Configuring keys in an external KMS for NetBackup consumption
NetBackup can use the keys that are already created in an external KMS or you can create keys in an external KMS using NetBackup, for which the NetBackup master server needs to be authorized to create keys.
NetBackup can discover the keys that are created in an external KMS for the NetBackup use. Specify custom attributes x-application and x-keygroup while generating keys or associate these attributes to the existing keys, so NetBackup can determine the keys to be used. NetBackup uses any key that has these attributes for encryption purpose.
Key group name for tape volume pool must have ENCR_ as a prefix.
Consider the following example: You have configured a tape volume pool with name ENCR_P1. The volume pool name suggests that the backup images in this volume pool are encrypted.
x-keygroup is case-sensitive and it should exactly match the volume pool name.
To configure keys
- Create a key in an external KMS with the custom attribute x-keygroup and its value as ENCR_P1.
- Set the custom attribute x-application with its value as NetBackup to indicate that this key belongs to NetBackup.
- For the keys that are already created and are to be used for encryption for this volume pool, you can create the custom attributes.
- To set these attributes, you can use the user interface that the respective KMS vendor has specified.
If the user interface of the KMS vendor does not support adding and setting custom attributes, you can use the nbkmiputil command to set the attributes for the keys.
nbkmiputil -kmsServer kms_server_name -port 5696 -certPath cert_path -privateKeyPath private_key_path -trustStorePath caCertificatePath -setAttribute -attributeName attributeName -attributeValue attributeVal
See the NetBackup Commands Reference Guide for more information on the command.