08-22-2016 06:43 AM
Good day,
I've seen a lot of articles on how to install, configure and backup data to tape using KMS encryption. I have not seen anything on the procedure to restore the encrypted data from tape using the passphrase generated.
Does anyone know the step by step procedure?
Thank You
08-22-2016 10:32 AM - edited 08-22-2016 10:36 AM
Using this for reference.
Following all the steps you'll be able to populate this info:
HMK ID: MasterKeyName
Passphrase: MasterKeyPassphrase
KPK ID: Production_Encryptiion
Passphrase: KPK_ID_Passphrasse
kgname: ENCR_Example
passphrase: ENCR_Example_Passphrase
On step 8, when you actually create the key, you'll receive a Key Tag and a Salt that will look like this:
Key Tag : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Name : Encrypted_Prod
Current State : ACTIVE
Creation Time : Wed Aug 17 14:07:26 2016
Last Modification Time: Wed Aug 17 14:07:26 2016
Description : For Offsite Replication
FIPS Approved Key : Yes
Salt : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
After all that is created you'll never need to enter the passphrase on a server that has this key. The restore will look at the KMS and just run the job without requiring input.
You only need the passphrase, and the data generated above, when you apply this key to a different/rebuilt server. If that is the case, you'll need all of the documentation above. The Master Key can be different, but the key group (kg) and key name will need to be the same. You do that with the nbkmsutil recovery option. https://www.veritas.com/support/en_US/article.000009714
nbkmsutil https://www.veritas.com/support/en_US/article.000093199
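As an added example that is not part of any post in this thread: a small Python script that parses the key record quoted above into fields and checks that the items the post says you need to apply the key on a different or rebuilt server (key tag, salt, key name, key group name, and the passphrase you chose) are all recorded. The key tag and salt values are constructed placeholders, and the field-name parsing is an assumption based on the layout of the quoted output.

```python
"""Parse the key record nbkmsutil prints when a key is created and check
that everything needed to recreate the key on a rebuilt server was kept.
Added example; field names follow the output quoted in the thread, and the
key-tag and salt values are constructed placeholders, not real values."""
import re

# Constructed sample in the same layout as the quoted nbkmsutil output.
SAMPLE_RECORD = """\
Key Tag : 1111111111111111111111111111111111111111111111111111111111111111
Key Name : Encrypted_Prod
Current State : ACTIVE
Creation Time : Wed Aug 17 14:07:26 2016
Last Modification Time: Wed Aug 17 14:07:26 2016
Description : For Offsite Replication
FIPS Approved Key : Yes
Salt : 22222222222222222222222222222222
"""

# "Field : value" or "Field: value"; the field name is letters and spaces.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_key_record(text):
    """Return {field: value}. Only the first colon separates field from
    value, so timestamps such as 14:07:26 stay intact."""
    record = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            record[match.group(1)] = match.group(2)
    return record


# Per the thread: to apply the key on another server you need the key tag
# and salt from creation, the same key group and key name, and the passphrase.
REQUIRED_FIELDS = ("Key Tag", "Key Name", "Salt")


def recovery_checklist(record, kgname, key_passphrase):
    """Return a list of problems; an empty list means the record is complete
    enough for the nbkmsutil recovery procedure the thread refers to."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = record.get(field, "")
        if not value:
            problems.append(f"missing {field}")
        elif set(value) == {"x"}:
            # A value written down as xxxx (as in the forum post) is redacted,
            # not recorded; recovery needs the real string.
            problems.append(f"{field} is redacted, copy the real value")
    if not kgname:
        problems.append("missing key group name (kgname)")
    if not key_passphrase:
        problems.append("missing key passphrase (a system-generated passphrase cannot be recovered)")
    return problems


if __name__ == "__main__":
    rec = parse_key_record(SAMPLE_RECORD)
    print(rec["Key Name"], recovery_checklist(rec, "ENCR_Example", "ENCR_Example_Passphrase"))
```

Run it against the text you pasted into your recovery documentation; anything it reports is something you would be unable to supply when recreating the key at the DR site.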
08-22-2016 10:44 AM
Thank you for this. So you are saying the restore process would locate the KMS data without intervention once available.
In the event I would like to restore data from an encrypted tape on the DR site I would need to import the KMS data there and then attempt the restore?
08-22-2016 10:52 AM
"So you are saying the restore process would locate the KMS data without intervention once available."
Correct. We only use ENCR volume pools and have never manually entered a passphrase to do a restore.
"In the event I would like to restore data from an encrypted tape on the DR site I would need to import the KMS data there and then attempt the restore?"
Correct again. The 2nd link on my previous comment explains how to import the KMS in a DR site. If that is your plan, I suggest importing the key in the DR site the same day you create the key, and running a test ASAP.
08-23-2016 06:46 AM
One more question. I want to set up KMS Encryption on both the Primary and DR as there is a tape library at both sites. We want to be able to move media from Primary and restore in DR and vice versa. Can I import the KMS data from Primary to DR and DR to Primary without affecting the initial setup of KMS?
08-23-2016 06:50 AM
See this TN:
http://www.veritas.com/docs/000009714
08-23-2016 08:41 AM
I failed to mention that I want to set up KMS on a NBU 5230 Appliance that functions as Master/Media NetBackup v7.6.1.1 running SuSE Linux 11 with v2.6.1.1 appliance software. Is it true that KMS cannot be set up in this scenario?
08-23-2016 08:48 AM - edited 08-23-2016 08:50 AM
It can be configured.
Supported with Appliance master/media as from 2.6.
See:
08-23-2016 12:44 PM
As I think you are aware, be very sure to set up KMS using passphrases that you create. That way, you can recreate the keys if required. If you allow the system to create the passphrase, it is 'random' and you are not informed, meaning if the keys are lost they cannot be recreated.
The KMS manual is actually quite good, if you work through and follow the steps, you will actually end up with working KMS ... You can then follow the steps in the guide to recreate the keys as a test, and backup the keys and restore them as an alternate way of recovery.
The KMS keys are not automatically backed up with the catalog, you have to do it manually. For obvious reasons, do not back up the keys to an encrypted tape ...
As per the guide, you have to 'export' the keys to back them up in a way that is recoverable.
08-24-2016 06:38 AM
So I was able to set up KMS, but at the point of running the backup it failed with the error "Encryption unavailable on ENCR_Pool". From research this may be due to Application Managed Encryption not being enabled on the tape library (DELL ML6000), right?
08-24-2016 11:27 PM
That would sound reasonable, yes; there is no license or anything required in NBU for KMS, but the hardware may be different (require a license etc.) depending on the hardware vendor.
08-24-2016 11:46 PM
08-25-2016 05:05 AM
So I confirmed on the tape library that encryption is set to None and would need to be changed to Application Managed Encryption.
09-29-2016 09:00 AM
The link to import a keygroup into DR is not working. Is importing different from recovering? The reason I ask is I followed this: