Key rotation
With an external KMS, a key group can contain one or more keys in the active state. NetBackup always uses the most recently created active key for data encryption. To change the encryption key (rotate the key), create a new active key in the specific key group. The most recently created key is then used for subsequent encryption requests for that key group.
Note:
After any update to the external KMS configuration or keys, NetBackup may take some time to use the appropriate key in a backup or restore workflow. This is because NetBackup caches the key for 10 minutes (for external KMS).
To use a key immediately, clear the cache by running the following command on the respective media server:
bpclntcmd -clear_host_cache
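
The following added example (a toy model, not NetBackup code) shows how the "most recent active key" rule and the 10-minute cache interact after a rotation, with and without clearing the cache. The class, the key names, the timestamps and the single cache entry per key group are assumptions made for illustration.

```python
from dataclasses import dataclass

CACHE_TTL = 600  # seconds; the 10-minute external KMS cache described above

@dataclass(frozen=True)
class Key:
    name: str
    created: int          # creation time in seconds (constructed values)
    active: bool = True

class KeyGroupModel:
    """Hypothetical model of one key group plus a media server's key cache."""

    def __init__(self):
        self.keys = []
        self._cached = None   # (key, time fetched) or None

    def create_key(self, name, now, active=True):
        self.keys.append(Key(name, now, active))

    def newest_active(self):
        active = [k for k in self.keys if k.active]
        if not active:
            raise LookupError("no active key in key group")
        return max(active, key=lambda k: k.created)

    def key_for_encryption(self, now):
        # Serve from the cache while the entry is younger than the TTL.
        if self._cached and now - self._cached[1] < CACHE_TTL:
            return self._cached[0]
        key = self.newest_active()
        self._cached = (key, now)
        return key

    def clear_host_cache(self):
        # Models the effect of: bpclntcmd -clear_host_cache
        self._cached = None

def rotation_timeline(clear_cache):
    """Return the key used at t=100, t=300 and t=701 around a rotation at t=200."""
    group = KeyGroupModel()
    group.create_key("key-old", now=0)                    # constructed key name
    used = [group.key_for_encryption(now=100).name]       # caches key-old
    group.create_key("key-new", now=200)                  # rotation
    if clear_cache:
        group.clear_host_cache()
    used.append(group.key_for_encryption(now=300).name)   # inside cache window
    used.append(group.key_for_encryption(now=701).name)   # old entry has expired
    return used

if __name__ == "__main__":
    print("without clear:", rotation_timeline(False))
    print("with clear:   ", rotation_timeline(True))
```

In the model, a backup that starts inside the cache window after a rotation is still encrypted with the previous key unless the cache is cleared first.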