Problem
How to install and configure Key Management Service (KMS) encryption for tape on a NetBackup master server
Solution
NOTE: The following instructions apply only for backups going to tape drives that support encryption. To configure KMS for Media Server Deduplication (MSDP) or Cloud, please refer to the corresponding admin guides for those features.
To Install KMS for tape, take the following actions on the NetBackup master server:
1. Run the following command:
- Windows: ..\netbackup\bin\nbkms -createemptydb
- UNIX: /usr/openv/netbackup/bin/nbkms -createemptydb
2. Enter a passphrase for the Host Master Key (HMK) when prompted.
3. Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.
4. Enter a passphrase for the Key Protection Key (KPK).
5. Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.
6. Start the KMS service:
- Windows: Start > Run > Services.msc > Start the NetBackup Key Management Service
- UNIX: Run the following command: /usr/openv/netbackup/bin/nbkms
Step 7 below applies only to NetBackup 8.3 and later; on earlier versions the command does not exist and the step is not needed.
7. Run the following command to register the nbkms service with NetBackup web services:
- Windows: ..\netbackup\bin\nbkmscmd -discovernbkms
- UNIX: /usr/openv/netbackup/bin/nbkmscmd -discovernbkms
Note: The nbkmscmd command is used to configure KMS. All of these commands require NetBackup administrator privileges to run. Additionally, these operations require a bpnbat web log-on (bpnbat -login -loginType WEB) using an account that has NetBackup administrator privileges.
8. Create the key group. All key group names must have the prefix ENCR_.
- Windows: ..\netbackup\bin\admincmd\nbkmsutil -createkg -kgname ENCR_keygroup_name
- UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname ENCR_keygroup_name
9. Create a key record in the key group. The key group name given to -kgname must match the name of the volume pool the key will serve (ENCR_volumepoolname here):
- Windows: ..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"
- UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname ENCR_volumepoolname -keyname keyname -activate -desc "description"
The -activate option is optional; it skips the prelive state and creates the key as active.
10. Enter a passphrase for the key when nbkmsutil prompts for it, then enter it again to confirm.
In the following example, the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"
11. You can create another key record with the same command; a different key name and description help you tell the key records apart:
..\netbackup\bin\admincmd\nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"
Note: A key group has only one active key at a time. If you create more than one key record with -activate, only the last one created remains active. To make a different key the active one later, run nbkmsutil -modifykey -keyname <key_name> -kgname ENCR_volumepoolname -activate.
12. To list all of the keys that belong to a key group name, use the following command:
- Windows: ..\netbackup\bin\admincmd\nbkmsutil -listkeys -kgname ENCR_keygroup_name
- UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname ENCR_keygroup_name
Note: Veritas strongly recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.
13. To run an encrypted tape backup, you must have a policy that is configured to draw from a volume pool with the same name as your key group.
For example, if the key group name is "ENCR_backup", the volume pool name in NetBackup must also be "ENCR_backup".
14. When NetBackup runs a tape-encrypted backup, and you view the Images on Media report, you see the encryption key tag that is registered with the record. This key tag is your indication that what was written to tape was encrypted. The encryption key tag uniquely identifies which key was used to encrypt the data.
For more detailed information regarding KMS encryption and configuration, please see the NetBackup Security and Encryption Guide.
Note: In one reported case, the Detailed Status of a KMS-encrypted backup job showed items out of order. Investigation found a 5-minute clock difference between the master server and the media server; once the media server's clock was synchronized with the master server, KMS performance improved.
WORM media:
For standard tapes, volume pool names (and therefore the matching key group names) use the ENCR_ prefix. The prefix is case-sensitive.
For WORM tapes, the WENCR_ prefix is used instead.
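The following script is an added example, not Veritas code, that turns the rules above (case-sensitive ENCR_/WENCR_ prefix, a volume pool with the same name as the key group, exactly one active key per group, and keeping a record of key tags) into pre-flight checks you can run on the master server before the first encrypted backup. It assumes the standard UNIX install paths under /usr/openv, that `vmpool -listall -b` prints one pool name per line, and that `nbkmsutil -listkeys` output carries "Key Tag", "Key Name" and "Current State" fields in that order for each key; the embedded listkeys output is constructed sample data so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not Veritas code): pre-flight checks for a NetBackup KMS
# tape-encryption key group, run on the master server.
# Assumed paths; override via environment if your install differs.
NBU_ADMIN=${NBU_ADMIN:-/usr/openv/netbackup/bin/admincmd}
VOLMGR_BIN=${VOLMGR_BIN:-/usr/openv/volmgr/bin}

# Returns 0 if the key group name carries the required, case-sensitive prefix
# and something after it. kind is "tape" (ENCR_) or "worm" (WENCR_).
kg_name_ok() {
  name=$1; kind=${2:-tape}
  case $kind in
    tape) case $name in ENCR_?*) return 0 ;; esac ;;
    worm) case $name in WENCR_?*) return 0 ;; esac ;;
  esac
  return 1
}

# Counts keys in the Active state in nbkmsutil -listkeys output read on stdin.
# Anchored so that "Inactive" does not match. Prints 0 (not an error) when none.
count_active_keys() {
  grep -c '^[[:space:]]*Current State[[:space:]]*:[[:space:]]*Active[[:space:]]*$' || true
}

# Prints "keytag keyname state" per key: the record Veritas recommends keeping,
# because the key tag is what you need to recover a key later.
# Assumes the Key Tag and Key Name lines precede the Current State line.
key_records() {
  awk -F':' '
    /^[ \t]*Key Tag[ \t]*:/       { tag=$2;  gsub(/^[ \t]+|[ \t]+$/, "", tag) }
    /^[ \t]*Key Name[ \t]*:/      { name=$2; gsub(/^[ \t]+|[ \t]+$/, "", name) }
    /^[ \t]*Current State[ \t]*:/ { st=$2;   gsub(/^[ \t]+|[ \t]+$/, "", st); print tag, name, st }
  '
}

# Live check on a master server: valid name, matching volume pool, one active key.
# Usage: check_keygroup ENCR_pool1 tape   |   check_keygroup WENCR_pool1 worm
check_keygroup() {
  kg=$1; kind=${2:-tape}
  if ! kg_name_ok "$kg" "$kind"; then
    echo "bad key group name '$kg' for $kind media (prefix is case-sensitive)"; return 1
  fi
  # The policy's volume pool must have exactly the same name as the key group.
  if ! "$VOLMGR_BIN/vmpool" -listall -b | grep -qx "$kg"; then
    echo "no volume pool named '$kg'; the policy cannot select this key group"; return 1
  fi
  listing=$("$NBU_ADMIN/nbkmsutil" -listkeys -kgname "$kg") || return 1
  n=$(printf '%s\n' "$listing" | count_active_keys)
  if [ "$n" -ne 1 ]; then
    echo "expected 1 active key in $kg, found $n (use nbkmsutil -modifykey ... -activate)"; return 1
  fi
  echo "$kg OK; record these key tags somewhere safe:"
  printf '%s\n' "$listing" | key_records
}

# Constructed sample of -listkeys output (not real output) for offline testing.
SAMPLE_LISTKEYS='Key Group Name        : ENCR_pool1
Supported Cipher      : AES_256
Number of Keys        : 2
Has Active Key        : Yes
Description           : -

  Key Tag               : 0f1e2d3c4b5a69788796a5b4c3d2e1f0
  Key Name              : Q1_2008_key
  Current State         : Inactive
  Creation Time         : Tue Jan  1 10:00:00 2008
  Description           : key for Jan, Feb, & Mar

  Key Tag               : 00112233445566778899aabbccddeeff
  Key Name              : Q2_2008_key
  Current State         : Active
  Creation Time         : Tue Apr  1 10:00:00 2008
  Description           : key for Apr, May, & Jun'

if [ $# -gt 0 ]; then
  check_keygroup "$@"
fi
```

Run it as `sh kms_check.sh ENCR_pool1` (or `... WENCR_pool1 worm`) on the master server after step 13; the active-key count catches the case in the note above where several keys were created with -activate and only the last one is live, and the key_records output is the listing worth archiving.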