Working with multiple KMS servers
NetBackup supports multiple KMS servers. You can use multiple KMS servers and migrate from one KMS server to another. You can also use a separate KMS server for each storage configuration like tape, cloud, and MSDP.
See Migrating one KMS server to another KMS server.
See Using a separate KMS server for each storage configuration.
To use multiple KMS servers effectively, you need to define the following KMS configuration attributes:
enableForBackup | Specifies whether keys from this KMS server are used for backups. The default value is 1. Set it to 0 if keys from this KMS server should not be used for backups. This attribute does not affect restores: if a backup image was encrypted with a key from this KMS server, NetBackup still contacts this server during the restore and fetches the key to decrypt the data. Because these servers are still needed for restores, delete a KMS configuration only after confirming that no images are encrypted with keys from that server; if the key is lost, the data in those images cannot be restored and is lost. During KMS server migration, at least one KMS configuration must have this attribute set to 1, otherwise all backups fail. |
priority | Specifies the order in which NetBackup contacts KMS servers when it fetches keys for encryption or decryption. By default, the priority is 0. The KMS server with the highest value is tried first. During a backup or restore, NetBackup walks the list of KMS servers ordered by priority, so the server with the highest priority is used first to fetch keys. If multiple KMS servers share the same priority, one of them is used. |
When you configure a KMS server in NetBackup (using the CLI or API), you can set a value for each of these attributes. The configureKMS and updateKMSConfig operations of the nbkmscmd CLI provide options to set them.
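The selection rules above (enableForBackup gates backups only, priority orders the server list, and a server can only be removed once no image depends on its keys) can be modelled in a few lines. The following is an added illustration, not NetBackup's own code: the KmsConfig class, the image inventory and the tie-breaking rule (stable sort keeps configuration order, since the page only says "one of them is used") are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class KmsConfig:
    """Constructed model of one KMS configuration entry (not a NetBackup type)."""
    name: str
    enable_for_backup: int = 1   # default 1, as documented
    priority: int = 0            # default 0, as documented


def ordered_for_backup(configs):
    """Servers NetBackup may fetch keys from for a new backup: only those with
    enableForBackup=1, highest priority first. Ties keep configuration order
    (assumption: the page does not define which equal-priority server wins)."""
    eligible = [c for c in configs if c.enable_for_backup == 1]
    return sorted(eligible, key=lambda c: c.priority, reverse=True)


def ordered_for_restore(configs):
    """Restores ignore enableForBackup: every configured server is a candidate,
    highest priority first."""
    return sorted(configs, key=lambda c: c.priority, reverse=True)


def check_migration(configs):
    """Problems to fix before relying on this set of servers: at least one
    configuration must have enableForBackup=1, otherwise all backups fail."""
    problems = []
    if not any(c.enable_for_backup == 1 for c in configs):
        problems.append("no KMS server has enableForBackup=1: all backups would fail")
    return problems


def safe_to_remove(config, images_encrypted_with):
    """A KMS configuration may only be deleted when no retained image depends on
    its keys. images_encrypted_with maps image id -> KMS name (constructed inventory)."""
    dependents = [img for img, kms in images_encrypted_with.items() if kms == config.name]
    return (len(dependents) == 0, dependents)


# Constructed migration scenario: the old server keeps serving restores while the
# new server, with a higher priority, takes over all new backups.
OLD = KmsConfig("kms-old", enable_for_backup=0, priority=0)
NEW = KmsConfig("kms-new", enable_for_backup=1, priority=10)
IMAGES = {"img-001": "kms-old", "img-002": "kms-new"}

if __name__ == "__main__":
    print([c.name for c in ordered_for_backup([OLD, NEW])])   # ['kms-new']
    print([c.name for c in ordered_for_restore([OLD, NEW])])  # ['kms-new', 'kms-old']
    print(check_migration([OLD]))   # migration mistake: nothing can back up
    print(safe_to_remove(OLD, IMAGES))  # (False, ['img-001']): keep kms-old
```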
See Configuring KMS.