Configuring Hardware Security Module on a NetBackup host
The NetBackup command nbhsmcmd configures NetBackup to use an HSM. The nbhsmcmd -configure command starts a configuration workflow that asks you for the following information about the HSM, the key to be used, and the algorithm.
Filesystem path to the HSM vendor's shared library (.so or .dll) that implements the PKCS#11 interface.
HSM device (token): configure a human-friendly name for this field.
User PIN for accessing the HSM. NetBackup never modifies the contents of the HSM, so the security officer (SO) PIN is not required.
A pseudo-identifier that NetBackup uses to refer to the HSM key.
Label of the key configured in the HSM. This label must already exist in the HSM for NetBackup to use it.
The key algorithm name. Possible values are as follows:
Note:
Not all algorithms are supported by all HSM modules and vendors.
AES-GCM
AES-CBC
AES-CBC-PAD
AES-CTR
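The following pre-flight check is an added example and is not part of NetBackup or of this guide. It takes the inputs that the configure workflow asks for (library path, token name, user PIN, key identifier, key label, algorithm) and checks them before the workflow is started: the library must be an existing .so or .dll that is actually an ELF or PE binary, the text fields must be filled in, a user PIN must be present, and the algorithm must be one of the four listed above. It also maps each NetBackup algorithm name to the PKCS#11 mechanism name (CKM_*) that the token must support; that mapping, the environment-variable name, and the input names are assumptions of the example, and the fake library file it writes is constructed so it runs without an HSM.

```python
"""Pre-flight check for the inputs that nbhsmcmd -configure asks for.

Added example, not NetBackup code.  Validates the configure inputs before
the interactive workflow is started and maps each NetBackup algorithm name
to the PKCS#11 mechanism the HSM token must support.  The mapping and the
environment-variable name are assumptions of this example.
"""
import os
import tempfile
from dataclasses import dataclass

# NetBackup algorithm name -> PKCS#11 mechanism (assumed mapping; the page
# only lists the NetBackup names).  AES-CBC-PAD is CBC with PKCS#7-style
# padding, which is why it is a separate mechanism from plain CBC.
ALGORITHM_MECHANISMS = {
    "AES-GCM": "CKM_AES_GCM",
    "AES-CBC": "CKM_AES_CBC",
    "AES-CBC-PAD": "CKM_AES_CBC_PAD",
    "AES-CTR": "CKM_AES_CTR",
}

# Magic bytes of the two binary formats a PKCS#11 library ships as.
_ELF_MAGIC = b"\x7fELF"   # Linux/UNIX .so
_PE_MAGIC = b"MZ"         # Windows .dll


@dataclass
class HsmInputs:
    library_path: str   # vendor PKCS#11 shared object
    token_label: str    # human-friendly name for the HSM device (token)
    user_pin: str       # user PIN only; the SO PIN is never needed
    key_id: str         # NetBackup-side pseudo-identifier for the key
    key_label: str      # label of the key that must already exist in the HSM
    algorithm: str      # one of ALGORITHM_MECHANISMS


def pin_from_env(var: str = "NB_HSM_USER_PIN") -> str:
    """Read the user PIN from the environment (assumed variable name) so it
    is not typed on a command line where shell history would record it."""
    return os.environ.get(var, "")


def validate(inputs: HsmInputs) -> list:
    """Return a list of problems; an empty list means the inputs look usable."""
    problems = []

    ext = os.path.splitext(inputs.library_path)[1].lower()
    if ext not in (".so", ".dll"):
        problems.append("library path must end in .so or .dll")
    elif not os.path.isfile(inputs.library_path):
        problems.append("library file not found: " + inputs.library_path)
    else:
        with open(inputs.library_path, "rb") as fh:
            head = fh.read(4)
        if not (head.startswith(_ELF_MAGIC) or head.startswith(_PE_MAGIC)):
            problems.append("library is not an ELF (.so) or PE (.dll) binary")

    for field, value in (("token label", inputs.token_label),
                         ("key id", inputs.key_id),
                         ("key label", inputs.key_label)):
        if not value.strip():
            problems.append(field + " must not be empty")

    if not inputs.user_pin:
        problems.append("user PIN is empty (the SO PIN is not a substitute)")

    if inputs.algorithm not in ALGORITHM_MECHANISMS:
        problems.append("unsupported algorithm: " + inputs.algorithm
                        + " (expected one of "
                        + ", ".join(ALGORITHM_MECHANISMS) + ")")
    return problems


def required_mechanism(algorithm: str) -> str:
    """PKCS#11 mechanism the token must list for the chosen algorithm."""
    return ALGORITHM_MECHANISMS[algorithm]


def demo() -> tuple:
    """Run validate() on a constructed good input and a constructed bad one.

    A fake .so carrying ELF magic bytes stands in for the vendor library so
    the example runs without an HSM.  Returns (good_problems, bad_problems).
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libvendor_pkcs11.so")   # constructed file
        with open(lib, "wb") as fh:
            fh.write(_ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        good = HsmInputs(lib, "nbu-token", "1234", "nbu-key-1",
                         "nbu-kms-key", "AES-GCM")
        bad = HsmInputs(lib, "nbu-token", "", "nbu-key-1", "", "AES-ECB")
        return validate(good), validate(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good input:", good_problems or "ok")
    for problem in bad_problems:
        print("bad input:", problem)
```

In practice you would build HsmInputs from the real library path and token name, take the PIN from pin_from_env(), and only start nbhsmcmd -configure when validate() returns an empty list; required_mechanism() tells you which CKM_* mechanism to look for in the vendor's mechanism list when an algorithm is rejected by a particular HSM.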
If the HSM key, token PIN, or PKCS#11 library path needs to be changed after configuration, use the nbhsmcmd -update command to update those parameters.
The nbhsmcmd -list command lists the HSM configuration on a NetBackup host in JSON format.
For more details on NetBackup commands, see the NetBackup Commands Reference Guide.