10-09-2014 06:07 PM
10-09-2014 11:22 PM
If the library is capable of encryption, then KMS is not required; check with the library vendor.
NDMP backups could be encrypted, yes.
If the library can do encryption, then keys would be managed from the library.
KMS is simply another way of managing keys - you may find it easier than using the library.
LTO4 and above support encryption.
For NBU KMS version info, check the compatibility guide. NBU 7.0 and above.
10-10-2014 12:32 AM
10-10-2014 01:00 AM
As I was taught ...
Encryption is easy, it's the key management that gets you ...
10-10-2014 05:18 PM
Hi Guys,
We have a TS3200 tape library with Transparent LTO Encryption licenses. We also have Symantec NetBackup 7.5 running in our environment. Our requirement is to encrypt NDMP backups which are triggered from NAS filers.
So, if my understanding is correct, it is like this...
Our first option would be to use the keys provided with the tape library to encrypt the NDMP backups. That way Symantec KMS is not needed (required) and managing the keys should be done from the tape library web interface.
Option two would be to use Symantec KMS to manage encryption keys. That way I would be able to import the keys in the tape library or else I would be able to provide keys, either via auto-generation or by manual means, to the tape library to do the encryption. That way, Symantec KMS makes management of keys and rotation of keys easier.
Please correct me if I am wrong.
Finally, there is a question on how to protect the keys, assuming that we are using Symantec KMS to manage our keys. Will the catalog backup include the keys we used for hardware-based (library-based) encryption? Or is there any other way that we can use to back up the keys that we used for encryption?
Thank you in advance.
10-13-2014 03:32 AM
I would agree with your summary.
KMS allows auto-generation or generation via pass-phrase. You cannot supply your own keys.
You can back up the DB files that store the keys, so this is fine for DR - this is all covered in the Security and Encryption guide (quiesce the DB first, then back up the files).
It is recommended to use a pass phrase to generate the keys; this way, even if they are lost, if you use the same pass phrase then you can regenerate the same keys. Auto generation does not allow this, so if you lose the keys, you are in a lot of trouble.
10-13-2014 06:06 AM
Hi mph999,
According to what you have mentioned, if we back up the key database files, then we can recover from a disaster. I mean, suppose we lost our Symantec NetBackup Master and Media server for some reason. If we have been using pass phrases to generate keys, then after reinstalling the same NB software we can regenerate the same keys, so that we can decrypt whatever backups we had encrypted before.
Alternatively, we can achieve the same if we can restore the NB key database files after reinstalling NB on a server.
Please confirm; I mean, kindly correct me if I am wrong.
Thank you.
10-13-2014 06:10 AM
Yes, that is correct.
You can back up the DB files and restore (to a non-encrypted pool of course) or re-generate the same keys by using the pass-phrase option.
M