© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Security and Encryption Guide

Key rotation

With an external KMS, a key group can contain one or more keys in the active state. NetBackup always uses the most recent of the active keys for data encryption. To change the encryption key (rotate the key), create a new active key under the specific key group. The most recently created key is then used for subsequent encryption requests for that key group.

Note:

After any update to the external KMS configuration or keys, NetBackup may take some time to start using the appropriate key in backup or restore workflows. This is because NetBackup caches the key for 10 minutes (for external KMS).

To use a key immediately, clear the cache by running the following command on the respective media server:

bpclntcmd -clear_host_cache
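
The following added example (not NetBackup code and not part of the original guide) models the selection rule and the 10-minute cache described above, to show which key a media server would use for requests made shortly after a rotation, with and without clearing the cache. The names Key, MediaServer, rotation_timeline and the key names are hypothetical, and the expiry behavior of the cache is an assumed model.

```python
from dataclasses import dataclass

CACHE_TTL = 10 * 60  # seconds; the page states a 10-minute cache for external KMS

@dataclass(frozen=True)
class Key:
    name: str        # constructed sample name
    created_at: int  # seconds on a simulated clock
    active: bool

def newest_active(keys):
    """Rule from the page: the most recently created key among the active ones."""
    active = [k for k in keys if k.active]
    if not active:
        raise LookupError("key group has no active key")
    return max(active, key=lambda k: k.created_at)

class MediaServer:
    """Assumed model: the key group is re-read only once the cached entry expires."""
    def __init__(self, key_group):
        self.key_group = key_group  # list standing in for the external KMS key group
        self.clear_cache()

    def clear_cache(self):
        # Stands in for `bpclntcmd -clear_host_cache` on this media server.
        self._key, self._cached_at = None, None

    def key_for_encryption(self, now):
        if self._key is None or now - self._cached_at >= CACHE_TTL:
            self._key, self._cached_at = newest_active(self.key_group), now
        return self._key

def rotation_timeline():
    """Rotate at t=60 s; report the key each server uses for later requests."""
    group = [Key("old-key", created_at=-3600, active=True)]
    waiting, cleared = MediaServer(group), MediaServer(group)
    waiting.key_for_encryption(0)   # both servers cache old-key at t=0
    cleared.key_for_encryption(0)
    group.append(Key("new-key", created_at=60, active=True))  # the rotation
    cleared.clear_cache()
    return {
        "waiting@61": waiting.key_for_encryption(61).name,
        "cleared@61": cleared.key_for_encryption(61).name,
        "waiting@599": waiting.key_for_encryption(599).name,
        "waiting@600": waiting.key_for_encryption(600).name,
    }

if __name__ == "__main__":
    for moment, key in rotation_timeline().items():
        print(f"{moment}: {key}")
```

In this model, a server whose cache is not cleared keeps encrypting with the previous key until its cached entry expires, which matters when the rotation is a response to a suspected key exposure.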
