NetBackup™ Security and Encryption Guide

Creating credentials in the cloud with permissions to access the created key

NetBackup supports the following credential types with respect to the supported cloud providers:

  • Amazon Web Services (AWS)

    • Access key - requires access key ID and secret access key.

    • IAM role - assign the role to the EC2 instance that runs the NetBackup primary server. The role must have KMS permissions (kms:Encrypt, kms:Decrypt) for the key you want to use.

  • Google Cloud Platform (GCP)

    • Service account - requires client email address, private key, project ID, private key ID, and client ID. The service account must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter).

    • Application default credentials - attach a service account to the VM that runs the NetBackup primary server. This service account must have the roles/cloudkms.cryptoKeyEncrypterDecrypter role for the cloud KMS key.

  • Microsoft Azure

    • Service principal - requires client ID, tenant ID, and secret key. The service principal must be granted Cryptographic Operations (encrypt, decrypt) permissions on the key in Azure Key Vault.

    • Managed identity - assign the managed identity to the Azure VM that runs the NetBackup primary server, and ensure that it has encrypt and decrypt permissions on the Key Vault key.
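
For the AWS credential types above, the following added example (not part of the NetBackup documentation or product) audits an IAM policy document to confirm that it grants only kms:Encrypt and kms:Decrypt, and only on the key you want to use. The key ARN and both sample policies are constructed placeholders, and `audit_kms_policy` is a hypothetical helper name; Condition blocks are not evaluated.

```python
import json

# The two KMS actions the page names; IAM action names are case-insensitive.
REQUIRED = {"kms:encrypt", "kms:decrypt"}

# Constructed samples: the account ID and key ID below are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]})

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_kms_policy(policy_json, key_arn):
    """Return findings; an empty list means the policy allows exactly
    kms:Encrypt and kms:Decrypt on key_arn and no other KMS access."""
    findings, granted = [], set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource needs manual review")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        kms = [a for a in actions if a == "*" or a.startswith("kms:")]
        if not kms:
            continue  # statement does not touch KMS
        for a in kms:
            if "*" in a or "?" in a:
                findings.append(f"statement {i}: wildcard action {a}")
            elif a not in REQUIRED:
                findings.append(f"statement {i}: KMS action beyond encrypt/decrypt: {a}")
        resources = _as_list(stmt.get("Resource"))
        for r in resources:
            if r != key_arn:
                findings.append(f"statement {i}: resource not limited to the key: {r}")
        if key_arn in resources:
            granted.update(a for a in kms if a in REQUIRED)
    for action in sorted(REQUIRED - granted):
        findings.append(f"not granted by a key-scoped statement: {action}")
    return findings

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_kms_policy(doc, KEY_ARN))
```
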
