Using a separate KMS server for each storage configuration
You may want to use separate KMS servers for different storage configurations. For example, you can use one KMS server for tape storage and another for cloud storage. You can also use separate KMS servers for different tape volumes or for different MSDP storage servers.
NetBackup looks for keys in key groups. Each key group is associated with one storage entity; for example, every encryption-enabled tape volume has a corresponding key group.
To use separate KMS servers for tape and cloud storage
- Add the first KMS configuration in NetBackup, say KMS1. The default value of the enableForBackup attribute for KMS1 is 1.
- Add the second KMS configuration in NetBackup, say KMS2. The default value of the enableForBackup attribute for KMS2 is 1.
See Configuring KMS.
- Create all the required key groups and keys for tapes in KMS1. Ensure that none of the key groups correspond to cloud storage.
- Create all the required key groups and keys for cloud storage in KMS2. Ensure that none of the key groups correspond to tape.
See Configuring keys in an external KMS for NetBackup consumption.
- To verify the configuration, run backups using tape and cloud storage.
Encryption-enabled storage servers of type tape and cloud now use different KMS servers. During backup, NetBackup fetches the ordered KMS list and looks for the key group in the first KMS server, then in the next one.
So, if KMS1 has a higher priority than KMS2, KMS1 is searched first for the required key. Even for backups that go to cloud storage, the key request goes first to KMS1 and only then to KMS2. Therefore, you need to ensure that KMS1 does not have any key group that corresponds to cloud storage.
During restores as well, keys are searched for in the available KMS servers in priority order.
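The following Python script is an added example, not NetBackup code or output. It models the ordered key-group lookup described above and adds the check the procedure asks for: that no key group on KMS1 was created for cloud storage and none on KMS2 for tape. The server names, priorities, key-group names (ENCR_tape_pool_A, cloud_msdp_srv1, and so on) and the rule that enableForBackup gates only backup lookups are assumptions made for the example; the attribute name enableForBackup and its default of 1 are taken from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class KmsServer:
    """One KMS configuration as seen by the lookup model (constructed)."""
    name: str
    priority: int                      # lower number = searched first
    enable_for_backup: int = 1         # the page's enableForBackup attribute, default 1
    # key group name -> storage type the group was created for ("tape" or "cloud")
    key_groups: Dict[str, str] = field(default_factory=dict)


def ordered_servers(servers: List[KmsServer]) -> List[KmsServer]:
    """The ordered KMS list NetBackup walks: highest priority first."""
    return sorted(servers, key=lambda s: s.priority)


def resolve_kms(servers: List[KmsServer], key_group: str,
                for_backup: bool = True) -> Optional[str]:
    """Return the name of the first KMS in priority order that holds key_group.

    Assumption of this model: enableForBackup=0 skips a server for backups only;
    restores still walk every server in priority order.
    """
    for s in ordered_servers(servers):
        if for_backup and s.enable_for_backup != 1:
            continue
        if key_group in s.key_groups:
            return s.name
    return None


def check_partition(servers: List[KmsServer],
                    intended: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Verify the procedure's requirement: every key group lives on the KMS
    meant for its storage type. Returns (kms, key_group, storage_type) for
    each violation; an empty list means the partition is clean."""
    problems = []
    for s in servers:
        wanted = intended[s.name]
        for kg, storage_type in s.key_groups.items():
            if storage_type != wanted:
                problems.append((s.name, kg, storage_type))
    return problems


# Constructed sample configuration: KMS1 serves tape, KMS2 serves cloud.
INTENDED = {"KMS1": "tape", "KMS2": "cloud"}


def build_correct_config() -> List[KmsServer]:
    kms1 = KmsServer("KMS1", priority=1,
                     key_groups={"ENCR_tape_pool_A": "tape",
                                 "ENCR_tape_pool_B": "tape"})
    kms2 = KmsServer("KMS2", priority=2,
                     key_groups={"cloud_msdp_srv1": "cloud"})
    return [kms1, kms2]


def build_misconfigured_config() -> List[KmsServer]:
    """Same as above, but a cloud key group was also created in KMS1.
    Because KMS1 has higher priority, cloud backups now get their key from
    KMS1, which defeats the purpose of the separate servers."""
    servers = build_correct_config()
    servers[0].key_groups["cloud_msdp_srv1"] = "cloud"
    return servers


if __name__ == "__main__":
    for label, cfg in (("correct", build_correct_config()),
                       ("misconfigured", build_misconfigured_config())):
        print(f"[{label}] tape key group resolves to",
              resolve_kms(cfg, "ENCR_tape_pool_A"))
        print(f"[{label}] cloud key group resolves to",
              resolve_kms(cfg, "cloud_msdp_srv1"))
        print(f"[{label}] partition violations:", check_partition(cfg, INTENDED))
```

Run the script to see the clean configuration route the cloud key group to KMS2 and the misconfigured one route it to KMS1; check_partition reports the stray key group, which is the condition step 3 of the procedure tells you to rule out.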