© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Security and Encryption Guide

Recovering KMS by regenerating the data encryption key

You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records.

Note:

A randomly-generated key cannot be recovered if it is lost.

To recover KMS by regenerating the data encryption key

  1. Create an empty KMS database by running the following command:
    nbkms -createemptydb

    You do not have to use the same host master key and key protection key. You can choose new keys.

  2. Run the nbkmsutil -recoverkey command and specify the key group, key name, and tag:
    nbkmsutil -recoverkey -kgname ENCR_pool1 -keyname Q1_2008_key -tag d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90

    If you did not keep an electronic copy of the output of the nbkmsutil -listkey command when you created the key, you must enter all 64 characters manually.

  3. Enter the passphrase (and salt) at the prompt. It must be an exact match with the original passphrase you previously provided.

    Salt (if applicable) must match the salt corresponding to the key that you want to recover.

    Note:

    If the tag you enter already exists in the KMS database, you cannot recreate the key.

  4. If the recovered key is the key that you want to use for backups, run the following command to make the key active:
    nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state active

    The -recoverkey option brings the key record into the KMS database in the inactive state, so a key that is needed for backups must be activated explicitly.

  5. If this is a key record that is to be deprecated, run the following command:
    nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state deprecated
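
The procedure above depends on re-entering each record's key group, key name and 64-character tag exactly. The following added example (not part of the NetBackup guide) checks a saved inventory of key records and prints the commands from steps 2, 4 and 5 for each one. The inventory line format and the function names valid_tag and plan_recovery are assumptions of this example; only the nbkmsutil options shown on this page are used.

```bash
#!/usr/bin/env bash
# Added example: turn a saved key-record inventory into recovery commands.
# Inventory line format (an assumption of this example, not a NetBackup format):
#   <key_group> <key_name> <tag> <final_state>

# valid_tag TAG: succeed only if TAG is exactly 64 hexadecimal characters.
valid_tag() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# plan_recovery: read the inventory on stdin and print the commands to run by
# hand (nbkmsutil still prompts for the passphrase). Rejected records are
# printed as comments and make the function return non-zero.
plan_recovery() {
  local kg name tag state lc seen=" " rc=0 n=0
  while read -r kg name tag state; do
    n=$((n + 1))
    case "$kg" in ''|'#'*) continue ;; esac
    if ! valid_tag "$tag"; then
      echo "# line $n: skip $kg/$name: tag is not 64 hex characters"
      rc=1; continue
    fi
    lc=$(printf '%s' "$tag" | tr 'A-F' 'a-f')
    case "$seen" in *" $lc "*)
      echo "# line $n: skip $kg/$name: tag already used by an earlier record"
      rc=1; continue ;;
    esac
    seen="$seen$lc "
    echo "nbkmsutil -recoverkey -kgname $kg -keyname $name -tag $tag"
    case "$state" in
      active|deprecated)
        echo "nbkmsutil -modifykey -kgname $kg -keyname $name -state $state" ;;
      inactive|'') ;;  # -recoverkey already leaves the record inactive
      *) echo "# line $n: $kg/$name: unknown state '$state', left inactive"
         rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample; only the first record's values appear on the page.
plan_recovery <<'EOF' || echo "# fix the skipped records, then re-run"
ENCR_pool1 Q1_2008_key d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90 active
ENCR_pool1 Q4_2007_key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde deprecated
EOF
```

The second sample record is rejected because its constructed tag is one character short, which is the kind of error manual entry of the tag produces.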
