Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section III. Encryption of data at rest
  7. External key management service
  9. Creating keys in an external KMS
NetBackup™ Security and Encryption Guide

Creating keys in an external KMS

You can use NetBackup to create keys in an external KMS. NetBackup must have the required permissions to create keys in the external KMS.

To create keys in an external KMS

  • Run the following command:

    nbkmscmd -createkey -name configuration_name -keyGroupName keygroup_name -keyName key_name -comment comments

    The createKey command creates a key in active state. For external KMS, you can have multiple active keys in a key group. NetBackup uses the latest active key. The command also sets all the required attributes for the key.

    Note:

    After any update in external KMS configuration or key related changes, NetBackup may take some time to consume appropriate key in backup or restore workflow. This is because NetBackup caches the key for 10 min (for external KMS). To consume the key immediately, run the following command on the respective media server to clear the cache:

    bpclntcmd -clear_host_cache.

Feedback

Was this page helpful?
Previous

Configuring keys in an external KMS for NetBackup consumption

Next

Listing keys

Feedback

Was this page helpful?