Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
Managing legacy encryption key files
This topic describes managing legacy encryption key files.
Each NetBackup client that does encrypted backups and restores needs a key file. The key file contains the data that the client uses to generate DES keys to encrypt backups.
You can use the bpkeyfile command on the client to manage the key file. Check the bpkeyfile command description in the NetBackup Commands Reference Guide for a detailed description.
The first thing that you need to do is to create a key file if it does not already exist. The key file exists if you set a pass phrase from the bpinst -LEGACY_CRYPT command from the server to this client name.
For Windows clients, the default key file name is as follows
For UNIX clients, the default key file name is as follows
NetBackup uses a key file pass phrase to generate a DES key, and it uses the DES key to encrypt a key file.
Generally, you use the key file pass phrase that is hard-coded into NetBackup applications. However, for added security you may want to use your own key file pass phrase.
If you do not want to use your own key file pass phrase, do not enter a new key file pass phrase. Instead, use the standard key file pass phrase and enter a new NetBackup pass phrase.
To create the default key file on a UNIX client that is encrypted with the standard key file pass phrase, enter a command such as the following:
bpkeyfile /usr/openv/var/keyfile Enter new keyfile pass phrase: (standard keyfile pass phrase) Re-enter new keyfile pass phrase: (standard keyfile pass phrase) Enter new NetBackup pass phrase: *********************** Re-enter new NetBackup pass phrase: ***********************
You may enter new NetBackup pass phrases fairly often. Information about old pass phrases is kept in the key file. This method lets you restore any data that was encrypted with DES keys generated from old pass phrases. You can use the -change_netbackup_pass_phrase (or -cnpp) option on the bpkeyfile command to enter a new NetBackup pass phrase.
If you want to enter a new NetBackup pass phrase on a Windows client, enter a command similar to the following example:
bpkeyfile.exe -cnpp install_path\NetBackup\var\keyfile.dat Enter old keyfile pass phrase: (standard keyfile pass phrase) Enter new NetBackup pass phrase: ********** Re-enter new NetBackup pass phrase: **********
You must ensure that pass phrases, whether they are new or were in use previously, are secure and retrievable. If a client's key file is damaged or lost, you need all of the previous pass phrases to recreate the key file. Without the key file, you cannot restore the files that were encrypted with the pass phrases.
The key file must only be accessible to the administrator of the client machine.
For a UNIX client, you must ensure the following:
The owner is root.
The mode bits are 600.
The file is not on a file system that can be NFS mounted.
You must consider whether to back up your key file. For encrypted backups, such a backup has little value, because the key file can only be restored if the key file is already on the client. Instead, you can set up a NetBackup policy that does non-encrypted backups of the key files of the clients. This policy is useful you require an emergency restore of the key file. However, this method also means that a client's key file can be restored on a different client.
If you want to prevent the key file from being backed up, add the key file's path name to the client's exclude list.