Migrating one KMS server to another KMS server
If you have a KMS server configured in your environment (for example NetBackup KMS - KMS1) and you want to migrate to another KMS server (for example external KMS - KMS2), use the following procedure:
To migrate from one KMS server (KMS1) to another KMS server (KMS2)
- Create the required keys in KMS2 so that every storage pool in the domain that is enabled for encryption has a key in KMS2.
- Run the following command to add the KMS2 configuration in NetBackup:
nbkmscmd -configureKMS -name KMS2 -type KMIP -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -credId credential_ID -credName credential_name -enabledForBackup 1 -priority priority_of_KMS_server -server master_server_name -description description
- Run the following command to update the enabledForBackup flag for KMS1:
nbkmscmd -updatekmsconfig -name KMS1 -enabledForBackup 0
From this point on, no backups are encrypted using keys from KMS1. If a key is required and is not found in KMS2, NetBackup does not fall back to KMS1.
- Ensure that none of the existing backup images are encrypted using KMS1.
- Delete the KMS1 configuration from the NetBackup configuration.
If you have images that were encrypted using the deleted KMS server (KMS1), you cannot restore the data from those images. Reconfigure the KMS server (KMS1) and ensure that the respective keys are available in that KMS server before restoring the data.
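The two checks that gate this procedure (every encryption-enabled pool has a key in KMS2, and no existing image still depends on KMS1) can be scripted before the delete step. The following is an added example, not part of the NetBackup documentation: the inventory formats, the function names, and the sample data are assumptions constructed for illustration, and producing the inventories from a real domain is left to the operator.

```shell
#!/bin/sh
# Preflight gates for the KMS1 -> KMS2 migration (added example).
# Both inventories are CONSTRUCTED sample data in a hypothetical CSV format.

# pool_name,encryption_enabled(1/0),key_present_in_KMS2(1/0)
SAMPLE_POOLS='pool_a,1,1
pool_b,1,0
pool_c,0,0'

# backup_id,kms_configuration_name
SAMPLE_IMAGES='client1_1700000001,KMS1
client2_1700000002,KMS2
client3_1700000003,KMS1'

# Gate for the first step: list encryption-enabled pools with no key in KMS2.
# Once KMS1 has -enabledForBackup 0 there is no fallback to it, so every pool
# printed here needs a key in KMS2 before the migration continues.
pools_missing_key() {
    printf '%s\n' "$1" | awk -F, '$2 == 1 && $3 != 1 { print $1 }'
}

# Gate for the delete step: list backup IDs still encrypted with the old KMS.
images_on_kms() {
    printf '%s\n' "$2" | awk -F, -v kms="$1" '$2 == kms { print $1 }'
}

# Returns 0 only when both gates are clear; otherwise reports each blocker.
safe_to_delete_kms() {
    old_kms=$1
    missing=$(pools_missing_key "$2")
    blocking=$(images_on_kms "$old_kms" "$3")
    for p in $missing; do
        echo "pool $p is enabled for encryption but has no key in the new KMS"
    done
    for b in $blocking; do
        echo "image $b still depends on $old_kms and would become unrestorable"
    done
    [ -z "$missing" ] && [ -z "$blocking" ]
}

# Report on the constructed sample data; the delete step is never run here.
safe_to_delete_kms KMS1 "$SAMPLE_POOLS" "$SAMPLE_IMAGES" \
    || echo "Do not delete the KMS1 configuration yet."
```
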