Encrypting backups from the deduplication shell
To encrypt backups on a WORM or an MSDP storage server, you can configure MSDP encryption with or without the Key Management Service (KMS).
Use the following procedures to configure encryption for your backups from the deduplication shell.
To configure MSDP encryption with KMS
- Open an SSH session to the server as the msdpadm user, or for NetBackup Flex Scale, as an appliance administrator.
- Run the following command:
setting encryption enable-kms kms_server=<server> key_group=<key group>
Where <server> is the host name of the external KMS server and <key group> is the KMS server key group name.
- To verify the KMS encryption status, run the setting encryption kms-status command.
To configure MSDP encryption without KMS
- Open an SSH session to the server as the msdpadm user, or for NetBackup Flex Scale, as an appliance administrator.
- Run the following command:
setting encryption enable
- To verify the MSDP encryption status, run the setting encryption status command.
The convert-legacy-kms command migrates the legacy index-based KMS to KEK-based KMS. This migration decrypts each SO record using the legacy KMS key and then re-encrypts it using the active KEK.
To rotate keys for KEK encryption:
Use the rotate-kektag command to create a new KEK and rotate SO records to the new KEK under the new three-tiered KMS system. In this system, KMS keys encrypt KEKs, which in turn encrypt SO records.
The rotate-kms-keys command rotates the KMS keys under the new KMS system. KEKs, which are stored in the KMS proxy database, are decrypted using the KMS key they were wrapped with and then re-encrypted using the active KMS key. SO records are not rewritten by this command, because they are encrypted by the KEKs, not by the KMS keys directly.
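The following is an added model of the three-tiered hierarchy described above (KMS key wraps KEK, KEK wraps SO record) and of what rotate-kektag and rotate-kms-keys each rewrite; it is illustrative code, not the MSDP or NetBackup implementation. The wrap/unwrap primitive is an HMAC-SHA256 encrypt-then-MAC stand-in chosen so the script runs with the standard library only; a real deployment would use a proper key-wrap cipher, and the KeyHierarchy class, its method names and the constructed SO record bytes are assumptions.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in keystream (model only, not AES)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(key, data):
    # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KeyHierarchy:
    """Assumed model: KMS key -> KEK -> SO record; KEKs live wrapped in a 'KMS proxy database'."""
    def __init__(self):
        self.kms_keys, self.kek_db, self.so_records = {}, {}, {}
        self.active_kms = self.active_kek = None
    def add_kms_key(self, kms_id):
        self.kms_keys[kms_id] = os.urandom(32)   # raw key held by the KMS
        self.active_kms = kms_id
    def new_kek(self, tag):
        # KEK is generated, wrapped under the active KMS key, and stored by tag
        self.kek_db[tag] = (self.active_kms, wrap(self.kms_keys[self.active_kms], os.urandom(32)))
        self.active_kek = tag
    def _kek(self, tag):
        kms_id, blob = self.kek_db[tag]
        return unwrap(self.kms_keys[kms_id], blob)
    def store_so(self, so_id, data):
        self.so_records[so_id] = (self.active_kek, wrap(self._kek(self.active_kek), data))
    def read_so(self, so_id):
        tag, blob = self.so_records[so_id]
        return unwrap(self._kek(tag), blob)
    def rotate_kektag(self, new_tag):
        # rotate-kektag: create a new KEK and re-wrap every SO record under it
        self.new_kek(new_tag)
        for so_id, (tag, blob) in list(self.so_records.items()):
            self.so_records[so_id] = (new_tag, wrap(self._kek(new_tag), unwrap(self._kek(tag), blob)))
    def rotate_kms_keys(self, new_kms_id):
        # rotate-kms-keys: new KMS key, every KEK re-wrapped; SO records are untouched
        self.add_kms_key(new_kms_id)
        for tag, (kms_id, blob) in list(self.kek_db.items()):
            self.kek_db[tag] = (new_kms_id, wrap(self.kms_keys[new_kms_id], unwrap(self.kms_keys[kms_id], blob)))
```

After rotate_kms_keys the old KMS key can be dropped and every SO record still reads back, which is the property a practitioner should verify before retiring a key.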