Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
About FIPS enabled KMS
NetBackup KMS can now be operated in the FIPS mode, wherein the encryption keys that you create are always FIPS approved. FIPS configuration is enabled by default.
When you create a new key, a salt is always generated with the new key. Providing the salt value is mandatory when you want to recover a key.
Consider the following example; hrs09to12hrs is a key created using an older version of NetBackup:
Key Group Name : ENCR_Monday
Supported Cipher : AES_256
Number of Keys : 8
Has Active Key : Yes
Creation Time : Wed Feb 25 22:46:32 2015
Last Modification Time: Wed Feb 25 22:46:32 2015
Description : -
Key Tag : 5e16a6ea988fc8ec7cc9bdbc230811b65583cdc0437748db4521278f9c1bbdf9
Key Name : hrs09to12hrs
Current State : ACTIVE
Creation Time : Wed Feb 25 22:50:01 2015
Last Modification Time: Wed Feb 25 23:14:18 2015
Description : active
The key hrs09to12hrs is moved from key group ENCR_Monday to a new key group ENCR_77.
C:\Program Files\Veritas\NetBackup\bin\admincmd>nbkmsutil -modifykey -keyname hrs09to12hrs -kgname ENCR_Monday -move_to_kgname ENCR_77
Key details are updated successfully
Now list all the keys of the ENCR_77 key group. Note that the new key Fips77 would be FIPS approved, but not hrs09to12hrs that was created using an older version of NetBackup.
C:\Program Files\Veritas\NetBackup\bin\admincmd>nbkmsutil -listkeys -kgname NCR_77
Key Group Name : ENCR_77 Supported
Cipher : AES_256
Number of Keys : 2
Has Active Key : Yes
Creation Time : Thu Feb 26 04:44:12 2015
Last Modification Time: Thu Feb 26 04:44:12 2015
Description : -
Key Tag : 5e16a6ea988fc8ec7cc9bdbc230811b65583cdc0437748db4521278f9c1bbdf9
Key Name : hrs09to12hrs
Current State : ACTIVE
Creation Time : Wed Feb 25 22:50:01 2015
Last Modification Time: Thu Feb 26 04:48:17 2015
Description : active
FIPS Approved Key : No
Key Tag : 4590e304aa53da036a961cd198de97f24be43b212b2a1091f896e2ce3f4269a6
Key Name : Fips77
Current State : INACTIVE
Creation Time : Thu Feb 26 04:44:58 2015
Last Modification Time: Thu Feb 26 04:48:17 2015
Description : active
FIPS Approved Key : Yes
Salt : 53025d5710ab36ac1099194fb97bad318da596e27fdfe1f2
Number of Keys: 2
The new key Fips77 is FIPS approved and also has a Salt value.
KMS with FIPS compliance is supported on the following platforms:
MS Windows Server 2012
Linux.2.6.16 x86-64 Suse-10
Linux.2.6.18 x86-64 RHEL-5
HP-UX IA64 11.31
AIX 5.3 TL12 SP2
AIX 5.3 TL12 SP2