Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section III. Encryption of data at rest
  7. NetBackup key management service
  9. KMS database constituents
  11. Creating an empty KMS database
NetBackup™ Security and Encryption Guide

Creating an empty KMS database

An empty KMS database can be created by executing the command nbkms -createemptydb.

This command prompts you for the following information:

  • HMK pass phrase (leave empty for a random HMK)

  • HMK ID

  • KPK pass phrase (leave empty for a random KPK)

  • KPK ID

The KMS database backup and disaster recovery procedures vary for random and pass phrase-generated KPK and HMK as described below.

To recover when the HMK and KPK were generated randomly

  1. Restore the keystore file from a backup.
  2. Execute the command nbkms -info to find out the KPK ID and HMK ID of the KPK and HMK needed to decrypt this keystore file. The output should also inform you that the HMK and KPK for this keystore file were generated randomly.
  3. Restore the HMK file corresponding to the HMK ID from a secure backup.
  4. Restore the KPK file corresponding to the KPK ID from a secure backup.

Feedback

Was this page helpful?
Previous

KMS database constituents

Next

Importance of the KPK ID and HMK ID

Feedback

Was this page helpful?