Using HSM (Thales or SafeNet) with NetBackup 7.x

Hi all,

I am a 'newbie' with regards to NetBackup so please excuse me if this is a dumb question...

I have a request to encrypt tape backups for regulatory reasons.  I realise that NetBackup has it's own encryption tools. I also understand that the use of a third-party tool for encryption (such as Safenet KeySecure) may open a can of worms and would add unneccessary complexity as well as possibly cause problems when de-crypting.

My question is - The keys for the NetBackup encryption (using the NetBackup encryption tools) would reside within the relevent devices NetBackup sits on.   But... Is it possible to use an HSM appliance to store the keys? - - i.e. rather than be located on a physical/virtual server... would it be possible to utlise an HSM (Thales or Safenet Luna) to keep the keys in a secure appliance as opposed to on a server somewhere?  

Any advice will be much appreciated.


best regards,




2 Replies

Re: Using HSM (Thales or SafeNet) with NetBackup 7.x

Not if you wanted to use for example, KMS or MSEO.

If the encryption solution is totally outside of NBU (eg. the HSM provides the keys to the drives for all backups) then as it's outside of NBU, NBU won;t know anything about it and it should work.

However, I'd not recommend it ...  KMS works fine, and as long as the keys are backed up / passphrases are known it's as safe as it can be.  The less complexity the better ...


Netbackup can't as of 7.7 use

Netbackup can't as of 7.7 use a external key mangement server. Keys has to be local defined.

But I know, its somthing being worked on, lets see what NBU 8.0 offer ...

All the documentation about "Data at rest encryption" (KMS) can be found at 

NetBackup 7.7.1 Security and Encryption Guide - Chapter 8