Regards,

Mike.
CRZ
Level 6
12 years ago
Windows GUI may still be an issue even at 7.5.0.4. Tell your TSE you think you may need the EEB listed under Etrack 2962480 and send them your screen shot.

Forum Discussion

Verify KMS Encryption NetBackup 7.5

NetBackup 7.5.0.4 Release Notes
http://symantec.com/docs/DOC5514

15 Replies

Related Content

configure NetBackup Client Encryption Option

Encrypt Oracle RMAN Backup with NetBackup

Netbackup Appliance Encryption

Question on NetBackup and Hardware Tape Encryption

Key Management Service (KMS) encryption

Recent Discussions

command: bperror

MS-SharePoint policy restore error (2804) .

How to restore a backup

How to configure RBAC

10 years old netbackup appliance database service down, ssl certification out date