Veritas NetBackup™ Cloud Administrator's Guide
- About NetBackup cloud storage
- About the cloud storage
- About the Amazon S3 cloud storage API type
- About protecting data in Amazon for long-term retention
- Protecting data using Amazon's cloud tiering
- About using Amazon IAM roles with NetBackup
- Protecting data with Amazon Snowball and Amazon Snowball Edge
- About Microsoft Azure cloud storage API type
- About OpenStack Swift cloud storage API type
- Configuring cloud storage in NetBackup
- Scalable Storage properties
- Cloud Storage properties
- About the NetBackup CloudStore Service Container
- About the NetBackup media servers for cloud storage
- Configuring a storage server for cloud storage
- NetBackup cloud storage server properties
- Configuring a storage unit for cloud storage
- Changing cloud storage disk pool properties
- Monitoring and Reporting
- Operational notes
- About unified logging
- About legacy logging
- Troubleshooting cloud storage configuration issues
- Troubleshooting cloud storage operational issues
About key management for encryption of NetBackup cloud storage
NetBackup uses the Key Management Service (KMS) to manage the keys for the data encryption for disk storage. KMS is a NetBackup master server-based symmetric key management service. The service runs on the NetBackup master server. An additional license is not required to use the KMS functionality.
NetBackup uses KMS to manage the encryption keys for cloud storage.
The following table describes the keys that are required for the KMS database. You can enter the pass phrases for these keys when you use the Cloud Storage Server Configuration Wizard.
Table: Encryption keys required for the KMS database
Host Master Key
The Host Master Key protects the key database. The Host Master Key requires a pass phrase and an ID. KMS uses the pass phrase to generate the key.
Key Protection Key
A Key Protection Key protects individual records in the key database. The Key Protection Key requires a pass phrase and an ID. KMS uses the pass phrase to generate the key.
The following table describes the encryption keys that are required for each storage server and volume combination. If you specify encryption when you configured the cloud storage server, you must configure a pass phrases for the key group for the storage volumes. You enter the pass phrase for these keys when you use the Disk Pool Configuration Wizard.
Table: Encryption keys and key records for each storage server and volume combination
Key group key
A key group key protects the key group. Each storage server and volume combination requires a key group, and each key group key requires a pass phrase. The key group name must use the format for the storage type that is described as follows:
For cloud storage, the following is the format:
The following items describe the requirements for the key group name components for cloud storage:
The Disk Pool Configuration Wizard conforms to this format when it creates a key group.
Each key group that you create requires a key record. A key record stores the actual key that protects the data for the storage server and volume.
A name for the key record is optional. If you use a key name, you can use any name. Veritas recommends that you use the same name as the volume name. The Disk Pool Configuration Wizard does not prompt for a key record key; it uses the volume name as the key name.
More information about KMS is available in the NetBackup Security and Encryption Guide.