KMS and Key Retention Policies

terryd3
Level 4

I am going to set up KMS in NetBackup 7.7.2. I understand how this works and have successfully tested backups and restores to a DR site. My question is with the retention periods on the keys. I want to encrypt my offsite duplicated tapes only. The daily jobs have a 2 month retention, weekly 2 month, monthly 13 months, and yearly 2 years. Should I create multiple keys for one keygroup, and set all but one to prelive, and one to active? Can someone give me examples of how this part works? Is there always going to be manual intervention with the status of the keys?

Thanks for any clarification on this.

jim_dalton
Level 6

You could use different volume pools for the backups, Terry... this way you then have separate sets of keys and you can manage them as you wish, without the need to think about... which of these keys is the right key to decrypt backup X. You override the policy volume pool in the schedule. Should make things much simpler. Jim.

terryd3
Level 4

Thanks Jim.  I like the idea of different volume pools.  What is the purpose of rotating keys, or do you even have to?  Can I just create one key for each policy and use that key only?

Michal_Mikulik1
Moderator

Hello,

Yes, there could be one key for all policies/duplication (more precisely, for all volume pools used by them), or you can have different keys for individual volume pools.

I think the key rotation is rather about security best practices. Consult this with management or with somebody responsible for data security.

Regards

Michal
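
An added example, not part of the original thread and not NetBackup code: a small Python model of how long a rotated key has to stay available for restores under the retentions given in the question, comparing one shared volume pool with separate pools as suggested above. Pool names, key names and rotation dates are hypothetical, and it assumes a key is needed until the longest-retained image written under it has expired.

```python
import calendar
from datetime import date

# Offsite retentions from the question, in months (yearly = 2 years).
RETENTION_MONTHS = {"daily": 2, "weekly": 2, "monthly": 13, "yearly": 24}

# Hypothetical layouts: one shared pool versus one pool per retention class.
SHARED = {"Offsite": ["daily", "weekly", "monthly", "yearly"]}
SPLIT = {"Offsite_Short": ["daily", "weekly"],
         "Offsite_Monthly": ["monthly"],
         "Offsite_Yearly": ["yearly"]}

def add_months(d, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def key_hold_dates(pools, activations):
    """Map each key to the date after which no retained image needs it.

    pools:       {pool: [schedules written to it]}
    activations: {pool: [(key_name, activation_date), ...]}, oldest first.
    Assumption: a key encrypts until the next key in its group is activated,
    and must stay restorable until the longest retention in that pool has
    run out. The newest key is still encrypting, so it maps to None.
    """
    hold = {}
    for pool, keys in activations.items():
        longest = max(RETENTION_MONTHS[s] for s in pools[pool])
        for (name, _), nxt in zip(keys, keys[1:] + [None]):
            hold[name] = add_months(nxt[1], longest) if nxt else None
    return hold

def rotate_twice(pools):
    """Constructed sample: every pool rotates keys on the same two dates."""
    return {p: [(f"{p}_k1", date(2016, 1, 1)), (f"{p}_k2", date(2016, 7, 1))]
            for p in pools}

if __name__ == "__main__":
    for layout in (SHARED, SPLIT):
        for key, until in key_hold_dates(layout, rotate_twice(layout)).items():
            print(key, "->", until or "still active")
```

With the shared pool the rotated key has to be held for the full two years after rotation, while in the split layout the key for the daily and weekly pool is only needed for two months after it is superseded.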