Working with external KMS during backup and restore
Backup
KMS workflow during backup
- When you run a backup job, the media server sends a key request, identified by the key group name or the disk pool name, to the KMS web service.
- Keys in an external KMS server are created with the custom attribute x-keygroup, whose value is the key group name.
  Key group names for tape volume pools must have the prefix ENCR_.
- The KMS web service connects to the external KMS server and checks whether an active key whose x-keygroup attribute matches the requested key group is present. If it is, the key is retrieved and returned to the media server.
- If no external KMS is configured, or the external KMS has no such key, the web service falls back to nbkms (the NetBackup KMS service) for the key lookup.
Restore
KMS workflow during restore
- During restore, the media server sends the key ID or the KAD (key associated data) of the image to the KMS web service to retrieve the key.
- The KMS web service queries all configured KMS servers and returns every key that matches the KAD.
- The media server tries each of the returned keys, identifies the one that matches, and uses it to decrypt the image.
- If KMS is configured and used for the backup and restore, the KMS configuration details appear in the job details for tape, AdvancedDisk, and cloud storage types.
Note:
The KMS configuration details do not appear in the job details for MSDP.
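The two workflows above (backup: key group to external KMS, fallback to nbkms; restore: KAD to candidate keys from every KMS server, then trial decryption by the media server) as a runnable model. This is an added illustration, not NetBackup code: the KmsKey and KeyStore classes, the way KAD is derived from the key material, and the SHA-256/HMAC stand-in cipher are assumptions made for the demo; the product speaks KMIP to the external KMS and encrypts images with AES.

```python
# Model of the external-KMS key lookup during backup and restore (added
# illustration, not NetBackup code). Assumptions: KmsKey/KeyStore shapes, KAD as
# a fingerprint of the key material, SHA-256 counter mode + HMAC as the cipher.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEYGROUP_ATTR = "x-keygroup"   # custom attribute carrying the key group name
TAPE_PREFIX = "ENCR_"          # required prefix for tape volume pool key groups


@dataclass
class KmsKey:
    key_id: str
    material: bytes
    attributes: dict
    state: str = "active"          # only active keys are handed out for backup
    kad: str = field(init=False)   # key associated data, recorded with the image

    def __post_init__(self):
        self.kad = hashlib.sha256(self.material).hexdigest()[:32]  # assumption


@dataclass
class KeyStore:
    """One KMS server: an external KMIP server or the built-in nbkms."""
    name: str
    keys: list = field(default_factory=list)

    def active_key_for_group(self, group):
        for k in self.keys:
            if k.state == "active" and k.attributes.get(KEYGROUP_ATTR) == group:
                return k
        return None

    def keys_for_kad(self, kad):
        return [k for k in self.keys if k.kad == kad]


def backup_key(group, external, nbkms, tape=False):
    """Backup-time lookup: external KMS first, nbkms only as the fallback."""
    if tape and not group.startswith(TAPE_PREFIX):
        raise ValueError(f"tape key group {group!r} must start with {TAPE_PREFIX}")
    if external is not None:
        key = external.active_key_for_group(group)
        if key is not None:
            return external.name, key
    key = nbkms.active_key_for_group(group)
    if key is None:
        raise LookupError(f"no active key for key group {group!r} on any KMS")
    return nbkms.name, key


def _keystream(material, nonce, length):
    # stand-in stream cipher: SHA-256 in counter mode (demo only, not AES)
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(material + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_image(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key.material, nonce, len(plaintext))))
    tag = hmac.new(key.material, nonce + ct, hashlib.sha256).digest()
    return {"kad": key.kad, "nonce": nonce, "ct": ct, "tag": tag}


def try_decrypt(key, image):
    """Plaintext if this key authenticates the image, otherwise None."""
    tag = hmac.new(key.material, image["nonce"] + image["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, image["tag"]):
        return None
    stream = _keystream(key.material, image["nonce"], len(image["ct"]))
    return bytes(a ^ b for a, b in zip(image["ct"], stream))


def restore_image(image, stores):
    """Restore-time lookup: every KAD match from every server, tried in turn."""
    candidates = [k for s in stores for k in s.keys_for_kad(image["kad"])]
    for key in candidates:
        plaintext = try_decrypt(key, image)
        if plaintext is not None:
            return key.key_id, plaintext
    raise LookupError(f"none of {len(candidates)} candidate key(s) decrypts this image")


def demo():
    # constructed stores: the external KMS holds the AdvancedDisk pool's key (one
    # deprecated, one active); the tape group exists only in nbkms, so the
    # backup lookup for it falls back to nbkms
    external = KeyStore("kmip-server-1", [
        KmsKey("ext-0001", os.urandom(32), {KEYGROUP_ATTR: "dp_advdisk1"}, state="deprecated"),
        KmsKey("ext-0002", os.urandom(32), {KEYGROUP_ATTR: "dp_advdisk1"}),
    ])
    nbkms = KeyStore("nbkms", [KmsKey("nb-0001", os.urandom(32), {KEYGROUP_ATTR: "ENCR_tapepool"})])
    disk_src, disk_key = backup_key("dp_advdisk1", external, nbkms)
    tape_src, tape_key = backup_key("ENCR_tapepool", external, nbkms, tape=True)
    image = encrypt_image(tape_key, b"backup image bytes")
    used_id, plaintext = restore_image(image, [external, nbkms])
    return {"disk_source": disk_src, "disk_key": disk_key.key_id,
            "tape_source": tape_src, "restore_key": used_id, "plaintext": plaintext}
```

The authenticated tag is what makes the restore step work: the media server can only "find the matching key" among several KAD candidates if a wrong key is rejected rather than yielding garbage, which is why trial decryption over the returned set is safe.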