Netbackup KMS on new master

rookie11
Moderator, VIP

Hello All,

Master: NBU 7.5.0.6, Windows 2003 OS; 4 NBU 5220 appliances, all at the same version 2.5. KMS is currently enabled on the master server as per technote http://www.symantec.com/business/support/index?page=content&id=TECH67972. The passphrase is saved in 2 different locations. I have to perform a hardware refresh of the master server. The new master build will be on Windows 2008; the NBU version will remain the same, 7.5.0.6, keeping the IP and hostname the same as the old master server. It's basically a catalog migration to a new master server.

Will the configuration and database related to KMS be migrated to the new server if I perform the catalog recovery properly, or are there additional steps to move the KMS configuration to the new master?

2 ACCEPTED SOLUTIONS

mph999
Level 6
Employee Accredited

Adding to the excellent answers so far - I put together a short 'how to' doc for some colleagues. Some of it is copy/paste from the manuals, so really it is a summary with a simple example of how to set up.

The golden rule for encryption:

“Encryption is Easy, it’s the Key management that gets you every time …”

In other words, lose your keys and you're stuffed ... I've seen 100% of backups in an environment unrecoverable due to lost keys - and no, Symantec doesn't have a 'back door' to get them back - for that reason with KMS, use the pass phrase method of generating the keys, and keep the passphrase(s) safe (like in a safe) so the keys can be recreated. You can also back the keys up; don't do this to encrypted media for obvious reasons (yep, I've seen that too ...).

KMS

The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes. (KMS will also work with Advanced Disk and Cloud backups.)

KMS works with encryption capable tape drives. KMS is integrated into NetBackup in such a way so as to eliminate difficulties in using NetBackup from a system management perspective. KMS provides encryption key management for tape drives with built-in encryption capabilities. These tape drives adhere to the SCSI standard. A SCSI command enables encryption on the tape drive. NetBackup accesses this capability through the volume pool name.

BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted.

BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool.

KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag).

BPTM places the drive in encryption mode and registers the key tag and identifier tag with the drive. This process is all done with the SCSI security protocol in or out command that has been added to the SCSI specification.

The backup then proceeds as normal.

When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode.

BPTM then records the tag in the NetBackup image record catalog.

Setting up KMS

nbkms -createemptydb

Enter a Host Master Key passphrase (hmk_pass_phrase)

The host master key contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. The host master key is located at /opt/openv/kms/key/KMS_HMKF.dat.

Enter an ID (HMK_key)

Enter a Key Protection Key passphrase (KPK_pass_phrase)

A key protection key is an encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is kms/key/KMS_KPKF.dat. Currently the same key protection key is used to encrypt all of the records.

Enter a KPK ID (KPK_Key)

Operation successfully completed

Start the KMS service by running nbkms

Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have a prefix ENCR_.

nbkmsutil -createkg -kgname ENCR_kms_pool

The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.

Create a key record by using the -createkey option.

nbkmsutil -createkey -kgname ENCR_kms_pool -keyname tech_talk_demo_key -activate -desc "Keys for KMS Techtalk"

The key name and message are optional; they can help you identify this key when you display the key.

Enter a pass phrase (tech_talk_demo_key_pass_phrase)

List Keys in the KeyGroup

nbkmsutil -listkeys -kgname ENCR_kms_pool

Symantec recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.

Recover KMS by restoring all Data files

If you have made backup copies of the KMS_DATA.dat, KMS_HMKF.dat, and KMS_KPKF.dat files, it is just a matter of restoring these three files. Then start up the nbkms service and the KMS system will be up and running again.

nbkmsutil -quiescedb   - Required before copying KMS DB files
nbkmsutil -unquiescedb

Recovering KMS by restoring only the KMS data file

You can restore the backed up copy of the KMS data file kms/db/KMS_DATA.dat by regenerating the KMS_HMKF.dat and KMS_KPKF.dat files with passphrases. So, if you have written down passphrases for the host master key and key protection key, you can run a command to regenerate those files. The system will prompt you for the passphrase and if the passphrase you now enter matches the passphrase originally entered, you will be able to reset the files.

To recover KMS by restoring only the KMS data file

1 Run the nbkms -resethmk command.
2 Run the nbkms -resetkpk command.
3 Start up the nbkms service.

Recovering KMS by regenerating the data encryption key

You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records.

nbkms -createemptydb
(Start KMS)
nbkmsutil -createkg -kgname ENCR_kms_pool   << Extra step not in manual
nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 68ff5c10ce662d8bfd60159fb0e2fc8def26f42588190615b43c3821bb55259c   (kmsttphrase)
nbkmsutil -modifykey -kgname ENCR_kms_pool -keyname KMS_TT -state active

KMS Files

Key file or key database
Contains the data encryption keys. The key file is located at /opt/openv/kms/db/KMS_DATA.dat.

Host master key
Contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. The host master key is located at /opt/openv/kms/key/KMS_HMKF.dat.

Key protection key
Encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is located at /opt/openv/kms/key/KMS_KPKF.dat. Currently the same key protection key is used to encrypt all of the records.

Back up KMS files

If you want to back up the KMS files, the best practices should be followed. Put the KMS database file on one tape and the HMK files and KPK files on another tape. To gain access to encrypted tapes, someone would then need to obtain both tapes.

Another alternative is to back up the KMS data files outside of the normal NetBackup process. You can copy these files to a separate CD, DVD, or USB drive.

DO NOT BACK THE FILES UP ON KMS ENCRYPTED TAPES

You can also rely on passphrase generated encryption keys to manually rebuild KMS. All of the keys can be generated by passphrases. If you have recorded all of the encryption key passphrases you can manually recreate KMS from information you have written down. If you only have a few encryption keys you generate, this process could be short.

Key records:

Key records contain many fields but the primary records are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata.

These key records are defined as follows:

Encryption key
This key is given to the tape drive.

Encryption key tag
This tag is the identifier for the encryption key.

Record state
Each of the key records has a state. The states are prelive, active, inactive, deprecated, and terminated.

Metadata
Metadata includes logical name, creation date, modification date, and description.

Key groups

Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one active state key record at any time. NetBackup 7.5 supports 100 key groups. NetBackup 7.0 supported 20 key groups and NetBackup 6.5.2 supported two key groups. Only 10 encryption keys are allowed per key group.

Tape Drive Considerations:

To provide support for the T10 / SCSI standard tape drives with embedded (LTO4 and equivalent) encryption.

How is an encrypted tape written?

BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted.

BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool. KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag).

BPTM places the drive in encryption mode and registers the key tag and identifier tag with the drive. This process is all done with the SCSI security protocol in or out command that has been added to the SCSI specification.

The backup then proceeds as normal. When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode.

BPTM then records the tag in the NetBackup image record catalog.

Reading an encrypted tape

When a tape is read and an area of the tape is encountered where an image is encrypted, BPTM determines what tag is used and KMS loads that record and key into BPTM. Then BPTM provides the key to the drive and reading the tape proceeds as normal.

Commands:

Modify / Delete Key:
nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state active
nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state inactive
nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state deprecated
nbkmsutil -modifykey -keyname tech_talk_demo -kgname ENCR_kms_pool -state terminated
nbkmsutil -deletekey -keyname tech_talk_demo -kgname ENCR_kms_pool

List Keys:
nbkmsutil -listkeys -kgname ENCR_kms_pool

nbkmsutil -gethmkid
nbkmsutil -getkpkid

nbkmsutil -ksstats

Recover a Deleted Key:
nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 91dd7d476aa2e328c6ba6df5cde68dd09536d25ed5dbbcfe28c57f63480bc461

Create key:
nbkmsutil -createkey -keyname <keyname> -kgname <kg name> -activate

Recover KMS by regenerating the data encryption key:

You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records. (Must NOT use auto gen pass phrase for this)

nbkms -createemptydb
nbkmsutil -createkg -kgname ENCR_kms_pool   << Extra step not in manual
nbkmsutil -recoverkey -keyname tech_talk_demo_key -kgname ENCR_kms_pool -tag 91dd7d476aa2e328c6ba6df5cde68dd09536d25ed5dbbcfe28c57f63480bc461   (kmsttphrase)
nbkmsutil -modifykey -kgname ENCR_kms_pool -keyname KMS_TT -state active

KMS Logging

OID 286
bptm log


nesel
Level 4

Old Master server
    shut down NBU services
    backup/copy the KMS directory (usually contains a "db" and a "key" directory)

New Master server
    verify the NBU Master server software is installed
    paste your KMS backup/copy into the same directory path
    in Services, start "NetBackup Key Management Service"

Hope this answers your query, rookie11.

Thanks,

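As an added example (not code from this thread, nor from Symantec), a small POSIX sh script that does what nesel's copy procedure and mph999's quiesce/unquiesce note describe together: quiesce the KMS database, copy KMS_DATA.dat, KMS_HMKF.dat and KMS_KPKF.dat to a backup location with a checksum manifest, unquiesce, and later verify the pasted copy on the new master before the service is started. It assumes nbkmsutil is on PATH (override NBKMSUTIL for a dry run) and that sha256sum or shasum exists; the file names and directory layout are the ones the posts above give.

```shell
#!/bin/sh
# Added example, not from the thread or from the NetBackup product.
# Assumptions: POSIX sh; nbkmsutil on PATH (or NBKMSUTIL set to it;
# NBKMSUTIL=true gives a dry run); sha256sum or shasum available.
NBKMSUTIL="${NBKMSUTIL:-nbkmsutil}"
# The three files the answers above say make up KMS, relative to the kms dir.
KMS_FILES="db/KMS_DATA.dat key/KMS_HMKF.dat key/KMS_KPKF.dat"

# SHA-256 of one file, portable across GNU (sha256sum) and BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "relative-path sha256" for each KMS file under $1 ("MISSING" if absent).
kms_manifest() {
    for f in $KMS_FILES; do
        if [ -f "$1/$f" ]; then
            printf '%s %s\n' "$f" "$(sha256_of "$1/$f")"
        else
            printf '%s MISSING\n' "$f"
        fi
    done
}

# Quiesce KMS (required before copying the DB files), copy the three files
# from kms dir $1 to backup dir $2 with a manifest, and always unquiesce.
kms_export() {
    src="$1"; dest="$2"; rc=0
    "$NBKMSUTIL" -quiescedb || return 1
    mkdir -p "$dest/db" "$dest/key" || rc=1
    for f in $KMS_FILES; do
        [ "$rc" -eq 0 ] && cp -p "$src/$f" "$dest/$f" || rc=1
    done
    [ "$rc" -eq 0 ] && kms_manifest "$src" > "$dest/MANIFEST.sha256"
    "$NBKMSUTIL" -unquiescedb || rc=1
    return "$rc"
}

# On the new master: confirm all three files are present in $1 and match the
# manifest written at export time. Returns 0 if the copy is intact, else 1.
kms_verify() {
    dir="$1"; bad=0
    [ -f "$dir/MANIFEST.sha256" ] || { echo "no manifest in $dir"; return 1; }
    kms_manifest "$dir" > "$dir/.actual.sha256"
    if ! cmp -s "$dir/MANIFEST.sha256" "$dir/.actual.sha256"; then
        echo "KMS files differ from manifest (expected vs actual):"
        diff "$dir/MANIFEST.sha256" "$dir/.actual.sha256" || true
        bad=1
    fi
    rm -f "$dir/.actual.sha256"
    return "$bad"
}

# Usage: sh kms_migrate.sh export <kms_dir> <backup_dir>   (old master, NBU stopped)
#        sh kms_migrate.sh verify <pasted_kms_dir>          (new master, before start)
case "${1:-}" in
    export) kms_export "$2" "$3" ;;
    verify) kms_verify "$2" ;;
esac
```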

4 REPLIES 4

jim_dalton
Level 6

KMS keys aren't part of the catalog; you need to handle them manually. They can simply be copied, rookie.

You can prove they have been copied and are in the right place by running a few of the key utility commands on the target. It is covered in the encryption guide.

Jim

Nicolai
Moderator, Partner, VIP

Take a look at this tech note; I believe it has all the info you need. Having the passphrase is a good base because you can re-create KMS.

How to Export and Import Encryption Keys Using the NetBackup KMS

http://www.symantec.com/docs/TECH143390
