How to verify KMS encrypted the backup

Article: 100001241
Last Published: 2012-10-03
Product(s): NetBackup & Alta Data Protection

Problem

How to verify KMS encrypted the backup

Solution

Use the following steps to verify that a backup was encrypted properly using KMS:

1) Run the following command on the Master Server to obtain the Key Group Name, Key Name and Key Tag:

UNIX: <install_path>/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname <Key_Group_name>
Windows: <install_path>\netbackup\bin\admincmd\nbkmsutil -listkeys -kgname <Key_Group_name>

The output will look like the following:

# nbkmsutil -listkeys -kgname ENCR_xxxxxx

Key Group Name        : ENCR_xxxxxx
Supported Cipher      : AES_256
Number of Keys        : 1
Has Active Key        : Yes
Creation Time         : Sun Dec 20 23:18:23 2009
Last Modification Time: Sun Dec 20 23:18:23 2009
Description           : -

Key Tag    : abcdabcdabcdabcdabcdabcdabcdabcdabc1234bx1a24bx1a124xa213bxa2
Key Name              : ENCR_xxxxxx_testkey
Current State         : Active
Creation Time         : Sun Dec 20 23:45:24 2009
Last Modification Time: Sun Dec 20 23:45:24 2009
Description           : Test key


There are three ways you can confirm that KMS encrypted the backup:

OPTION 1:

Obtain a backup ID for a backup that was encrypted using KMS by searching for the backup in the Admin Console under NetBackup Management > Catalog.

Use the backup id in the following command:

UNIX: <install_path>/NetBackup/bin/admincmd/bpimagelist -backupid <backup_id> -L
Windows: <install_path>\NetBackup\bin\admincmd\bpimagelist -backupid <backup_id> -L

At the bottom of the output, confirm that the backup used the Key Tag listed in the output of the command nbkmsutil -listkeys -kgname ENCR_xxxxxx.
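The comparison in Option 1 can be scripted. The following is an added example, not part of this article or of the NetBackup product, which assumes the output of the two commands has been saved to files (for example nbkmsutil -listkeys -kgname ENCR_xxxxxx > keys.txt and bpimagelist -backupid <backup_id> -L > image.txt); the sample texts inside it are constructed, and only the key tag value is matched, so the field labels of your bpimagelist output do not matter.

```shell
# Added example: cross-check a backup image listing against the key tags of a KMS
# key group. Assumes saved command output; sample data below is constructed.

# Print "<key_tag> <key_name>" for every key in nbkmsutil -listkeys output.
# As in the article's output, each "Key Tag" line precedes its "Key Name" line.
kms_key_tags() {
    awk -F': *' '
        /^Key Tag/  { tag = $2 }
        /^Key Name/ { sub(/[ \t]+$/, "", $2); print tag, $2 }
    ' "$1"
}

# Status 0 and the key name on stdout if the image listing contains a tag from
# the group; status 1 if nothing matches, which is also what a missing or "0"
# tag (the 7.5.0.x defect mentioned under Option 2) produces.
image_uses_group_key() {
    keys_file=$1
    image_file=$2
    kms_key_tags "$keys_file" | {
        while read -r tag name; do
            [ -n "$tag" ] && [ "$tag" != "0" ] || continue
            if grep -qF -- "$tag" "$image_file"; then
                printf '%s\n' "$name"
                exit 0
            fi
        done
        exit 1
    }
}

# Constructed sample mirroring the article's nbkmsutil output.
SAMPLE_KEYS='Key Group Name        : ENCR_xxxxxx
Supported Cipher      : AES_256

Key Tag    : abcdabcdabcdabcdabcdabcdabcdabcdabc1234bx1a24bx1a124xa213bxa2
Key Name              : ENCR_xxxxxx_testkey
Current State         : Active'

# Constructed excerpt of an image listing carrying the same tag near its end.
SAMPLE_IMAGE='Backup ID: host01_1261400000
Policy: kms_encrypted_policy
Key Tag: abcdabcdabcdabcdabcdabcdabcdabcdabc1234bx1a24bx1a124xa213bxa2'

# Run the check on the constructed samples; prints the matching key name.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEYS"  > "$dir/keys.txt"
    printf '%s\n' "$SAMPLE_IMAGE" > "$dir/image.txt"
    if image_uses_group_key "$dir/keys.txt" "$dir/image.txt"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

Run it against real files with image_uses_group_key keys.txt image.txt; a nonzero exit means the image carries no valid tag from that key group.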

OPTION 2:

In the Admin Console, go to NetBackup Management > Reports > Tape Reports > Images on tape.
(Right-click in the white space on the right side of the Admin Console and select Columns > Layout, then make sure the Encryption Key Tag column is shown / unhidden.)

Run the report to find the backup that was encrypted by KMS; the key tag should be listed in the Encryption Key Tag column. This can be confirmed against the output of the command nbkmsutil -listkeys -kgname ENCR_xxxxxx.

Note: In NetBackup 7.5.0.x, if no key tag (or "0") is displayed where a key tag is expected, you may be experiencing a NetBackup defect. This defect was resolved in NetBackup 7.5.0.4.

OPTION 3:

This option changes the state of the key used during the backup to Deprecated (a state in which the record cannot be used for encryption or decryption). More information about this can be found in the NetBackup Security and Encryption Guide (linked below).

Note:
Key record states are prelive, active, inactive, deprecated, and terminated. Key record states adhere to a key record life cycle. Once a key has entered the Active state (that is, it is set up for encryption), the key must progress in proper order through the life cycle. The proper order includes passing from one state to its adjacent state. A key cannot bypass any of the states.

Between the active state and the terminated state, the record can move one state at a time in either direction. Outside of this state range, the transitions are one-directional. Deleted key records cannot be recovered (unless they were created using a passphrase), and active keys cannot be moved back to the prelive state.

The following is an example of changing the state of an Active key before performing a restore, and having that restore fail because the key is in a Deprecated state. This is done on the Master Server using the output of the nbkmsutil -listkeys -kgname ENCR_xxxxxx command as documented at the top of this article.

From path:

UNIX: <install_path>/netbackup/bin/admincmd/
Windows: <install_path>\netbackup\bin\admincmd\

# nbkmsutil -modifykey -keyname ENCR_xxxxxx_testkey -kgname ENCR_xxxxxx -state inactive

# nbkmsutil -modifykey -keyname ENCR_xxxxxx_testkey -kgname ENCR_xxxxxx -state deprecated


Confirm the state has been changed to Deprecated:
# nbkmsutil -listkeys -kgname ENCR_xxxxxx

Now, attempt a restore of the encrypted data that was backed up using that key - it should fail.

To return the Deprecated Key back to an Active state, enter the following commands:

# nbkmsutil -modifykey -keyname ENCR_xxxxxx_testkey -kgname ENCR_xxxxxx -state inactive

# nbkmsutil -modifykey -keyname ENCR_xxxxxx_testkey -kgname ENCR_xxxxxx -state active


With the following command, confirm the state has been changed back to the state you desire. In the above example we returned it to Active.

# nbkmsutil -listkeys -kgname ENCR_xxxxxx

References

Etrack: 2793446