Solved: Backing up KMS database

SteveLaw · ‎07-09-2015

We have tape encryption setup using KMS on Netbackup 7.5.0.6, The master server is Win2008 R2. I'm looking at the best way to backup KMS.

We plan to keep a paper copy of passphrases and key tag IDs so we can recreate the database entirely from scratch in a DR scenario. But we also want to perform regular backups of the database and host and key protection key files.

We can't backup the database to encrypted tape, because we'd need the keys to decrypt them. However if we back them up to tape using a dedicated media pool without encryption then we might as well not bother with the encryption because the keys would be available if the tapes fell into the wrong hands. Therefore backing them up to tape seems pointless. We first stage our backups to Data Domain, one local and one on a remote site replicating to each other. So regular backups to Data Domain seems the best approach.

Does that seem sensible?

A question about the "nbkmsutil -quiescedb" command. It sets the key database into a read-only state, does that mean that the only actions you can't perform are create or modify keys, key groups etc? I can setup a series of events using our scheduling tool to do the following:

1) run "nbkmsutil -quiescedb"

2) start a backup of the three KMS files to Data Domain

3) When backup completes run "nbkmsutil -noquiescedb"

I'm concerned that the backup may take some time to complete because we often have many backups queued up overnight. But as I understand it the quiescedb command won't affect normal tape writes and reads - it only prevents actual config changes to the keys such as create or modify. So it wouldn't matter if the keys were quiesced for several hours. Am I right?

Thanks

sdo · ‎07-09-2015

I second this.

There's a short simple script here to generate a random pass-phrase:

https://www-secure.symantec.com/connect/forums/how-backup-kms-files

...then make sure to make a note of it - and keep it safe.

Laser carbon slides off paper after a few years. So does pencil graphite. Felt-tips fade or bleed, and so does cheap ink. You need good quality paper, and good quality pen and ink - to avoid a stink... when the pass phrases become illegible. Get the paper copy triple checked. If just one character is wrong, then you'll never be able to restore.

View solution in original post

mph999 · ‎07-09-2015

If you're not making config changes to KMS, I don't see an issue.

What you could do, is have a script, bp_start_notify script that

nbkmsutil -quiescedb

cp <files> <some dir>

nbkmsutil -noquiescedb

... where the backup policy backs up the <some dir>

That way, the quiesce is just for a brief moment.

sdo · ‎07-09-2015

Yes, your first three points are sensible.

Yes, quiesce-ing only prevents modifications, and does not prevent continued use of the keys. So it won't matter if the KMS database is quiesced for some time.

.

Unix steps to save a copy of the KMS db files:

nbkmsutil -ksstats
nbkmsutil -quiescedb
nbkmsutil -ksstats

cp -v /usr/openv/kms/db/KMS_DATA.dat  /tmp
cp -v /usr/openv/kms/key/KMS_HMKF.dat /tmp
cp -v /usr/openv/kms/key/KMS_KPKF.dat /tmp

nbkmsutil -ksstats
nbkmsutil -unquiescedb
nbkmsutil -ksstats

.

A really simple Windows DOS/batch script to save the KMS db files:

@echo on
setlocal enabledelayedexpansion

nbkmsutil -quiescedb

copy "C:\Program Files\Veritas\kms\db\KMS_DATA.dat"   "D:\NBU-KMS-BACKUP\KMS_DATA.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_HMKF.dat"  "D:\NBU-KMS-BACKUP\KMS_HMKF.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_KPKF.dat"  "D:\NBU-KMS-BACKUP\KMS_KPKF.dat"

nbkmsutil -unquiescedb

exit /b

.

Let me know if you want a more robust script with error handling, and one which will always try to unquiesce even if there's an error copying the files.

jim_dalton · ‎07-09-2015

Copy the keys to /tmp? Not sure about that!

Yes it makes sense to copy them elsewhere (how about your DR site, and/or another server, and/or a file server and/or your yahoo account?.You choose). Then delete the intermediate copies.

You will need these files in order to DR your netbackup environment so each time you modify, you need to re-copy. Hopefully not too often. Without them, life can become hard or even impossible to recover data. Paper copies can burn, become illegible, fade etc etc.

Jim

mph999 · ‎07-09-2015

A very good idea is to use keys generated by passphrase, that way, in the event of a real issue they can be recreated. ust keep a copy of the passphrases somewhere safe, eg, in a safe, under your pillow etc ...

sdo · ‎07-09-2015

Good points about /tmp... and burn - or even reaching smoke/smoulder point in a fire safe. I've heard of sites where they stamped the KMS key pass-phrase on to metal dog tags - they knew the non-paper contents of a fire-safe would probably survive.

sdo · ‎07-09-2015

I second this.

There's a short simple script here to generate a random pass-phrase:

https://www-secure.symantec.com/connect/forums/how-backup-kms-files

...then make sure to make a note of it - and keep it safe.

Laser carbon slides off paper after a few years. So does pencil graphite. Felt-tips fade or bleed, and so does cheap ink. You need good quality paper, and good quality pen and ink - to avoid a stink... when the pass phrases become illegible. Get the paper copy triple checked. If just one character is wrong, then you'll never be able to restore.

VOX

Backing up KMS database