Managing legacy encryption key files
This topic describes managing legacy encryption key files.
Each NetBackup client that does encrypted backups and restores needs a key file. The key file contains the data that the client uses to generate DES keys to encrypt backups.
You can use the bpkeyfile command on the client to manage the key file. See the bpkeyfile entry in the NetBackup Commands Reference Guide for a full description of its options.
First, create a key file if one does not already exist. A key file already exists if you set a pass phrase for this client with the bpinst -LEGACY_CRYPT command from the server.
The file name must match the name that you specified with the CRYPT_KEYFILE configuration option. The defaults are as follows:
For Windows clients, the default key file name is as follows
install_path\NetBackup\var\keyfile.dat
For UNIX clients, the default key file name is as follows
/usr/openv/var/keyfile
NetBackup uses a key file pass phrase to generate a DES key, and it uses that DES key to encrypt the key file itself.
Generally, you use the key file pass phrase that is hard-coded into NetBackup applications. However, for added security you may want to use your own key file pass phrase.
See Additional legacy key file security for UNIX clients.
Note:
If you do not want to use your own key file pass phrase, do not enter a new key file pass phrase. Instead, use the standard key file pass phrase and enter a new NetBackup pass phrase.
You must decide what NetBackup pass phrase to use. The NetBackup pass phrase is used to generate the data that is placed into the key file. That data is used to generate DES keys to encrypt backups.
To create the default key file on a UNIX client that is encrypted with the standard key file pass phrase, enter a command such as the following:
bpkeyfile /usr/openv/var/keyfile
Enter new keyfile pass phrase: (standard keyfile pass phrase)
Re-enter new keyfile pass phrase: (standard keyfile pass phrase)
Enter new NetBackup pass phrase: ***********************
Re-enter new NetBackup pass phrase: ***********************
You may enter new NetBackup pass phrases fairly often. Information about old pass phrases is kept in the key file, so you can still restore any data that was encrypted with DES keys generated from old pass phrases. Use the -change_netbackup_pass_phrase (or -cnpp) option of the bpkeyfile command to enter a new NetBackup pass phrase.
If you want to enter a new NetBackup pass phrase on a Windows client, enter a command similar to the following example:
bpkeyfile.exe -cnpp install_path\NetBackup\var\keyfile.dat
Enter old keyfile pass phrase: (standard keyfile pass phrase)
Enter new NetBackup pass phrase: **********
Re-enter new NetBackup pass phrase: **********
Caution:
You must ensure that pass phrases, whether they are new or were in use previously, are secure and retrievable. If a client's key file is damaged or lost, you need all of the previous pass phrases to recreate the key file. Without the key file, you cannot restore the files that were encrypted with the pass phrases.
The key file must only be accessible to the administrator of the client machine.
For a UNIX client, you must ensure the following:
The owner is root.
The mode bits are 600.
The file is not on a file system that can be NFS mounted.
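The following script is an added example, not part of the NetBackup documentation, that audits a UNIX key file against the three requirements above: owner root, mode 600, and not on a file system that is exported over NFS. It assumes GNU stat (Linux) and that exports are listed in /etc/exports; the function name check_keyfile and its arguments are this example's own. The owner and exports-file arguments exist only so the check can be exercised as a non-root user against a constructed file.

```shell
#!/bin/sh
# Audit a NetBackup legacy key file (default /usr/openv/var/keyfile).
# Example code; not from the NetBackup documentation or product.
# Assumes GNU stat output format (Linux). BSD stat uses different flags.

# Print "owner mode" for a file, e.g. "root 600".
keyfile_owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null
}

# check_keyfile PATH [OWNER] [EXPORTS]
# Returns 0 when PATH is owned by OWNER (default root), has mode 600 and
# its mount point is not listed in EXPORTS (default /etc/exports).
# Each failed check is reported on stdout.
check_keyfile() {
    path=$1
    want_owner=${2:-root}
    exports=${3:-/etc/exports}
    rc=0

    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist or is not a regular file"
        return 1
    fi

    # Split "owner mode" into the positional parameters.
    set -- $(keyfile_owner_mode "$path")
    owner=$1
    mode=$2

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is '$owner', expected '$want_owner'"
        rc=1
    fi
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        rc=1
    fi

    # The requirement is that the file system not be NFS-mountable, i.e.
    # not exported. This checks the mount point that holds the key file
    # against the exports file; exports configured elsewhere (for example
    # through exportfs at run time) are not seen by this check.
    mnt=$(df -P "$path" 2>/dev/null | awk 'NR==2 {print $6}')
    if [ -n "$mnt" ] && [ -r "$exports" ] && grep -q "^$mnt[[:space:]]" "$exports"; then
        echo "FAIL: mount point $mnt is exported in $exports"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}

# Run directly against the default UNIX key file, or a path given as $1.
if [ -n "${1:-}" ]; then
    check_keyfile "$1"
fi
```

Run it as root on each client after creating the key file; a non-zero exit means at least one requirement is not met. The exports check is a conservative heuristic and does not replace reviewing the NFS server configuration directly.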
You must consider whether to back up your key file. An encrypted backup of the key file has little value, because it can be restored only if the key file is already present on the client. Instead, you can set up a NetBackup policy that does non-encrypted backups of the clients' key files. This policy is useful if you require an emergency restore of a key file. However, it also means that a client's key file can be restored on a different client.
If you want to prevent the key file from being backed up, add the key file's path name to the client's exclude list.