NetBackup™ Security and Encryption Guide

Working with external KMS during backup and restore

Backup

KMS workflow during backup

  1. When you run a backup job, the media server sends a key request, based on the key group name or disk pool name, to the KMS web service.
  2. Keys in an external KMS server are created with the attribute x-keygroup.

    Key group names for tape volume pools must have ENCR_ as a prefix.

  3. The KMS web service connects to the external KMS server and checks whether an active key with the custom attribute x-keyGroup is present. If the key is present, it is retrieved and returned to the media server.
  4. If the external KMS is not configured or no such key is available in the external KMS, the web service falls back to nbkms for the key lookup.

Restore

KMS workflow during restore

  1. During restore, the media server sends the key ID or KAD (key associated data) to the KMS web service to retrieve the key.
  2. The KMS web service connects to all the KMS servers and retrieves all the possible keys that match the KAD.
  3. The media server tries all of these keys to find the matching key and uses that key to decrypt the image.
  4. If the KMS is configured and used for backup and restore, you can see the KMS configuration details in the job details for tape, AdvancedDisk, and cloud storage types.

    Note:

    The KMS configuration details do not appear in the job details for MSDP.
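
The two lookup workflows above can be modelled in a few lines to show where the nbkms fallback and the multi-key restore search take effect. This is an added example, not NetBackup code: the inventories, field names, function names and the HMAC-based test for a matching key are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed key inventories. "group" stands for the x-keygroup attribute on
# external KMS keys; every field name and key value here is hypothetical.
EXTERNAL_KMS = [
    {"kad": "kad-ext-00", "state": "deactivated", "group": "ENCR_tapepool", "key": b"D" * 32},
    {"kad": "kad-ext-01", "state": "active", "group": "ENCR_tapepool", "key": b"E" * 32},
]
NBKMS = [
    {"kad": "kad-nb-01", "state": "active", "group": "ENCR_legacy", "key": b"N" * 32},
    {"kad": "kad-ext-01", "state": "active", "group": "ENCR_other", "key": b"X" * 32},
]


def key_for_backup(group, external=EXTERNAL_KMS, nbkms=NBKMS):
    """Backup steps 1-4: look for an active key in the external KMS first,
    then fall back to nbkms. Returns (source, record) or (None, None)."""
    for source, store in (("external", external or []), ("nbkms", nbkms)):
        for rec in store:
            if rec["state"] == "active" and rec["group"] == group:
                return source, rec
    return None, None


def image_tag(key, image):
    """Assumed stand-in for testing whether a candidate key fits an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def key_for_restore(kad, image, tag, servers=(EXTERNAL_KMS, NBKMS)):
    """Restore steps 1-3: collect every key matching the KAD from all KMS
    servers, then keep the candidate that verifies against the image."""
    candidates = [rec for store in servers for rec in store if rec["kad"] == kad]
    for rec in candidates:
        if hmac.compare_digest(image_tag(rec["key"], image), tag):
            return rec, len(candidates)
    return None, len(candidates)


def groups_served_by_fallback(groups):
    """Report key groups whose backup key would come from nbkms instead of
    the external KMS, so an unintended fallback is noticed."""
    return [g for g in groups if key_for_backup(g)[0] == "nbkms"]
```

In this model a key group that exists only in nbkms is still served without error, which is why the source of each key is returned alongside the key itself.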
