Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section III. Encryption of data at rest
  4. NetBackup key management service configuration
  5. KMS operations using command-line interface (CLI)
NetBackup™ Security and Encryption Guide

KMS operations using command-line interface (CLI)

The following topics describe the KMS operations that can be performed using command-line interface (CLI):

  • CLI usage help

    See CLI usage help.

  • Create a new key group

    See Create a new key group.

  • Create a new key

    See Create a new key.

  • Modify key group attributes

    See Modify key group attributes.

  • Modify key attributes

    See Modify key attributes.

  • Get details of key groups

    See Get details of key groups.

  • Get details of keys

    See Get details of keys.

  • Delete a key group

    See Delete a key group.

  • Delete a key

    See Delete a key.

  • Recover a key

    See Recover a key.

  • Modify host master key (HMK)

    See Modify host master key (HMK).

  • Get host master key (HMK) ID

    See Get host master key (HMK) ID.

  • Modify key protection key (KPK)

    See Modify key protection key (KPK).

  • Get key protection key (KPK) ID

    See Get key protection key (KPK) ID.

  • Get keystore statistics

    See Get keystore statistics.

  • Quiesce KMS database

    See Quiesce KMS database.

  • Unquiesce KMS database

    See Unquiesce KMS database.

KMS operations with multiperson authorization

The following KMS operations support multiperson authorization:

Starting with NetBackup 10.5, if multiperson authorization is enabled for a key management operation, bpnbat -login is required for this operation. A multiperson authorization ticket is generated and after the ticket is approved, an empty key database is created. For NetBackup releases earlier than 10.5, if multiperson authorization is enabled, you cannot perform the -createemptydb operation.

nbkms

  • -createemptydb

Starting with NetBackup 10.5, if multiperson authorization is enabled for a key management operation, a ticket is generated. After the multiperson authorization ticket is approved, KMS is configured. For NetBackup releases earlier than 10.5, if multiperson authorization is enabled, you cannot perform nbkmsutil operations.

nbkmsutil

  • -createkg

  • -createkey

  • -modifykg

  • -modifykey

  • -deletekg

  • -deletekey

  • -modifyhmk

  • -modifykpk

  • -export

  • -import

  • -recoverkey

Starting with NetBackup 10.5, if multiperson authorization is enabled for a key management operation, bpnbat -login is required for all the nbkmscmd operations. A multiperson authorization ticket is generated and after the ticket is approved, the KMS operation is performed. For NetBackup releases earlier than 10.5, if multiperson authorization is enabled, you cannot perform nbkmscmd operations.

bpnbat -login is required for the nbkmscmd operations that modify or delete the KMS configuration.

nbkmscmd

  • -configureKMS

  • -deleteKMSConfig

  • -updateKMSConfig

  • -deleteCredential

  • -updateCredential

  • -createKey

Feedback

Was this page helpful?
Previous

Backing up the KMS keystore and administrator keys

Next

CLI usage help

Feedback

Was this page helpful?