cancel
Showing results for 
Search instead for 
Did you mean: 

Restoring KMS encrypted data from tape

KSachaB
Level 3
Partner

I recently configured NetBackup KMS on two appliances both production and DR sites. I was able to restore data from each site successfully. 

I attempted a restore of data from media that was backed up in Production to restore in DR using the following steps: 

 

Use Case Four: Customer wants to ADD one of more keys from the KMS database at one site to a KMS database at a remote site.
 
NOTE: This can ONLY be accomplished if the key was generated using a pass phrase. If it was generated using a random number, it is not possible to add an existing key to another KMS database.
 
1.       Use the nbkmsutil –listkeys command to obtain the key name, key group name and key tag for each key(s) you want to add to the remote site.
 
NOTE: For Step 2, although you don’t need to provide the key name and key group name, only the key tag, it will provide consistency if you provide those names to the remote site and include those names when recovering the key(s) at the remote site.
 
2.       Provide the remote site with the key name, key group name, key tag and pass phrase for each encryption key.
3.       Use the nbkmsutil –recoverkey command at the remote site to create each key in the KMS database at the remote site.
4.       Recovered keys are set to an inactive state (can be used for restores, but not backups), so you will need to use the nbkmsutil –modifykey command to change the state to active if you want to use the key for backups.
 
 
I used nbkmsutil -recoverykey to restore data in DR from backup that was done in Production. Am I doing this right?
 
When I run an import job using the two phases i get the following: 
 
09/29/2016 12:01:01 - Error bptm (pid=122176) NBKMS failed with error status: KAD did not match any key records (1261)09/29/2016 12:01:01 - Error bptm (pid=122176) cannot read image from media id 2979L4, drive index 3, no key is available to decrypt data
 
Any assistance is appreciated. 
 
Thank You
 
 
 
 
 

 

 

5 REPLIES 5

Nicolai
Moderator
Moderator
Partner    VIP   

Plese refer to page 310 in the security and ecncryption guide

http://www.veritas.com/docs/000004642

The key need to be in either active or inactive state in order to read encrypted data. Pleasee check the state of the imported key

From the above mentioned document:

Note: Keys can be created in either the prelive state or the active state. Active key records are available for both backup and restore operations. An inactive key is only available for restore operations. Deprecated keys are not available for use. If your key record is in the deprecated state and you attempt to do a backup or restore with that key record, it can fail. A key record that is in the terminated state can be removed from the system

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

@KSachaB please always quote the document or URL where you copy & paste from. e.g. 
http://www.veritas.com/docs/000009714 

The key is in an active state. One question though. If i need only one key from Production in DR do I need to copy the following files to DR? 

 KMS_DATA.dat (DATA file) is located in the /kms/db/ directory

 KMS_HMKF.dat (HMKF file) is located in the /kms/key/ directory

KMS_KPKF.dat (KPKF file) is located in the /kms/key/ directory
Also did i do the correct thing by running the recover command?
 

Nicolai
Moderator
Moderator
Partner    VIP   

No - you should not copy those files, as you will loose the keys defined in the DR KMS database (if any).

I recommend follwing the best pratices outlined in :

http://www.veritas.com/docs/000009714

Please consider to use well known passphrases (stored in a safe place), then is just a qustion of re-creating the keys without copying KMS files forth and back.

I did follow the recommended article. Every step. Not sure what went wrong. When I do listkeys on DR it is the same as in Production.