Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section III. Encryption of data at rest
  4. Hardware Security Module (HSM) support in NetBackup
  5. Moving back to file store-based encryption
NetBackup™ Security and Encryption Guide

Moving back to file store-based encryption

After private key of host ID certificate is encrypted using HSM and if it is required to move out of HSM, the private key can be encrypted using keys that are stored on file systems. Note that the file store-based encryption is the default option.

To move back to file store-based encryption

  1. Run the following command to change the NetBackup configuration parameter:

    'nb_cipher_keystore_type' #nbsetconfig nbsetconfig > NB_CIPHER_KEYSTORE_TYPE = nbsetconfig >

  2. Run the following command to rotate the passphrase key:

    nbcertcmd -rotatepassphrasekey

  3. Use the nbcertcmd -listcertdetails command to list the host ID certificate details.

    Check the 'Private Key Encryption State' to ensure that the passphrase of the host ID certificate's private key is encrypted using file store.

Feedback

Was this page helpful?
Previous

Protecting host ID artefacts in NetBackup using HSM

Next

Migrating from one HSM to another HSM

Feedback

Was this page helpful?