Veritas NetBackup™ Security and Encryption Guide
Listing keys from a key group
Use the following procedure to list all or selected keys that you created in a particular key group.
To list the keys in a key group
- To list the keys in a key group, enter the following command:
nbkmsutil -listkeys -kgname ENCR_mygroup
By default, nbkmsutil outputs the list in verbose format. The following is a non-verbose listing:
KGR ENCR_mygroup AES_256 1 Yes 134220503860000000 134220503860000000 -
KR my_latest_key Active 134220507320000000 134220507320000000 key for Jan, Feb, March data
Number of keys: 1
The following options help to list all keys from a specific key group or a specific key from a particular key group:
nbkmsutil -listkeys -all | -kgname <key_group_name> [ -keyname <key_name> | -activekey ]
[ -noverbose | -export ]
The -all option lists all the keys from all the key groups. The keys are listed in a verbose format.
The -kgname option lists the keys from the specified key group.
The -keyname option lists a specific key from the specified key group. It must be used with the -kgname option.
The -activekey option lists an active key from the specified key group. It must be used with the -kgname option.
Note:
The -activekey and -keyname options are mutually exclusive.
The -noverbose option lists the details of the keys and key groups in a formatted form (non-readable). The default is a verbose list.
The -export option generates an output that the key_file requires. (The key_file is used in nbkmsutil -export -path <key_container_path> -key_file file.) You can use the output for another key_file.
Run the following command to list all the keys from a specific key group:
nbkmsutil -listkeys -kgname <key_group_name>
Run the following command to list specific keys from a specific key group:
nbkmsutil -listkeys -kgname <key_group_name> -keyname <key_name>
Run the following command to list all keys from all groups:
nbkmsutil -listkeys -all
Run the following command to list the active keys from a specific key group:
nbkmsutil -listkeys -kgname <key_group_name> -activekey
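The non-verbose listing shown earlier is the form suited to scripted checks. The following is an added example, not part of the Veritas guide: a shell function that reads such a listing and reports, per key group, how many key records exist and whether any is in the Active state. The field layout is an assumption inferred from the sample line on this page, the second key group is constructed sample data, and the appearance of several groups in one listing is also assumed.

```shell
#!/bin/sh
# Added example: summarise non-verbose nbkmsutil -listkeys output from stdin.
# Assumed record layout, inferred from the sample listing on this page:
#   KGR <group> <cipher> <key_count> <has_active> <created> <modified> <description>
#   KR  <key>   <state>  <created>   <modified>   <description...>
# Output: one line per key group:
#   <group> <cipher> active=<n> total=<n> OK|NO_ACTIVE_KEY
summarize_keys() {
    awk '
        # A KGR record starts a new key group; report the previous one first.
        $1 == "KGR" { emit(); group = $2; cipher = $3; active = 0; total = 0; have = 1; next }
        # A KR record belongs to the most recent KGR record.
        $1 == "KR" && have { total++; if ($3 == "Active") active++; next }
        # Any other line (for example "Number of keys: 1") is ignored.
        END { emit() }
        function emit() {
            if (!have) return
            status = (active > 0) ? "OK" : "NO_ACTIVE_KEY"
            printf "%s %s active=%d total=%d %s\n", group, cipher, active, total, status
        }
    '
}

# Constructed sample input. The first group repeats the listing on this page;
# the second group (ENCR_oldgroup, retired_key) is made up for illustration.
sample_listing() {
    cat <<'EOF'
KGR ENCR_mygroup AES_256 1 Yes 134220503860000000 134220503860000000 -
KR my_latest_key Active 134220507320000000 134220507320000000 key for Jan, Feb, March data
KGR ENCR_oldgroup AES_256 1 No 134220503860000000 134220503860000000 -
KR retired_key Inactive 134220507320000000 134220507320000000 constructed sample record
Number of keys: 2
EOF
}

# Offline demonstration on the constructed sample.
sample_listing | summarize_keys

# Against a live KMS the same function would be fed from the command itself:
#   nbkmsutil -listkeys -kgname ENCR_mygroup -noverbose | summarize_keys
```

A group reported as NO_ACTIVE_KEY has key records but none in the Active state, which is worth reviewing before backups that use that key group are scheduled.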