
KMS not work

soolean
Level 4

I set the kms operations. I also assigned a cassette to the volume pool I created.

I took a backup, but when I did the restore process, I could not see any encryption

What checks would you recommend me to do


Nicolai
Moderator
Partner VIP

StoneRam-Simon
Level 6
Partner VIP Accredited Certified

If you are writing to an LTO4 or later LTO drive it will be using hardware encryption, and nothing more than the volume pool is going to identify that that is the case.

If you had a volume pool called ENCR_MyData and a KMS key called ENCR_MyData, and the policy was configured to use the volume pool ENCR_MyData:

When the backup starts, NetBackup looks to see if there is any media already in the ENCR_MyData pool.

If it finds a media in the ENCR_MyData pool it will load that into the drive.

If the volume pool starts with ENCR_, NetBackup will also look in KMS for a matching key with the name ENCR_MyData, retrieve the key and send it to the drive to allow it to enable encrypted read/write.

If the policy is telling NetBackup to use the ENCR_MyData pool and no media exists in that pool, it will look for a tape in the Scratch pool (if one exists) and will move that tape to the ENCR_MyData pool.

The main thing to ensure is that the volume pool and the KMS key BOTH have exactly the same name, and BOTH must start with ENCR_.
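As an added illustration (not code from this thread, and not a Veritas tool), here is a small Python check of the naming rule described above: every volume pool whose name starts with ENCR_ needs a KMS key with exactly the same name. The pool and key names below are constructed sample values; in practice you would feed it the names taken from your own volume pool and KMS key listings. It also flags the near-misses that are easy to overlook in a console (case or whitespace differences, and pools whose prefix is not literally ENCR_, which NetBackup would treat as unencrypted pools).

```python
"""Check NetBackup KMS pool/key naming: an ENCR_ volume pool must have a
KMS key (group) whose name matches it exactly.

Added example; pool and key names are constructed, not taken from a real system.
"""

ENCR_PREFIX = "ENCR_"

# Constructed sample data standing in for the output of your pool and key listings.
SAMPLE_POOLS = ["NetBackup", "Scratch", "ENCR_MyData", "ENCR_Finance", "encr_HR", "ENCR_Archive"]
SAMPLE_KEYS = ["ENCR_MyData", "ENCR_finance", "ENCR_Old"]


def _normalise(name):
    # Collapse the two differences that most often hide a mismatch:
    # surrounding whitespace and letter case.
    return name.strip().upper()


def check_encryption_naming(volume_pools, kms_keys):
    """Compare volume pool names against KMS key names.

    Returns a dict with:
      ok           - ENCR_ pools with an exactly matching key
      missing_key  - ENCR_ pools with no key at all
      near_miss    - (pool, [keys]) pairs that differ only in case/whitespace
      bad_prefix   - pools that look like ENCR_ pools but whose prefix is not
                     exactly 'ENCR_', so KMS would never be consulted for them
      orphan_key   - ENCR_ keys that no pool refers to
    """
    keys_exact = set(kms_keys)
    keys_by_norm = {}
    for key in kms_keys:
        keys_by_norm.setdefault(_normalise(key), []).append(key)

    report = {"ok": [], "missing_key": [], "near_miss": [], "bad_prefix": [], "orphan_key": []}
    matched_keys = set()

    for pool in volume_pools:
        if pool.startswith(ENCR_PREFIX):
            if pool in keys_exact:
                report["ok"].append(pool)
                matched_keys.add(pool)
            elif _normalise(pool) in keys_by_norm:
                candidates = keys_by_norm[_normalise(pool)]
                report["near_miss"].append((pool, candidates))
                matched_keys.update(candidates)
            else:
                report["missing_key"].append(pool)
        elif _normalise(pool).startswith(ENCR_PREFIX):
            # e.g. "encr_HR" or " ENCR_HR": intended as encrypted, but the
            # prefix rule is an exact string match, so it would write in the clear.
            report["bad_prefix"].append(pool)
        # Any other pool is an ordinary unencrypted pool and needs no key.

    for key in kms_keys:
        if key.startswith(ENCR_PREFIX) and key not in matched_keys:
            report["orphan_key"].append(key)
    return report


def has_problems(report):
    """True if anything other than the 'ok' bucket is non-empty."""
    return any(report[k] for k in report if k != "ok")


if __name__ == "__main__":
    result = check_encryption_naming(SAMPLE_POOLS, SAMPLE_KEYS)
    for bucket, entries in result.items():
        print(f"{bucket:12}: {entries}")
    print("problems found" if has_problems(result) else "naming looks consistent")
```

Only the "ok" bucket means a backup to that pool will be written encrypted with a retrievable key; anything in the other buckets is worth fixing before trusting a restore test.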


mph999
Level 6
Employee Accredited

Personally I would terminate the nbkms process (nbkms -terminate) and then try to restore one of your backups; it will fail, because it can't retrieve the keys.

Restart the process (nbkms) and then try the restore again; it should work.

A more advanced way is to look in the NB DB (either Sybase or Postgres depending on version) and look for the KMS key tag alongside the entry of the backup in the image table.

A potentially destructive way (because you have to be very careful) is to delete the KMS key(s) and try the restore; again, it should fail. This should only be done if you either have a backup of the KMS keys, or know how to recreate the same keys, or are using test backups that you don't care about.
Please read the manuals about how to recreate/backup the KMS keys. What I recommend:
Using a test system, or a system where you don't care about the keys in case it goes wrong ....

Setup KMS and run a test backup or two.
Stop kms and prove it's encrypted by attempting a restore
Read the manual as to what information you need to recreate keys from scratch
Backup the KMS DB as per the steps in the manual
Delete the KMS DB - nbkms -createemptydb
Recover the DB from your backup
Run test restore to prove it works
Delete the KMS DB again
Recover the keys by recreating them, using key tag, salt value, passphrase
Run a restore again to prove it works

Now you should have the knowledge, and have proven two different methods to recover the keys.

** DO NOT DO THE ABOVE IF YOU HAVE REAL ENCRYPTED BACKUPS AND YOU ARE UNSURE WHAT YOU ARE DOING, TEST SYSTEM ONLY, OR BACKUPS THAT YOU DON'T CARE ABOUT **

If you do NOT know how to recover keys, and have not proven you can do so, do NOT encrypt real backups, because if something goes wrong, Veritas have no way to recover keys for you; there is no 'backdoor'.