Additional security considerations for MSDP media servers
This information is applicable only for MSDP storage servers.
Starting with NetBackup 11.1, NetBackup prefers the KMIP Encrypt/Decrypt operations to communicate with an external KMS server. If the KMS server does not support the Encrypt/Decrypt operations, NetBackup automatically falls back to the GetKey operation to communicate with the KMS server.
With the GetKey operation, the key is transferred from the KMS server to the NetBackup primary server, which may cause security issues.
For enhanced security, you can configure NetBackup to disable the transfer of the key from the KMS server to the NetBackup primary server. The KMIP server must support the Encrypt/Decrypt operations for encryption and decryption to function as required.
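The fallback described above, modeled as an added example (not NetBackup code or configuration): `MockKms`, `protect` and the `allow_key_transfer` flag are hypothetical names, and the XOR keystream is a toy stand-in for a real cipher. It shows that key bytes reach the client only on the GetKey path, and that with key transfer disabled the operation fails closed when the server lacks Encrypt/Decrypt.

```python
import hashlib
import hmac
import os


def _toy_cipher(key, nonce, data):
    # Toy XOR keystream (HMAC-SHA256 of the nonce); illustration only,
    # handles data up to 32 bytes.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class MockKms:
    """Constructed stand-in for an external KMS server; not a KMIP client."""

    def __init__(self, supported_ops):
        self.supported_ops = set(supported_ops)
        self._key = os.urandom(32)  # key material held by the KMS

    def _require(self, op):
        if op not in self.supported_ops:
            raise NotImplementedError(op)

    def encrypt(self, data):
        # Server-side operation: only ciphertext is returned to the caller.
        self._require("Encrypt")
        nonce = os.urandom(16)
        return nonce + _toy_cipher(self._key, nonce, data)

    def get_key(self):
        # The key itself is transferred to the caller.
        self._require("GetKey")
        return self._key


def protect(kms, data, allow_key_transfer):
    """Return (operation used, ciphertext, key bytes seen by the client)."""
    try:
        return "Encrypt", kms.encrypt(data), None
    except NotImplementedError:
        if not allow_key_transfer:
            # Fail closed instead of silently pulling the key off the KMS.
            raise RuntimeError("Encrypt unsupported and key transfer disabled")
    key = kms.get_key()  # fallback path: the client now holds the key
    nonce = os.urandom(16)
    return "GetKey", nonce + _toy_cipher(key, nonce, data), key
```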