10-25-2023 06:07 AM
Hello, I need to restore virtual machines located on tape media that was encrypted with KMS. We have the following files available ...
db\KMS_DATA.dat
key\KMS_HMKF.dat
key\KMS_KPKF.dat
Is it true, that those files just need to be copied to the right place (the question is where is this place on a NetBackup server running on a Windows Server system?) and the 'NetBackup Key Management Service' needs to be started or are there other things to be considered?
Thanks in advance for any reply.
10-25-2023 07:24 AM
Hi @Didi7
Guidance can be found in Veritas NetBackup™ Security and Encryption Guide
If you have made backup copies of the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files, it is just a matter of restoring these three files. Then start up the nbkms service and the KMS system will be up and running again.
https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v21635120-127424841
On Windows the location is:
\Program Files\Veritas\kms\db\KMS_DATA.dat
\Program Files\Veritas\kms\key\KMS_HMKF.dat
\Program Files\Veritas\kms\key\KMS_KPKF.dat
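The restore described in the answer above, as an added PowerShell example that is not part of the original posts or of NetBackup itself. It assumes the saved copies sit in a folder laid out as db\ and key\ like in the question, that NetBackup is installed under the default Program Files directory, and that the service display name is the one quoted in the question; stopping the service before the copy is also an assumption of this example.

```powershell
# Added example: restore the three KMS files, verify them, then start the KMS service.
param(
    # Assumption: folder holding the saved copies (db\KMS_DATA.dat, key\KMS_HMKF.dat, key\KMS_KPKF.dat).
    [Parameter(Mandatory)] [string] $BackupRoot,
    # Assumption: default install location; the thread gives the path without a drive letter.
    [string] $KmsRoot = (Join-Path $env:ProgramFiles 'Veritas\kms')
)
$ErrorActionPreference = 'Stop'

$files = 'db\KMS_DATA.dat', 'key\KMS_HMKF.dat', 'key\KMS_KPKF.dat'

# Abort before touching anything if the backup set is incomplete.
$missing = $files | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $BackupRoot $_) -PathType Leaf)
}
if ($missing) { throw "Missing in backup: $($missing -join ', ')" }

# Display name as quoted in the question; stop the service so the files are not in use.
$svc = Get-Service -DisplayName 'NetBackup Key Management Service'
if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc }

foreach ($rel in $files) {
    $src = Join-Path $BackupRoot $rel
    $dst = Join-Path $KmsRoot $rel
    New-Item -ItemType Directory -Path (Split-Path $dst -Parent) -Force | Out-Null

    # Keep any file already in place so an accidental overwrite can be undone.
    if (Test-Path -LiteralPath $dst) {
        Copy-Item -LiteralPath $dst -Destination "$dst.pre-restore" -Force
    }
    Copy-Item -LiteralPath $src -Destination $dst -Force

    # Confirm the restored copy is byte-identical to the backup copy.
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy: $rel" }
    '{0}  {1}' -f $dstHash, $dst
}

Start-Service -InputObject $svc
Get-Service -DisplayName 'NetBackup Key Management Service'
```

Run it from an elevated prompt; the printed SHA-256 values can be kept alongside the offline copies to check them later.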
10-25-2023 10:38 AM
Hi Nicolai,
It really was as simple as that. Restores from encrypted media are possible now. I read about it in another thread but nothing was mentioned about the path for the KMS files within a Windows Server environment.
Thank you for your prompt answer.
10-26-2023 12:48 AM
Hi @Didi7
Glad I could help.
Word of advice. Pls make sure you protect (backup) the KMS files or the pass phrases KMS keys were generated by on a medium NOT encrypted by KMS. Else you truly have a catch-22.
10-26-2023 01:19 AM - edited 10-26-2023 01:21 AM
Hello Nicolai,
KMS files, passphrases and the like are safely protected on different systems and several times on tape media and even on USB sticks in a professional safe.
I assume KMS files don't change, as long as you do not change any passphrases?
The above mentioned server is just for restore purposes.
In the meantime I could successfully restore 3 VMs from 3 different encrypted tapes.
Regards