Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section III. Encryption of data at rest
  4. Cloud key management service configuration in NetBackup
  5. Examples of cloud KMS configuration using nbkmscmd command
NetBackup™ Security and Encryption Guide

Examples of cloud KMS configuration using nbkmscmd command

The -keyname parameter of the nbkmscmd command specifies the unique identifier of the cloud KMS key:

  • For AWS: KMS Key ARN (for example: arn:aws:kms:ap-south- 1:123456789012:key/abcd1234-56ef-78gh-90ij-klmnopqrstuv)

  • For GCP: Resource Name (for example: projects/demo-project/locations/useast1/ keyRings/demo-ring/cryptoKeys/demo-key)

  • For Azure: Key URI (for example: https://demo-keyvault.vault.azure.net/keys/demokey/ abcd1234567890)

The -keyGroupName parameter can be a name that you can use in NetBackup for easier identification and management. This is the name that you can use to create MSDP storage server.

Amazon Web Services (AWS)

nbkmscmd -createKey \

-name aws-kms-server-name \

-keyname arn:aws:kms:region:account-id:key/key-id \

-keyGroupName aws-key-group-name \

-algorithm AWS_SYMMETRIC_DEFAULT

nbkmscmd -createKey \

-name aws-kms-server-name \

-keyname arn:aws:kms:region:account-id:key/key-id \

-keyGroupName aws-key-group-name \

-algorithm RSA_OAEP_256

Google Cloud Platform (GCP)

nbkmscmd -createKey \

-name gcp-kms-server-name \

-keyname projects/project-id/locations/<location>/keyRings/<key-ringname>/ cryptoKeys/crypto-key-name \

-keyGroupName gcp-key-group-name \

-algorithm GOOGLE_SYMMETRIC_ENCRYPTION

Microsoft Azure

nbkmscmd -createKey \

-name azure-kms-server-name \

-keyname https://keyvault-name.vault.azure.net/keys/key-name \

-keyGroupName azure-key-group-name \

-algorithm RSA_OAEP_256

Feedback

Was this page helpful?
Previous

Add a key in NetBackup to use the cloud KMS server

Next

Hardware Security Module (HSM) support in NetBackup

Feedback

Was this page helpful?