Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
KMS considerations
The following table describes the considerations that relate to the functionality and use of KMS.
Table: Considerations that relate to the functionality and use of KMS
Consideration | Description |
---|---|
New NBKMS service | The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes. |
New nbkmsutil KMS configuration utility | For security reasons, the KMS configuration utility can only be run from the master server as root or administrator. |
NetBackup wide changes | Changes were necessary throughout NetBackup for the following:
|
KMS installation and deployment decisions | Following are decisions you must make for KMS deployment:
|
KMS security | No burden is placed on existing NetBackup services with additional security concerns. |
Cipher types | |
KMS recoverability | You can use KMS in such a way where all of the encryption keys are generated from pass phrases. You can record these pass phrases and then use them at a later time to recreate the entire KMS for NetBackup. |
KMS files | KMS files associated with it where information on the keys is kept, as follows:
|
Key records | Key records contain many fields but the primary records are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata. These key records are defined as follows:
|
Key groups | Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one active state key record at any time. NetBackup supports 100 key groups. Only 10 encryption keys are allowed per key group. |
Tape drives and media capabilities | Drive, tape, and NetBackup capabilities must all match for drive encryption to be successful. A number of drives adhere to the T10 standard. Some well-known tape drives we support (that adhere to the T10 standard) are LT0-4, LT0-5, LT0-6, IBM TS1120/30/40, Oracle T10000B/C, and so on. You can still run earlier LTO versions for reading and writing but you cannot encrypt the data. For example, if you use LT02 media, that data can be read in LT04 drives but they cannot be written in either unencrypted or encrypted format. You must keep track of these drive issues and media issues as you run setup encryption. Not only do you need the drives that are capable of encryption but the media needs to be grouped and capable of encryption. For later decryption the tape must be placed in a drive that is capable of decryption. Refer to Table: Media support for encryption for brief information about interoperability between media and tape drives. Veritas recommends that you refer to vendor-specific user guides for detailed information. Refer to the article HOWTO56305 for more details. |
KMS with NBAC | Information on using KMS with NBAC is included where applicable in various sections of this document. For further information, refer to the NetBackup NBAC documentation. |
KMS with HA clustering | Information on using KMS with HA clustering is included where applicable in various sections of this document. For further information, refer to the NetBackup HA documentation |
KMS logging | The service uses the new unified logging and has been assigned OID 286. The nbkmsutil command uses traditional logging and its logs can be found in the file /usr/openv/netbackup/logs/admin/*.log. |
KMS with Cloud | Information on using KMS with Cloud providers is included where applicable in various sections of this document. For further information, refer to the NetBackup Cloud Administrator's Guide. |
KMS with AdvancedDisk | Information on using KMS with AdvancedDisk storage is included where applicable in various sections of this document. For further information, refer to the NetBackup AdvancedDisk Storage Solutions Guide. |
NBAC and KMS permissions | Typically when using NBAC and the Setupmaster command is run, the NetBackup related group permissions (for example, NBU_Admin and KMS_Admin) are created. The default root and administrator users are also added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded. The solution is to grant the root and administrator users NBU_Admin and KMS_Admin permissions manually. |
Table: Media support for encryption
Media | LTO4 tape drives | LTO5 tape drives | LTO6 tape drives |
---|---|---|---|
LTO-2 media | Read only no encryption support | Not supported | Not supported |
LTO-3 media | Read and Write no encryption support | Read only no encryption support | Not supported |
LTO-4 media | Read and Write encryption enabled | Read and Write encryption enabled | read-only encryption enabled |
LTO-5 media | Not supported | Read and Write encryption enabled | Read and Write encryption enabled |
LTO-6 media | Not supported | Not supported | Read and Write encryption enabled |