Showing results for 
Search instead for 
Did you mean: 

Third-party key management for NetBackup encryption keys

If someone is doing encryption using NBU - Client, MSEO or KMS - can the encryption keys be stored and managed by something like SafeNet key management appliance? (SafeNet is KMIP compliant; I know NBU is as well)

1 Solution

Accepted Solutions
Accepted Solution!

NBU 7.7 wil be FIPS compliant

NBU 7.7 wil be FIPS compliant by the way

View solution in original post

8 Replies

I didn't think that NetBackup

I didn't think that NetBackup was KMIP compliant.  This question came up recently:


Take a look at the NetBackup

Take a look at the NetBackup Encryption White Paper located towards the end of this post:

...and have a read.  It won't take long.  It will help.  It really will.


A few years ago - I looked at utilising a third party key management product - and it is certainly possible to implement, there were several on the market at the time, but at the time it was all done without NetBackup really knowing anything about it.   In the end we went with NetBackup KMS, which with v7.6 can now handle about 100 different active 1:1 (one-to-one) associations between encryption key and NetBackup pool name.  And seeing as NetBackup KMS was free, easy to configure, easy to use, and didn't rely on any third party kit (therefore no worries about connectivity, configuration, cost, complexity, interoperability, administration, licensing, power, third party support - for the lifetime of the media )... then, well, really... it was a simple decision to go with NetBackup KMS.

So, unless you have some exacting Government standards to adhere to, which dictate the use of a FIPS compliant key management solution, then my advice would be to keep it simple.


AFAIK, none of NetBackup Client Encryption nor NetBackup MSEO nor NetBackup KMS can be used/configured to work with a KMIP compliant application.  In all these cases, I believe, each NetBackup environment/domain is an 'island' when it comes to encryption key management.

I agree with sdo ... Why on

I agree with sdo ...

Why on earth do you want to ake your life harder, just use KMS, it's free, it works, and I'll almost admit to it being easy ...

You can teach yourself KMS in an afternon, to a sufficient standard to use it safely - all you have to do is work through the examples in the manual.

Using KMS also has the bonus that you have support in one place if required.


Accepted Solution!

NBU 7.7 wil be FIPS compliant

NBU 7.7 wil be FIPS compliant by the way

View solution in original post

SDO, I have actually read the

SDO, I have actually read the entirety of the white paper you're referring to before.

From the white paper:

"The Key Management Interoperability Protocol (KMIP) allows integration between hosts and clients, enabling different key management systems and/or encryption engines to communicate such that all keys used throughout various end points could be stored (and possibly created) by a single key management system."

This clearly says that NBU is KMIP compatible. Hence, they can use it with SafeNet right? 

I completely agree with all of you about NetBackup KMS being easy to use and configure but I'm dealing with a customer who already uses SafeNet (a key management appliance that replaced NetApp's LKM and DataFort appliance combined - SafeNet also has an encryption product but our customer only uses the key management product.)

They are not willing to use any other key management product but at the same time, we are proposing that they use NBU for encryption from now on (the plan is to have them move away from a Brocade Encryption Switch for doing encryption to NBU - because the BES has been announced EOL)

The reasons why they want to keep using SafeNet for key management:

- they are a gov/financial firm and need a FIPS compliant key management solution

- they are already using SafeNet and would want to continue with it because of ease of use (for them)

I'm not sure how to put

I'm not sure how to put this... as I'm definitely not trying to put you down... but, I don't read it like that.  In my mind, it doesn't explicity state that KMIP is supported or even that it can be leveraged.  To me, the wordage seems to be making a point/distiction/description of how KMIP works in general, and not that NetBackup can use KMIP.  I've never seen KMIP referenced anywhere else in any NetBackup documentation - but then I've haven't read it all either.

However, this is not to say that it won't work.  Some third party key management solutions have the ability to talk to tape drives without NetBackup being any the wiser.  My advice would be to go to SafeNet and ask them for a WhitePaper on integration with NetBackup - or indeed any other third party backup product which also does not have KMIP integration.  I would think it highly likely that SafeNet have been asked this several times before.  If you don't get a straight answer from them first time, then try again, and try to punch through their 'sales' or 'sales tech support' barrier and see if you can talk to an actual engineer... as they'll know for sure.

Totally understand your

Totally understand your concern on making sure we get information from the right sources and can actually verify that NBU is KMIP compatible. (And don't worry - you're not putting me down, lol)

Just got this from SafeNet tech support - (funnily enough actual SafeNet engineering is pretty incompetent and I've been working with them for weeks and they can't even answer most of my questions...they just want to make a sale)

-Symmantec NetBackup 7.x is supported by KMIP integration with SafeNet KeySecure.

-KeySecure can manage keys created by NetBackup. 

That's all I really needed to know for our customer at this point. We'll probably be involving a NetBackup SE in the process as the project progresses and then we can see how to actually integrate them but it can be done. 

Yes, good point Nicolai.  By

Yes, good point Nicolai.  By default KMS generated keys are FIPs complaiant at 7.7, and if you don;t want this, you have an option to turn it off.