About cloud KMS
Along with NetBackup KMS and external KMS, NetBackup now supports cloud KMS to manage data-at-rest encryption keys.
The following cloud providers are supported for cloud KMS configuration in NetBackup:
Amazon Web Services (AWS)
Google Cloud Platform (GCP)
Microsoft Azure
Backup images stored on MSDP storage servers can be encrypted using keys that are maintained in the respective cloud KMS. NetBackup authenticates with the cloud KMS using credentials configured in the NetBackup Credential Management System.
Optionally, you can configure an HTTP or HTTPS proxy server to communicate with cloud KMS. Proxy server credentials are managed through the NetBackup Credential Management System using the NetBackup web UI.
Cloud KMS is supported only on MSDP storage servers. Tapes, advanced disks, or cloud storage servers are not supported.
Amazon Web Services (AWS)
Both symmetric and asymmetric RSA keys are supported.
For asymmetric RSA keys, the RSA_OAEP and RSA_OAEP_256 algorithms are supported.
For symmetric keys, the AWS-managed symmetric encryption algorithm is used.
Google Cloud Platform (GCP)
Only symmetric keys are supported.
For symmetric keys, the Google-managed symmetric encryption algorithm is used.
Microsoft Azure
Only Key Vaults are supported.
Only asymmetric RSA keys are supported.
The RSA_OAEP and RSA_OAEP_256 algorithms are supported.
Hardware Security Module (HSM)-backed keys are not supported.