Restoring KMS encrypted data from tape

KSachaB
Level 3
Partner

Good day,

I've seen a lot of articles on how to install, configure and back up data to tape using KMS encryption. I have not seen anything on the procedure to restore the encrypted data from tape using the passphrase generated.

Does anyone know the step by step procedure?

Thank You

SplashMasterson
Level 4
Certified

Using this for reference.

Following all the steps you'll be able to populate this info:

HMK ID: MasterKeyName
Passphrase: MasterKeyPassphrase
KPK ID: Production_Encryptiion
Passphrase: KPK_ID_Passphrasse

kgname: ENCR_Example
passphrase: ENCR_Example_Passphrase

On step 8, when you actually create the key, you'll receive a Key Tag and a Salt that will look like this:

Key Tag : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Name : Encrypted_Prod
Current State : ACTIVE
Creation Time : Wed Aug 17 14:07:26 2016
Last Modification Time: Wed Aug 17 14:07:26 2016
Description : For Offsite Replication
FIPS Approved Key : Yes
Salt : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After all that is created you'll never need to enter the passphrase on a server that has this key. The restore will look at the KMS and just run the job without requiring input.

You only need the passphrase, and the data generated above, when you apply this key to a different/rebuilt server. If that is the case, you'll need all of the documentation above. The Master Key can be different, but the key group (kg) and key name will need to be the same. You do that with the nbkmsutil recovery option. https://www.veritas.com/support/en_US/article.000009714

nbkmsutil https://www.veritas.com/support/en_US/article.000093199

Thank you for this. So you are saying the restore process would locate the KMS data without intervention once available.

In the event I would like to restore data from an encrypted tape on the DR site I would need to import the KMS data there and then attempt the restore?

"So you are saying the restore process would locate the KMS data without intervention once available."

Correct. We only use ENCR volume pools and have never manually entered a passphrase to do a restore.

"In the event I would like to restore data from an encrypted tape on the DR site I would need to import the KMS data there and then attempt the restore?"

Correct again. The 2nd link on my previous comment explains how to import the KMS in a DR site. If that is your plan, I suggest importing the key in the DR site the same day you create the key, and running a test ASAP.

One more question. I want to set up KMS Encryption on both the Primary and DR sites, as there is a tape library at both. We want to be able to move media from Primary and restore in DR and vice versa. Can I import the KMS data from Primary to DR and DR to Primary without affecting the initial setup of KMS?

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

See this TN:

How to Export and Import Encryption Keys Using the NetBackup KMS 

http://www.veritas.com/docs/000009714

I failed to mention that I want to set up KMS on a NBU 5230 Appliance that functions as Master/Media, NetBackup v7.6.1.1 running SuSE Linux 11 with v2.6.1.1 appliance software. Is it true that KMS cannot be set up in this scenario?

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

It can be configured.

Supported with Appliance master/media as from 2.6.

See:

https://vox.veritas.com/t5/NetBackup-Appliance/NetBackup-KMS-when-appliance-is-master-media/m-p/7027...

mph999
Level 6
Employee Accredited

As I think you are aware, be very sure to set up KMS using passphrases that you create. That way, you can recreate the keys if required. If you allow the system to create the passphrase, it is 'random' and you are not informed, meaning if the keys are lost they cannot be recreated.

The KMS manual is actually quite good; if you work through and follow the steps, you will actually end up with working KMS ... You can then follow the steps in the guide to recreate the keys as a test, and back up the keys and restore them as an alternate way of recovery.

The KMS keys are not automatically backed up with the catalog, you have to do it manually. For obvious reasons, do not back up the keys to an encrypted tape ...

As per the guide, you have to 'export' the keys to back them up in a way that is recoverable.

KSachaB
Level 3
Partner

So I was able to set up KMS, but at the point of running the backup it failed with the error "Encryption unavailable on ENCR_Pool". From research this may be due to Application Managed Encryption not being enabled on the tape library (DELL ML6000), right?

mph999
Level 6
Employee Accredited

That would sound reasonable, yes. There is no license or anything required in NBU for KMS, but the hardware may be different (require a license, etc.) depending on hardware vendor.

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

Can you confirm the drive type in the library?

So I confirmed on the tape library that encryption is set to None and would need to be changed to Application Managed Encryption.

The link to import a keygroup into DR is not working. Is importing different from recovering? The reason I ask is that I followed this:

Use Case Four: Customer wants to ADD one or more keys from the KMS database at one site to a KMS database at a remote site.

NOTE: This can ONLY be accomplished if the key was generated using a pass phrase. If it was generated using a random number, it is not possible to add an existing key to another KMS database.

1. Use the nbkmsutil -listkeys command to obtain the key name, key group name and key tag for each key(s) you want to add to the remote site.

NOTE: For Step 2, although you don't need to provide the key name and key group name, only the key tag, it will provide consistency if you provide those names to the remote site and include those names when recovering the key(s) at the remote site.

2. Provide the remote site with the key name, key group name, key tag and pass phrase for each encryption key.
3. Use the nbkmsutil -recoverkey command at the remote site to create each key in the KMS database at the remote site.
4. Recovered keys are set to an inactive state (can be used for restores, but not backups), so you will need to use the nbkmsutil -modifykey command to change the state to active if you want to use the key for backups.

I used nbkmsutil -recoverykey to restore data in DR from backup that was done in Production. Am I doing this right?
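As an added example, not from this thread or from Veritas, here is a small Python script that parses nbkmsutil -listkeys output in the layout quoted earlier in the thread into the (key group, key name, key tag) tuples that step 2 above says to hand to the remote site, builds the matching -recoverkey command for step 3, and lists keys still INACTIVE after recovery (step 4). The sample output and its tag/salt values are constructed; the key-group header line and the -recoverkey option names are assumed from the documented syntax, so check them against the nbkmsutil help on your version.

```python
import re
# Constructed sample in the nbkmsutil -listkeys layout quoted in the thread (header line assumed, tags/salts fake).
SAMPLE_LISTKEYS = """\
Key Group Name : ENCR_Example
Key Tag : 1111111111111111111111111111111111111111111111111111111111111111
Key Name : Encrypted_Prod
Current State : ACTIVE
Creation Time : Wed Aug 17 14:07:26 2016
Last Modification Time: Wed Aug 17 14:07:26 2016
Description : For Offsite Replication
FIPS Approved Key : Yes
Salt : 2222222222222222222222222222222222222222222222222222222222222222
Key Tag : 3333333333333333333333333333333333333333333333333333333333333333
Key Name : Recovered_At_DR
Current State : INACTIVE
Description : Recovered via -recoverkey
Salt : 4444444444444444444444444444444444444444444444444444444444444444
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")  # "Label : value" lines

def parse_listkeys(text):
    """Return one dict per key; each record also carries its key group name."""
    keys, kgname, current = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Key Group Name":
            kgname = value
        elif label == "Key Tag":  # each key record starts with its tag
            current = {"Key Group Name": kgname, label: value}
            keys.append(current)
        elif current is not None:
            current[label] = value
    return keys

def escrow_records(keys):
    """(kgname, keyname, tag) per key for the remote site (step 2). The pass phrase
    is never in listkeys output; it travels out-of-band and is deliberately absent."""
    return [(k["Key Group Name"], k["Key Name"], k["Key Tag"]) for k in keys]

def recovery_command(kgname, keyname, tag):
    """-recoverkey invocation for step 3; nbkmsutil prompts for the pass phrase.
    Option names are assumed from the documented syntax; check nbkmsutil -help."""
    return f"nbkmsutil -recoverkey -kgname {kgname} -keyname {keyname} -tag {tag}"

def keys_needing_activation(keys):
    """Step 4: recovered keys land INACTIVE (restores only) until -modifykey."""
    return [k["Key Name"] for k in keys if k["Current State"] != "ACTIVE"]
```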