NetBackup™ Security and Encryption Guide

Configuring Hardware Security Module on a NetBackup host

The NetBackup command nbhsmcmd configures NetBackup to use an HSM. The nbhsmcmd -configure command starts a configuration workflow that requires you to provide the following information about the HSM properties, the key to be used, and the algorithm:

  • Filesystem path to the shared object (with the extension .so or .dll) that implements the PKCS#11 interface, as provided by the HSM vendor.

  • HSM device (token) - configure a human-friendly name for this field.

  • User PIN to access the HSM. NetBackup never modifies the HSM, so the security officer (SO) PIN is not required.

  • A pseudo identifier for the HSM key in NetBackup.

  • Label of the key that is configured in the HSM. This label must exist in the HSM for NetBackup to use it.

  • The key algorithm name. NetBackup supports the following algorithms for HSM usage:

    • AES-GCM

    • AES-CBC

    • AES-CBC-PAD

    • AES-CTR

    Note:

    Not all algorithms are supported by all HSM modules and vendors.
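
Because algorithm support varies by HSM module and vendor, it is worth confirming what the token offers before running nbhsmcmd -configure. The script below is an added example, not NetBackup code: it assumes OpenSC's pkcs11-tool is installed and that its mechanism names correspond to the NetBackup algorithm names, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not NetBackup code). Assumptions: OpenSC's pkcs11-tool is
# installed, and its mechanism names correspond to NetBackup's algorithm names.

NBU_ALGORITHMS="AES-GCM AES-CBC AES-CBC-PAD AES-CTR"

# Constructed sample of `pkcs11-tool --list-mechanisms` output for a token
# that offers AES-CBC-PAD and AES-CTR but neither AES-GCM nor unpadded AES-CBC.
SAMPLE_MECHANISMS='Supported mechanisms:
  AES-KEY-GEN, keySize={16,32}, generate
  AES-CBC-PAD, keySize={16,32}, encrypt, decrypt, wrap, unwrap
  AES-CTR, keySize={16,32}, encrypt, decrypt'

# Reads a mechanism listing on stdin; prints each NetBackup algorithm that the
# token does not advertise for both encrypt and decrypt (one name per line).
unsupported_algorithms() {
    listing=$(cat)
    for alg in $NBU_ALGORITHMS; do
        printf '%s\n' "$listing" | awk -F',' -v want="$alg" '
            {
                name = $1
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name != want) next      # exact match: AES-CBC is not AES-CBC-PAD
                enc = 0; dec = 0
                for (i = 2; i <= NF; i++) {
                    flag = $i
                    gsub(/^[ \t]+|[ \t]+$/, "", flag)
                    if (flag == "encrypt") enc = 1
                    if (flag == "decrypt") dec = 1
                }
                if (enc && dec) found = 1
            }
            END { exit (found ? 0 : 1) }' || printf '%s\n' "$alg"
    done
}

# Live check against a real module; arguments are the PKCS#11 library path and
# the token label. Defined only, so nothing touches an HSM until you call it.
check_hsm_module() {
    pkcs11-tool --module "$1" --token-label "$2" --list-mechanisms |
        unsupported_algorithms
}
```

Any name the check prints is an algorithm the token does not advertise for both encryption and decryption, so avoid selecting it as the key algorithm for that token.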

If the HSM key, token PIN, or PKCS#11 library path needs to be changed after configuration, use the nbhsmcmd -update command to update the parameters.

The nbhsmcmd -list command lists the HSM configuration on a NetBackup host in JSON format.

For more details on NetBackup commands, see the NetBackup Commands Reference Guide.
