KMS - Best practice for encryption key usage, rotation etc.

andrew_mcc1
Level 6
VIP

Does anyone have info on or pointers to best practice for KMS key usage and rotation for encrypting tape? I’m thinking of when to start using a new key, when to deprecate and delete keys etc. This is in the light of a maximum of 30 keys per key group/volume pool and up to 10 year retention. I can’t see any guidance on this in the normal docs.

Many thanks. Andrew

6 REPLIES

Nicolai
Moderator
Partner, VIP

My rule of thumb:

Key rotation cannot be faster than the longest retention

Why: If you rotate keys faster, keys will not be in either the "active" or "inactive" state where they can decrypt data, meaning you have to manually track when the different keys were in use. Tracking can be solved manually using an Excel sheet, but it is error prone. Without the right key, restore will fail.

Instead of rotating encryption keys, use one very strong key and stick to it.

Best Regards

Nicolai

Nicolai, thanks for this. However, rotation can be moving a key from active to inactive after a shorter period than the longest retention, as this will still enable restores. I was thinking a customer could, say, keep keys active for 3 months and inactive for a further 9 months so restores will work for a year. After that keys could be deprecated or deleted, but would have to be imported or recreated to restore data.

Also this would require a minimum of 4 keys per key group or, if they wanted to keep 7 years of keys online, a total of 28 keys - i.e. just below the key group maximum of 30 keys.

I’m just wondering what customers actually do and what is regarded as good practice.

BR Andrew  
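To make the arithmetic in the scheme above checkable, here is a small Python model of a key group under a rotation schedule. It is an added illustration, not code from the thread or from Veritas: it takes the key states named in the thread (active, inactive, deprecated, deleted), the thread's assumption that only an active or inactive key can decrypt, and the 30-keys-per-key-group limit quoted above, and counts time in whole months. The field and function names (RotationPolicy, key_state, peak_keys and so on) are my own and correspond to no NetBackup command. It generalises beyond the 3-month/9-month case: any active/inactive/online lengths can be plugged in, and it also answers Nicolai's point later in the thread about a small key group not lasting when rotation is frequent and retention long.

```python
"""Toy model of a KMS key-rotation schedule for one key group.

Added illustration (constructed), not from the thread or from Veritas.
Key k is created at month k * active_months and becomes the writing key;
it then passes through inactive and deprecated before being deleted.
"""
from dataclasses import dataclass
from typing import List, Optional

ACTIVE, INACTIVE, DEPRECATED, DELETED = "active", "inactive", "deprecated", "deleted"


@dataclass(frozen=True)
class RotationPolicy:
    active_months: int    # months a key is the group's writing key
    inactive_months: int  # months it stays inactive (still decrypts) afterwards
    online_months: int    # total months before the key is deleted from the group
    max_keys: int = 30    # key group limit quoted in the thread


def writing_key(policy: RotationPolicy, month: int) -> int:
    """Index of the key that encrypts backups written in `month` (0-based)."""
    return month // policy.active_months


def key_state(policy: RotationPolicy, key_no: int, month: int) -> Optional[str]:
    """State of key `key_no` during `month`; None if it does not exist yet."""
    created = key_no * policy.active_months
    if month < created:
        return None
    age = month - created
    if age < policy.active_months:
        return ACTIVE
    if age < policy.active_months + policy.inactive_months:
        return INACTIVE
    if age < policy.online_months:
        return DEPRECATED
    return DELETED


def keys_in_group(policy: RotationPolicy, month: int) -> List[int]:
    """Keys still present in the group (any state but deleted) during `month`."""
    newest = writing_key(policy, month)
    return [k for k in range(newest + 1) if key_state(policy, k, month) != DELETED]


def can_restore(policy: RotationPolicy, backup_month: int, restore_month: int) -> bool:
    """A restore works only while the key that wrote the backup is active or inactive."""
    state = key_state(policy, writing_key(policy, backup_month), restore_month)
    return state in (ACTIVE, INACTIVE)


def restorable_months(policy: RotationPolicy) -> int:
    """Longest time a backup stays restorable without re-importing its key."""
    return policy.active_months + policy.inactive_months


def covers_retention(policy: RotationPolicy, retention_months: int) -> bool:
    """Nicolai's rule of thumb: keys must stay usable at least as long as the longest retention."""
    return restorable_months(policy) >= retention_months


def peak_keys(policy: RotationPolicy, horizon_months: int) -> int:
    """Largest number of keys present in the group at any month of the horizon."""
    return max(len(keys_in_group(policy, m)) for m in range(horizon_months))


def fits_in_group(policy: RotationPolicy, horizon_months: int) -> bool:
    """True if the schedule never exceeds the key group's key limit."""
    return peak_keys(policy, horizon_months) <= policy.max_keys


if __name__ == "__main__":
    # Andrew's scheme: 3 months active, 9 inactive, keys kept online for 7 years.
    andrew = RotationPolicy(active_months=3, inactive_months=9, online_months=7 * 12)
    print("keys at peak:", peak_keys(andrew, 10 * 12), "fits:", fits_in_group(andrew, 10 * 12))
    print("restore 11 months after writing:", can_restore(andrew, 0, 11))
    print("restore 12 months after writing:", can_restore(andrew, 0, 12))
    print("covers 10-year retention:", covers_retention(andrew, 10 * 12))
    # Keeping keys usable for a full 10-year retention with quarterly rotation:
    ten_year = RotationPolicy(active_months=3, inactive_months=117, online_months=120)
    print("keys needed for 10-year cover:", peak_keys(ten_year, 20 * 12))
```

Running it reproduces the 28-key figure for the 3+9 month scheme kept online for 7 years, and shows the trade-off the thread circles around: a backup written under that scheme is restorable for 12 months only, while stretching the inactive period to cover a 10-year retention with quarterly rotation would need 40 keys, more than the 30 a key group holds.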

Michal_Mikulik1
Moderator
Partner, VIP, Accredited Certified

Hello,

I have set up KMS probably 3 times and we always used one persistent strong key, so there were no rotation periods. I see there could be environments where some rotation is required - IMHO the parameters of this are a question for the Security Officer/Admin, not the NetBackup Admin.

Regards

Michal

Nicolai
Moderator
Partner, VIP

@pyesdebe

There are no wrongs and rights below - it is just my view :)

1: And it's the adding and removing of keys I don't like. Removing a key - and losing it - means you just lost a whole bunch of backups. Call me chicken :)

2: You could do this, but an ENCR_ volume pool points to a key group. This means that besides rotating the encryption key you also have to change the volume pool/create new volume pools in the policy to change key groups. Just imagine having 60-100 policies in a large configuration.

andrew_mcc1
Level 6
VIP

@Michal_Mikulik1, Thanks for this. I think many customers do want to change the active key periodically; I guess we just need to be careful how it is done. Also I'd be rather concerned that a security officer or auditor may give a blanket answer that is not technically feasible, e.g. "change all keys for new and existing backups every 6 months or on demand if a key is compromised". (I've heard a security consultant say GDPR requires deleting specific files from ALL backups - the conversation then went something like: "We've got 5,000 tapes, how would you do that, Mr Security Consultant?" "I don't know, that's your problem Mr Backup Admin".)

@Nicolai, Thanks also. Yes, I understand deleting a key creates a potential risk of data loss. However, as I see it, the customer can change the active key within a key group without having to change volume pools or policies etc.

Anyway, it doesn't sound as if there is a consensus on good practice here, but thanks for the feedback on what customers have been doing. BR Andrew

Nicolai
Moderator
Partner, VIP

@andrew_mcc1 Agree, but if the frequency of key exchange is too high and the retention level is long, one key group with 10 keys is not going to last.

With regards to GDPR data and the right to be forgotten:

I recommend using a 3 to 6 month retention period for GDPR data. GDPR data deletion does not have to be instant. A 3 to 6 month retention before GDPR data is off backups can be defended. However - again in my view - long retention is not defendable in a GDPR trial. There are simply no effective controls.