Managing passphrases and passphrase keys for encryption of private key of host ID-based certificates
Randomly generated passphrases are used to encrypt and decrypt the private keys of NetBackup host ID-based certificates. Passphrase keys, in turn, are used to encrypt and decrypt these passphrases. A single passphrase and passphrase-key pair is used to encrypt and decrypt all the private keys in a keystore: the passphrase encrypts the private keys, and the passphrase itself is encrypted with the passphrase key. The pair is generated when the first key in the keystore is created and stored.
Encrypting passphrases with a passphrase key adds a layer of security, because only users who have access to the passphrase key can decrypt the passphrases. A passphrase key protects a passphrase from unauthorized access and enables centralized management of passphrases. Because passphrases can be rotated easily, organizations can maintain security in their NetBackup environment.
Passphrase rotation is the process of replacing the existing passphrases. It makes the system more secure by ensuring that compromised private keys or passphrases are replaced. Rotating the passphrase also encrypts any private keys that are currently stored in plain text.
Rotating passphrases is essential to reduce the risk of unauthorized access, because it limits the time during which an attacker can use a compromised passphrase. It helps protect against brute-force attacks and mitigates the impact of insider threats. Regular passphrase rotation is also often required for compliance with security standards and regulatory frameworks, which helps organizations maintain a secure and compliant environment.
Rotation of a passphrase key: Lets you re-encrypt the passphrase with a new passphrase key at regular intervals without disrupting ongoing NetBackup operations.
Rotation of a passphrase: If administrators encounter a security threat, they can rotate the passphrase. This creates a new passphrase and passphrase-key pair and re-encrypts all private keys with the new passphrase. All NetBackup services must be stopped before this operation.
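The two rotation operations differ in cost for a structural reason: the passphrase key wraps only the passphrase, while the passphrase protects every private key in the keystore. The model below is an added example, not NetBackup code, that makes the two-level hierarchy concrete and shows why rotating the passphrase key leaves the encrypted private keys untouched whereas rotating the passphrase rewrites all of them. It uses an HMAC-SHA256 keystream as a stand-in cipher so that it runs with the standard library alone; a real keystore would use an authenticated cipher such as AES-GCM. The class and function names, the 16-byte nonce, and the toy key derivation are all assumptions of this example; only the passphrase length range (32 to 1023, default 64) comes from the page.

```python
"""Toy model of a two-level passphrase hierarchy (added example, not NetBackup code)."""
import hashlib
import hmac
import os
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with an HMAC-SHA256 counter keystream.
    It is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hmac.new(key, nonce + block_no.to_bytes(4, "big"),
                             hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce for every encryption
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


def derive_key(passphrase: bytes) -> bytes:
    """Toy KDF: fixed-size symmetric key from a variable-length passphrase."""
    return hashlib.sha256(passphrase).digest()


class KeyStore:
    """One passphrase / passphrase-key pair protects every private key.
    The plaintext passphrase is never stored; it exists only wrapped."""

    def __init__(self, passphrase_len: int = 64) -> None:
        self.passphrase_key = secrets.token_bytes(32)            # wraps the passphrase
        passphrase = secrets.token_bytes(passphrase_len)         # random passphrase
        self.wrapped_passphrase = encrypt(self.passphrase_key, passphrase)
        self.encrypted_keys: dict[str, bytes] = {}               # host id -> blob

    def _passphrase(self) -> bytes:
        return decrypt(self.passphrase_key, self.wrapped_passphrase)

    def store_private_key(self, host_id: str, private_key: bytes) -> None:
        self.encrypted_keys[host_id] = encrypt(derive_key(self._passphrase()), private_key)

    def load_private_key(self, host_id: str) -> bytes:
        # Unwrap the passphrase with the passphrase key, then decrypt the private key.
        return decrypt(derive_key(self._passphrase()), self.encrypted_keys[host_id])

    def rotate_passphrase_key(self) -> None:
        """Cheap and online: only the small wrapped-passphrase blob is rewritten."""
        passphrase = self._passphrase()
        self.passphrase_key = secrets.token_bytes(32)
        self.wrapped_passphrase = encrypt(self.passphrase_key, passphrase)

    def rotate_passphrase(self, passphrase_len: int = 64) -> int:
        """Expensive and offline: every private key is re-encrypted under a new
        passphrase, and a new passphrase key is issued. Returns the number of
        private keys rewritten."""
        if not 32 <= passphrase_len <= 1023:                     # range from the page
            raise ValueError("passphrase length must be between 32 and 1023")
        old_key = derive_key(self._passphrase())
        new_passphrase = secrets.token_bytes(passphrase_len)
        new_key = derive_key(new_passphrase)
        for host_id, blob in self.encrypted_keys.items():
            self.encrypted_keys[host_id] = encrypt(new_key, decrypt(old_key, blob))
        self.passphrase_key = secrets.token_bytes(32)            # new pair, as described
        self.wrapped_passphrase = encrypt(self.passphrase_key, new_passphrase)
        return len(self.encrypted_keys)


def demo() -> dict:
    """Constructed sample data: two hosts with placeholder private keys."""
    ks = KeyStore()
    keys = {"host-a": b"-----PRIVATE KEY A-----", "host-b": b"-----PRIVATE KEY B-----"}
    for host_id, key in keys.items():
        ks.store_private_key(host_id, key)
    before = dict(ks.encrypted_keys)
    ks.rotate_passphrase_key()
    wrong = decrypt(secrets.token_bytes(32), ks.wrapped_passphrase)
    untouched = ks.encrypted_keys == before
    rewritten = ks.rotate_passphrase(128)
    return {
        "roundtrip_ok": all(ks.load_private_key(h) == k for h, k in keys.items()),
        "key_rotation_left_private_keys_untouched": untouched,
        "wrong_passphrase_key_unwraps_garbage": wrong != ks._passphrase(),
        "private_keys_rewritten": rewritten,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `rotate_passphrase` mirrors the documented range, and the function rewrites every stored blob, which is why the real procedure requires services to be stopped while `rotate_passphrase_key` does not.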
To rotate a passphrase
- Stop the NetBackup services.
Ensure that all NetBackup services are stopped before you proceed.
- Run the following command to rotate the passphrase:
nbcertcmd -rotatePassphrase
Note:
The default passphrase length is 64 characters.
Run the following command to specify the passphrase length:
nbcertcmd -rotatePassphrase -length 1023
The valid length ranges from 32 to 1023 characters.
- Start the NetBackup services.
To rotate the passphrase key
- Run the following command:
nbcertcmd -rotatePassphraseKey
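The two procedures above differ in one operational detail that is easy to get wrong under pressure: passphrase rotation requires the services to be stopped first, passphrase-key rotation does not. The wrapper below is an added example, not NetBackup's own tooling. It builds the exact commands from the page, enforces the documented length range, and fixes the stop, rotate, start order for the passphrase case. It assumes a Unix installation under /usr/openv/netbackup/bin and uses the bp.kill_all and bp.start_all scripts to stop and start the services; the page names neither the path nor those scripts, so both are assumptions. With the default dry_run=True it only returns the planned command lines, so it can be reviewed (and run here) without touching a real host.

```python
"""Wrapper for the nbcertcmd rotation procedures (added example, not NetBackup code)."""
import subprocess

NB_BIN = "/usr/openv/netbackup/bin"            # assumed default Unix install path
MIN_LEN, MAX_LEN, DEFAULT_LEN = 32, 1023, 64   # range and default from the page


def rotate_passphrase_cmd(length: int = DEFAULT_LEN) -> list[str]:
    """nbcertcmd -rotatePassphrase [-length N], refusing out-of-range lengths."""
    if not isinstance(length, int) or not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"passphrase length must be {MIN_LEN}..{MAX_LEN}")
    cmd = [f"{NB_BIN}/nbcertcmd", "-rotatePassphrase"]
    if length != DEFAULT_LEN:
        cmd += ["-length", str(length)]
    return cmd


def rotate_passphrase_key_cmd() -> list[str]:
    return [f"{NB_BIN}/nbcertcmd", "-rotatePassphraseKey"]


def plan(operation: str, length: int = DEFAULT_LEN) -> list[list[str]]:
    """Ordered command list for the chosen rotation."""
    if operation == "passphrase":
        # Passphrase rotation re-encrypts every private key: services must be down.
        # bp.kill_all / bp.start_all are assumed here; the page names no command.
        return [[f"{NB_BIN}/bp.kill_all"],
                rotate_passphrase_cmd(length),
                [f"{NB_BIN}/bp.start_all"]]
    if operation == "passphrase-key":
        # Only the passphrase is re-wrapped: no service outage is required.
        return [rotate_passphrase_key_cmd()]
    raise ValueError("operation must be 'passphrase' or 'passphrase-key'")


def run(operation: str, length: int = DEFAULT_LEN, dry_run: bool = True) -> list[str]:
    """Execute (or, by default, only print) the planned steps in order.
    check=True stops at the first failure, so a failed rotation leaves the
    services stopped for the operator to inspect rather than restarting them
    over a half-rotated keystore."""
    steps = plan(operation, length)
    rendered = [" ".join(step) for step in steps]
    if dry_run:
        return rendered
    for step in steps:
        subprocess.run(step, check=True)
    return rendered


if __name__ == "__main__":
    for line in run("passphrase", 128):
        print(line)
```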