How to provide our own keys for KMS to encrypt data rather using auto-generated keys?

symanuser
Level 4

Hi,

I want to use our own set of keys with Symantec KMS to encrypt data (NDMP backups at tape drive level) and I want to rotate them manually (i.e. I will change keys time to time). How do I do it with Symantec KMS?

Thank you in advance.

 

1 ACCEPTED SOLUTION

Accepted Solutions

mph999
Level 6
Employee Accredited

Hi Symanuser

In a nutshell you can't - KMS offers two possibilities, auto-generate keys or generate keys based on a pass phrase.

I wouldn't recommend auto-generating keys, as in the event of key loss, and backups of keys lost, you can't regenerate the same keys. When configuring using a pass phrase, if you give the same pass-phrase you can re-generate the same keys.

Martin


4 REPLIES


Nicolai
Moderator
Moderator
Partner    VIP   

As Martin states you can't specify the encryption key, but you can specify the pass phrase that will generate an encryption key. I HIGHLY recommend using known pass phrases.

You add a new key using  (sorry - no GUI) :

nbkmsutil -createkg -kgname key_group_name [ -desc description ]

Just remember that it's bad mojo to delete an encryption key while backups are still active.

Please note that KMS keys have different states: prelive, active, inactive, deprecated and terminated. You will need to mark the new encryption key as "active".

There are some good examples of nbkmsutil usage in this technote:

http://www.symantec.com/docs/TECH127166

sdo
Moderator
Moderator
Partner    VIP    Certified
8.2.1) Introduction
-------------------

There are three methods of encryption for NetBackup:

1) Client side
   (but uses CPU, very bad for de-dupe, difficult to manage)
   (if key is lost, can be regenerated from passphrase)

2) KMS
   (no additional CPU usage)
   o NetBackup KMS using passphrases
     (if keys are lost, can be regenerated from passphrases)
   o NetBackup KMS using system generated keys
     (if keys are lost, data is lost)
   o External KMS (either HP or IBM) (only matches certain drives)
     (if keys are lost, data is lost)

3) NetBackup MSEO
   (but uses LOTS of CPU) (is this now a deprecated feature?)
   (if keys are lost, data is lost)

8.2.2) NetBackup KMS Warning
----------------------------

The steps below are per NetBackup domain, i.e. this is not per media server, not per library, and independent of drive hardware vendor. KMS for HP LTO drives is different to KMS for IBM LTO drives. NetBackup KMS works with both drive manufacturers.

You will need to think of three strong pass phrases, which the encryption algorithms will convert into keys.

N.B. If you lose the keys, then access to data is lost...
     ...N.B. the keys are NOT saved as part of the catalog backup...
     ...but they can be re-created from the original pass phrases...
     If you forget the pass-phrases then you will never be able to regenerate the keys.

     Catalog backups to tape (when using NetBackup KMS) are normally always unencrypted (because they are usually written to a volume pool named "Catalog_Backup"), so catalog backup media can be stored with the encrypted backup media, because the catalog backups only contain system and backup meta-data, and not actual business data.

A quick note about recording the key-names AND pass-phrases.

N.B. the key-name and the key itself are integral. i.e. to restore encrypted data, whilst it is obvious that the key (and thus the pass-phrase) needs to be known, it is not so obvious that the key-name must also exactly match (note: match exactly, so spelling, casing, and any hyphens/underscores must match exactly).

Consider this... LTO media are rated (in perfect storage conditions) to last for 20 years. Ask yourself, will your record of key-names and pass-phrases still exist in 20 years time? I recommend not printing them using ink-jet or laser printers, nor writing them down using a standard/cheap pen or biro - because all of these materials just won't last that long - the ink will fade, or in the case of laser printed text, after a few years the carbon mix will simply fall off the paper that it is printed on. You need to think about the ink that lawyers, solicitors and registrars use - i.e. a high quality permanent ink that lasts for a lifetime (75 years plus).

Also consider this... Your record of key-names and pass-phrases may need to last for 20 years after the last backup is saved. For example, you may install a NetBackup environment that lasts 10 to 15 years. So, your record of key-names and pass-phrases may need to last for at least 30 to 35 years - perhaps even longer. Obviously don't save the key-names and pass-phrases on digital media, as they simply won't last either. Scary huh!?

8.2.3) Before Configuring
-------------------------

Tape media encryption is based around volume pools. Volume pool names are sometimes loosely associated with retention, e.g. you may have a weekly backup media pool with a retention of one month, and maybe a monthly backup volume pool with a retention of one year or longer. If you want to encrypt backups being written to a volume pool, then an encryption key group with a key-group-name exactly matching the volume pool name must be configured. However, to get NetBackup to write encrypted tape media, the volume pool name must begin with the five characters "ENCR_". Thus, all encryption key-group-names must also begin with the same five characters of "ENCR_".

If, for example, you are currently saving all monthly full backups to an un-encrypted media pool named "Monthly_7Years", then to encrypt these monthly full backups you will need to do three things:

     1) create an encryption key-group named:     ENCR_Monthly_7Years
     2) create a new volume pool named:           ENCR_Monthly_7Years
     3) change backup/SLP policies to use the new volume pool.

8.2.4) Configuring NetBackup KMS on Appliance Master or Master/Media
--------------------------------------------------------------------

FYI - NetBackup KMS is not supported on any appliance master, or appliance master/media, before v2.6.0.1.

Q) How would this be possible on v7.6.0.2, with no CLIsh root access?

support / maintenance / elevate

# ...create the key database...
nbkms -info
nbkms -createemptydb
                 passphrase         my-hmk-id
                 passphrase         my-kpk-id
nbkms -info
nbkmsutil -gethmkid
nbkmsutil -getkpkid
ls -lash /usr/openv/kms/db
ls -lash /usr/openv/kms/key

# ...has the NetBackup KMS daemon started...
ps -ef | grep -i nbkms
# ...if not then start it with...
Use NetBackup Java Admin Console, connect to master, then browse to Activity Monitor, and Daemons tab...
...and start the 'nbkms' daemon.

# ...create the key group - N.B. the keygroup name MUST begin with the five character string of 'ENCR_'
nbkmsutil -listkgs
nbkmsutil -createkg -kgname ENCR_data
nbkmsutil -listkgs

# ...create the key:
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -createkey -keyname my-key -kgname ENCR_data
     ...will prompt for a pass phrase...
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -modifykey -keyname my-key -kgname ENCR_data -activate
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -ksstats

# ...create a volume pool with a name exactly matching the key group name:
vmpool -list_all -bx
vmpool -create -pn ENCR_data -description "KMS encryption"
vmpool -list_all -bx

# ...in use...
# Configure backup/SLP policy to use the new volume pool (i.e. it must begin with ENCR_).
# Do not enable "encryption" on policy - as this is for client side encryption.
# Run a test backup.
# Confirm encryption, using images on media report.

# below are the minimum steps to backup the NetBackup KMS key database:
# ...ideally amend this to copy off-host and off-site...
# ...when NetBackup KMS passphrase based keys are used...
# ...then this only needs to be run when keys are added, changed, amended...
# ...and does not need to be run after each backup session.
nbkmsutil -ksstats
nbkmsutil -quiescedb
nbkmsutil -ksstats
cp /usr/openv/kms/db/KMS_DATA.dat /tmp
cp /usr/openv/kms/key/KMS_HMKF.dat /tmp
cp /usr/openv/kms/key/KMS_KPKF.dat /tmp
nbkmsutil -ksstats
nbkmsutil -unquiescedb
nbkmsutil -ksstats

exit / exit / return

8.2.5) Configuring NetBackup KMS on Windows
-------------------------------------------

(...whilst this step isn't relevant to an appliance, it is only included here purely for reference...)

# ...create the key database...
nbkms -info
nbkms -createemptydb
                 passphrase         my-hmk-id
                 passphrase         my-kpk-id
nbkms -info
nbkmsutil -gethmkid
nbkmsutil -getkpkid
dir "D:\Program Files\Veritas\kms\db\"
dir "D:\Program Files\Veritas\kms\key\"

# ...ensure service starts with NetBackup...
services.msc
# ...and change "NetBackup Key Management Service" to automatic and start it, then check it is running with...
net start | find /i "NetBackup"

# ...create the key group - N.B. the keygroup name MUST begin with the five character string of 'ENCR_'
nbkmsutil -listkgs
nbkmsutil -createkg -kgname ENCR_data
nbkmsutil -listkgs

# ...create the key:
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -createkey -keyname my-key -kgname ENCR_data
     ...will prompt for a pass phrase...
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -modifykey -keyname my-key -kgname ENCR_data -activate
nbkmsutil -listkeys  -kgname ENCR_data
nbkmsutil -ksstats

# ...create a volume pool with a name exactly matching the key group name:
vmpool -list_all -bx
vmpool -create -pn ENCR_data -description "KMS encryption"
vmpool -list_all -bx

# ...in use...
# Configure backup/SLP policy to use the new volume pool (i.e. it must begin with ENCR_).
# Do not enable "encryption" on policy - as this is for client side encryption.
# Run a test backup.
# Confirm encryption, using images on media report.

# below is a simple script to backup the NetBackup KMS key database:
# ...ideally amend this to copy off-host and off-site...
# ...when NetBackup KMS passphrase based keys are used...
# ...then this only needs to be run when keys are added, changed, amended...
# ...and does not need to be run after each backup session.
@echo on
setlocal enabledelayedexpansion
nbkmsutil -quiescedb
copy "C:\Program Files\Veritas\kms\db\KMS_DATA.dat"   "D:\NBU-KMS-BACKUP\KMS_DATA.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_HMKF.dat"  "D:\NBU-KMS-BACKUP\KMS_HMKF.dat"
copy "C:\Program Files\Veritas\kms\key\KMS_KPKF.dat"  "D:\NBU-KMS-BACKUP\KMS_KPKF.dat"
nbkmsutil -unquiescedb
pause
exit /b

# to restore...
copy "D:\NBU-KMS-RESTORE\KMS_DATA.dat"  "C:\Program Files\Veritas\kms\db\KMS_DATA.dat"
copy "D:\NBU-KMS-RESTORE\KMS_HMKF.dat"  "C:\Program Files\Veritas\kms\key\KMS_HMKF.dat"
copy "D:\NBU-KMS-RESTORE\KMS_KPKF.dat"  "C:\Program Files\Veritas\kms\key\KMS_KPKF.dat"
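The key-database backup steps above (quiescedb, copy KMS_DATA.dat / KMS_HMKF.dat / KMS_KPKF.dat, unquiescedb) and the key-group / volume-pool naming rule from Nicolai's and sdo's posts, wrapped into shell functions as an added example. This is not code from the thread or from Veritas: it assumes nbkmsutil lives under /usr/openv/netbackup/bin/admincmd and the key store under /usr/openv/kms (both overridable via NBKMSUTIL and KMS_DIR, which also allows an offline run against a stub and a scratch directory), and it adds the two checks a practitioner would want that the bare cp sequence lacks: the database is un-quiesced on every exit path, and each copy is checksum-verified before the backup is declared good.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the KMS key-database backup
# steps (quiescedb -> copy three files -> unquiescedb) so that the database is
# always un-quiesced, even when a copy fails, and every copy is verified.
#
# Assumptions (mine, not stated in the thread): nbkmsutil is under
# /usr/openv/netbackup/bin/admincmd and the key store under /usr/openv/kms.
# Both are overridable so the functions can be exercised against a stub.

NBKMSUTIL="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"
KMS_DIR="${KMS_DIR:-/usr/openv/kms}"

# Naming rule from the thread: the key-group name must begin with "ENCR_" and
# match the volume pool name exactly (case, hyphens and underscores included).
# Returns 0 when the pair is acceptable, 1 otherwise.
kms_names_ok() {
    kg="$1"
    pool="$2"
    case "$kg" in
        ENCR_*) ;;
        *) return 1 ;;
    esac
    [ "$kg" = "$pool" ]
}

# SHA-256 of one file, hash only (sha256sum is GNU coreutils; use
# "shasum -a 256" on platforms without it).
kms_sum() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy the three KMS files to directory $1 while the database is quiesced.
# Every exit path un-quiesces: the EXIT trap covers an interrupted run, the
# explicit call at the end covers the normal one. Returns 0 only if all three
# copies exist and match their source checksums.
kms_backup() {
    dest="$1"
    mkdir -p "$dest" || return 1
    "$NBKMSUTIL" -quiescedb || return 1
    trap '"$NBKMSUTIL" -unquiescedb' EXIT

    rc=0
    for f in "$KMS_DIR/db/KMS_DATA.dat" \
             "$KMS_DIR/key/KMS_HMKF.dat" \
             "$KMS_DIR/key/KMS_KPKF.dat"; do
        name=$(basename "$f")
        if ! cp "$f" "$dest/$name"; then
            rc=1
            break
        fi
        # A truncated or zero-length copy is caught here, not at restore time.
        if [ "$(kms_sum "$f")" != "$(kms_sum "$dest/$name")" ]; then
            rc=1
            break
        fi
    done

    # Ship the checksum list with the copies so the off-site set can be
    # verified later without access to the master.
    if [ "$rc" -eq 0 ]; then
        (cd "$dest" && sha256sum KMS_DATA.dat KMS_HMKF.dat KMS_KPKF.dat > SHA256SUMS) || rc=1
    fi

    "$NBKMSUTIL" -unquiescedb || rc=1
    trap - EXIT
    return "$rc"
}

# Verify a backup directory against its SHA256SUMS before relying on it.
kms_backup_verify() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS) >/dev/null 2>&1
}

# Example run (commented out so the file can be sourced):
#   kms_names_ok ENCR_data ENCR_data && kms_backup "/var/tmp/kms-backup-$(date +%Y%m%d)"
```

Run kms_backup_verify on the copied directory after moving it off-host; a set that fails the check should be re-taken while the original key store still exists rather than discovered at restore time.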

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified