Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- About Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- About AD and LDAP domains
- Security management using NetBackup CA and NetBackup certificates
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- External CA support in NetBackup
- About external CA support in NetBackup
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- Configuring an external certificate for the NetBackup web server
- About external certificate configuration for a clustered master server
- Configuration options for external CA-signed certificates for a virtual name
- About API keys in NetBackup
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
The following procedure describes how to install KMS.
For more information on configuring KMS in a Cloud storage environment refer to the NetBackup Cloud Administrator's Guide.
The KMS service is called nbkms.
The service does not run until the data file has been set up, which minimizes the effect on environments not using KMS.
To install KMS
- Run the nbkms -createemptydb command.
- Enter a pass phrase for the host master key (HMK). You can also press Enter to create a randomly generated key.
- Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.
- Enter a pass phrase for the key protection key (KPK).
- Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.
The KMS service starts when after you enter the ID and press Enter.
- Start the service by running the following command:
- Use the grep command to ensure that the service has started, as follows:
ps -ef | grep nbkms
- Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have a prefix ENCR_.
When using key management with Cloud storage, the ENCR_ prefix is not required for the key group name.
To create a (non-Cloud storage) key group use the following command syntax.
nbkmsutil -createkg -kgname ENCR_volumepoolname
The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.
To create a Cloud storage key group use the following command syntax.
nbkmsutil -createkg -kgname cloud_provider_URL:volume_name
- Create a key record by using the -createkey option.
nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname -activate -desc "message"
The key name and message are optional; they can help you identify this key when you display the key.
The -activate option skips the prelive state and creates this key as active.
- Provide the pass phrase again when the script prompts you.
In the following example the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"
- You can create another key record using the same command; a different key name and description help you distinguish they key records:
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"
If you create more than one key record by using the command nbkmsutil -kgname name -activate, only the last key remains active.
- To list all of the keys that belong to a key group name, use the following command:
nbkmsutil -listkeys -kgname keyname
Veritas recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.
The following command and output use the examples in this procedure.