Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section III. Encryption of data at rest
  4. External key management service configuration in NetBackup
  5. Configuring KMS credentials
NetBackup™ Security and Encryption Guide

Configuring KMS credentials

To configure external KMS in NetBackup, you need to first configure the credentials that NetBackup uses to authenticate with the external KMS server. As part of this step, you need to specify the path for public key Infrastructure (PKI) artifacts that are required for certificate-based authentication. The following information is required:

  • Certificate file path

  • Keystore file path

  • Trust store file path

  • Passphrase or passphrase file path

Note:

After external KMS configuration or keys are updated, NetBackup may take several minutes to consume appropriate key in backup or restore workflow. This is because NetBackup caches the key for 10 minutes (for external KMS). To immediately consume a key, cache can be cleared by executing the following command on the respective media server:

bpclntcmd -clear_host_cache

To configure KMS credentials

  • Run the nbkmscmd -configureCredential command:

    This command creates a copy of files that are provided on the command-line interface and stores them into the credentials database. When the command is successfully executed, you can delete these files if you do not need them. NetBackup does not track any updates to these files. If the certificate needs to be updated, typically in case of renewal, you need to run the nbkmscmd -updateCredential command again with new certificate files.

    nbkmscmd -configureCredential -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description]

Feedback

Was this page helpful?
Previous

Validating KMS credentials

Next

Listing KMS credentials

Feedback

Was this page helpful?