cancel
Showing results for 
Search instead for 
Did you mean: 

Backed file not showing in restore window/KMS passphrase issue

AnandhaKannan_D
Level 4

Base of my issue is for certain period(2017 to Jan 2018) not able to browse the backed files for the selected dates to perform the restore.

When checked, for that certain period(2017 to Jan 2018) client files & .f files are missing in /openv/netbackup/db/images/ directory. So planned to perform the media import but there we had KMS issue i.e for that certain period((2017 to Jan 2018) the passpharse for the keytag used was different and also we lost it if we want to recover and activate the key group & tag.  My queries here is

  1. If I deploy new master server by restoring the catalog which was taken before Jan 2018. Will I able to do the restore for those periods?
  2. What if I restore the client files & .f to the directory /openv/netbackup/db/images/ from my previous(i.e before Jan 2018) catalog backup to current NB master server. As its being same master server which had the record of previous KMS database, will it can be able to restore the data without any issue ?
  3. I have the backup of KMS_DATA.dat, KMS_HMKF.dat,KMS_KPKF.dat which was taken before Jan 2018 if I place this file in the respective directory of my current NB master server, will it work and can able to do the restore ?

 

5 REPLIES 5

pats_729
Level 6
Employee
Hi anandhakannan

Sorry to know the situation you are going through. Here are answers to your queries

1. Catalog backup does not backup KMS files. So it's of no use to perform catalog recovery.
2. If you have catalog backup from the date you mentioned then you can try just restoring .f files. Hope your catalog backup isn't KMS encrypted.
3. Can't comment on your KMS configuration. KMS is something you need to backup seperatly and frequently as you add new keys to it. If you know you were practicing it all way long then no harm replacing files (don't forget to backup current files first).
Hoping for a speedy recovery. All the best.

Hi @AnandhaKannan_D 

My suggestion would be to use a combination of 2 & 3. This assumes that the backup image information is still in the NBDB (i.e. a bpimagelist of the backupid returns information). If this is the case, then you can use the catalog backup from Jan 2018 to recover the .f files missing. 

Once this is done you still have the issue of the KMS keys changing, but as you have the KMS database from that time, you can temporaily switch it over to perform the recovery. Remember to backup the current keys before you do this (as suggested by @pats_729). Also I would strongly suggest you prevent any KMS enabled backups running while you are performing the recovery operation.

One final point, you should really be retaining the KMS keys for the life of the backup data (so it is possible to perform a restore). In the past this was more difficult due to the limited number of keys available (use to be 10 I think) but the limit has increased to 30 so this should be less of an issue now.

We have another complication

2017 to 2018, certain backups encrypted with the key tag (ABCDE) and for this we have lost the passphrase. For testing recently recreated the same key tag(ABCDE) and given different passphrase and few recent backups are now encrypted with key tag (ABCDE) but with new passphrase we given.

  • Let us assuming I got the lost passphrase which was used in 2017 to 2018 and now the key tag(ABCDE) created with the lost passphrase and I can able to do the restore of 2017 to 2018 backups. Now query is what if I want to restore the recent backups which got encrypted with the different passphrase but with same key tag(ABCDE).
  • As per my knowledge, I hope every time I have to create the key tag(ABCDE) with the passphrase which require for restore of 2017 to 2018 and for recent backups. Is there any other way to have both passphrase recorded  key tag (ABCDE) in the master server or is there any option to migrate or merge the key tag to which was created with two different passphrase to restore all my backups encrypted using same key tag (ABCDE) ?

If you have lost the pass phrase no way can help you to recreate the keys.
KMS always looks for passphrase and its salt value (encrypted version of passphrase). If either of this isn’t matching then it’s not going to help

I hope you already have a look at the kms recovery procedures

https://www.veritas.com/support/en_US/doc/21733320-127424841-0/v21635134-127424841



Nicolai
Moderator
Moderator
Partner    VIP   

You need to know passphrases for 

  • passphrase for the Host masker Key (HMK).
  • passphrase for the Key Protecting Key (KPK)
  • a passphrase for the Key Tag

in order to restore anything historical. If missing just one of the passphrases, data will remain encrypted for ever. Re-creating a key tag with a new passphrase will not restore the historical data.

With regards to restoring data with a current and historic key, take a look in the security and enryption guide about "Overview of key record states".

https://www.veritas.com/content/support/en_US/doc/21733320-139202231-0/v21635047-139202231

The key state of depecrated is what you want for historical key states needed to do restore, but not encryptions