
NetBackup KMS in NetBackup Clustered Environment

a_la_carte
Level 5

Hello Folks,

Looking for answers to a few queries here so that we can proceed with this encryption solution in our NetBackup environment.

==========================================================

My NBU environment is as below: 
NBU in cluster: Both Nodes Windows 2008 R2 Enterprise x-64-bit 
NBU version : 7.6.0.1, upgrading to 7.7 in next 1 month 
Media Servers: 2, Solaris 11, LDOMs 
Tape Library: Oracle SL150 - 10 LTO-6 tape drives, SSO enabled 

========================================================== 

The customer is looking forward to putting encryption on the tapes.
We are suggesting they use KMS encryption instead of client encryption at the policy level or MSEO at the media server level.

1) Since both MSEO and client-level encryption require processing, and hence put additional load on media servers and clients respectively, we are planning for KMS, which doesn't involve any additional processing and hence no overloading of clients or media servers. Are we correct in our thinking here? Please clarify.

 

2) As KMS doesn't require any additional license, it could be quickly enabled at the NBU end without additional cost. Is this correct?

 

3) The tape drives are LTO-6, the latest generation, hence they support NBU KMS encryption at the tape/tape-drive level. Is this correct?

 

4) Since our NBU environment is clustered with active and passive master-server nodes, how do you think the initial KMS configuration (like creating the key DB, HMK, KPK, key group, active key record, etc.) should be handled? Do we need to do this initial configuration on both nodes separately and alike? How would NBU encryption behave when the entire NBU master server fails over from one master-server node to the other?

 

5) What are the drawbacks of configuring KMS in an NBU clustered environment, and what challenges are associated with it?

 

6) How is KMS going to affect the overall backup completion time for a particular backup, given that client-based and media-server-based encryption are both CPU-intensive operations and KMS is just pool-based? Will KMS encryption really affect backup completion time?

 


We would like answers to the above questions point by point, and will post more as they come to mind.

Thanks for your time and kind assistance.

1 ACCEPTED SOLUTION


RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

Hi,

  1. Correct
  2. Check with your local Veritas SE / Account manager regarding licensing.
  3. Check with your hardware vendor. Most drives can perform encryption but I believe you'll need a license to unlock the feature.
  4. Follow the instructions in the NetBackup security and encryption guide. Section "About installing KMS with HA clustering"
  5. Nothing, it's going to be clustered along with your Master Server services
  6. It will not affect it. Encryption is performed at HW layer.


sdo
Moderator
Moderator
Partner    VIP    Certified

2) Yes, no cost, assuming you have license coverage already for all of your tape drives.

3) I've never had to install a license on an HP library to enable KMS - but take Riaan's advice and ask the vendor.

6) I've heard it said that there's about a 1% performance/throughput/efficiency hit/detriment from enabling KMS. In short you probably won't notice.

Nicolai
Moderator
Moderator
Partner    VIP   

Agree with Riaan's answers except

2: This is a YES. KMS is part of the NBU base license.

From my experience with KMS, it is very easy to use and transparent in operation.

Here are two tech notes I think you will find interesting:

How to verify KMS encrypted the backup

http://www.veritas.com/docs/000006206

How to Export and Import Encryption Keys Using the NetBackup KMS

http://www.veritas.com/docs/000009714

However, one word of warning. Don't rotate encryption keys (if at all) faster than the retention of the longest backup. Otherwise you may end up handling encryption keys in Excel, switching keys back and forth, restore errors because of an incorrect KMS key, and having to stop and start NetBackup every time.
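The rotation rule in this reply, worked as an added example (not from the thread and not Veritas code): a small Python model of a key group's records and the images written under each key, which flags unexpired images whose key can no longer restore them and computes the earliest date each key may safely leave the restorable states. Key tags, dates and images are constructed; the state semantics (active and inactive can restore, deprecated and terminated cannot) are assumed from NetBackup KMS behaviour.

```python
from datetime import date, timedelta

# Assumed NetBackup KMS state semantics: active = backup and restore,
# inactive = restore only, deprecated/terminated = cannot restore.
RESTORABLE = {"active", "inactive"}

# Constructed key-group history, one record per rotation (not real key data).
KEYS = [
    {"tag": "key-2014", "state": "terminated", "active_from": date(2014, 1, 1)},
    {"tag": "key-2015", "state": "inactive",   "active_from": date(2015, 1, 1)},
    {"tag": "key-2016", "state": "active",     "active_from": date(2016, 1, 1)},
]
# Constructed images in the KMS-encrypted pool; "expires" = written + retention.
IMAGES = [
    {"id": "img-A", "written": date(2014, 6, 1), "expires": date(2021, 6, 1)},
    {"id": "img-B", "written": date(2015, 3, 1), "expires": date(2016, 3, 1)},
    {"id": "img-C", "written": date(2016, 2, 1), "expires": date(2017, 2, 1)},
]
TODAY = date(2016, 6, 1)                 # constructed "now" for the check
MAX_RETENTION = timedelta(days=7 * 365)  # longest retention in the environment

def key_for(written, keys):
    """Key that was active when the image was written (latest active_from <= written)."""
    candidates = [k for k in keys if k["active_from"] <= written]
    return max(candidates, key=lambda k: k["active_from"]) if candidates else None

def unrestorable_images(images, keys, today):
    """Unexpired images whose key is no longer in a restorable state."""
    problems = []
    for img in images:
        if img["expires"] <= today:
            continue  # retention has lapsed, so the key no longer matters
        key = key_for(img["written"], keys)
        if key is None or key["state"] not in RESTORABLE:
            problems.append((img["id"], key["tag"] if key else None))
    return problems

def earliest_safe_retirement(keys, max_retention):
    """Date from which each key may leave the restorable states.

    Images written under a key are dated no later than the successor's
    active_from and expire at most max_retention after that; the current
    key has no successor yet and gets None.
    """
    ordered = sorted(keys, key=lambda k: k["active_from"])
    safe = {}
    for i, key in enumerate(ordered):
        nxt = ordered[i + 1] if i + 1 < len(ordered) else None
        safe[key["tag"]] = None if nxt is None else nxt["active_from"] + max_retention
    return safe
```

With the constructed data, img-A is still within retention but was written under the terminated key-2014, which is exactly the restore failure the warning describes.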

a_la_carte
Level 5

Thanks folks,

 

Another set of queries popped up in my mind.

 

7) Is KMS encryption possible for disk-based backups too, or only for tape-based backups, as it is only volume-pool based and T10-compliant tape-drive based?

 

 

8) I went through page no. 270/271, point "About installing KMS with HA clustering"; it refers to optional packages and the services related to them. Is this a mention of KMS as a package here?

And if we do not enable monitoring of the KMS services, does that mean that if an issue happens with the KMS service in future, NetBackup will not fail over to the other node and will remain there in a failed state?

And if an issue happens with any other service in future, will NetBackup fail over to the other node with all its other services except KMS?

Please clarify the above point in detail.

 

 

9) Since we run the command below in the "bin" directory to create the KMS DB, how does it get installed on the shared drive (J:\ is the shared drive in our case, used for the catalog by both nodes)?

In our case, our installation path is the E:\ drive on both nodes. The concern here is that if I do the initial configuration of KMS on the E:\ drive on the active node, how do these settings and configuration get mapped to the other, passive node?

 

C:\Program Files\Veritas\NetBackup\bin\nbkms -createemptydb  

 

10) GRT, as per the tech note below, is not possible using any encryption option, be it client, MSEO or KMS. Does this also include GRT for VMware backup types, or just Exchange?

 

https://www.veritas.com/support/en_US/article.000071421

Please confirm if we can restore a single file from VMware backup (GRT) encrypted with NetBackup KMS.

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

 

7. No

8. That refers to Unix/Linux where the NetBackup installation is/was more modular

9. NetBackup is cluster aware so it will know that your KMS folder is located on J:\.

10. That statement refers to Granular Recovery (Exchange, AD, and SPS) and not VRAY that is used for VMware.

sdo
Moderator
Moderator
Partner    VIP    Certified

7) Yes KMS can be enabled for Advanced Disk:

https://www.veritas.com/support/en_US/article.DOC5149

9) Just a side-line piece of advice... try very, very hard not to run commands whilst in the bin folder... one piping or pasting goof and you've broken NetBackup. Instead, set up 'paths' at the OS CLI / shell layer.

10) The tech note actually says this:

When the Encryption attribute is enabled, the server encrypts the backup for the clients that are listed in the policy. NetBackup does not support GRT for any backups that use encryption.

...which is referring to whether 'encryption' is enabled on the backup policy, i.e. to use client side encryption. NetBackup KMS encryption is abstracted from client and server comms - i.e. the backup client does not know whether the backup is encrypted or not. I very much suspect that GRT can still be used (for copies made to tape (other GRT/tape feature limitations notwithstanding)) even if NetBackup KMS has been deployed at the tape back-end. Remember, NetBackup KMS encryption is not enabled at the policy level (by selecting the policy attribute for encryption)... instead NetBackup KMS is implemented at the volume pool level.

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

7. Interesting. Thanks SDO

a_la_carte
Level 5

Thanks Riaan.

If you are saying that NBU is cluster aware, do you mean that if I run the "createemptydb" command from the E:\ drive path, the KMS DB/folder will be created on the J:\ drive automatically?

@sdo:-

But if I talk specifically about GRT for Exchange, then tape doesn't come into the picture at all and there MUST be a disk at the other end, and if so, is KMS on a basic disk supported?

I have read about KMS on NBU Adv.Disk, though nowhere is it mentioned for basic disk-based backup.

Again, KMS has been flagged everywhere as an encryption solution for a TAPE which is T10 compliant, so how does Adv.Disk come into the picture?

sdo
Moderator
Moderator
Partner    VIP    Certified

When you are on the E: drive and issue a command, it doesn't just do things on the E: drive. The command you are running as a direct binary may itself exist on the E: drive, but this has no bearing on what it might read/write on any other drive.

No NetBackup KMS for NetBackup Basic Disk.

You can still duplicate your GRT-aware backup images to KMS-encrypted tape - but as you know, you won't be able to perform a GRT restore from tape (whether encrypted or not) - but you can still perform a GRT restore if you retain a copy (as primary copy) of the backup image on disk for however long you can/should.

Not sure how KMS works deep down for Adv.Disk - but if the manual says it works, then it should work. Maybe do a POC for yourself?

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

As SDO said, you just run the command; it will know where the location of KMS is because it will refer to the registry. When you performed the cluster installation a whole bunch of folders got moved to the J drive, and the registry was updated. Any folder that should be shared, i.e. one that contains data (EMM databases, catalog, etc.), is put on shared storage so it's available after failover.

Nicolai
Moderator
Moderator
Partner    VIP

My guess

AdvancedDisk is OST based, I don't think the basic disk is.

When you activate KMS for advanced disk you copy an OST plug-in that enables the encryption. That also means the KMS encryption on AdvancedDisk will take away a lot of CPU cycles. On tape it's taken care of in the tape drive.

Before enabling KMS on disk, please think about the following statement:

If original data and backup data reside in similar security zones, does it make sense to secure backup data more than original data?

mph999
Level 6
Employee Accredited

It does work on Adv Disk - I tried it a few months back ...