Updating the KMS configuration
For security or compliance reasons, you may want to make the following changes to the KMS configuration.
KMS conversion
Use KMS conversion to convert index-based KMS data containers to KEK-based KMS data containers. You can convert legacy KMS after you upgrade to NetBackup 10.5 from NetBackup 10.2 and earlier versions if KMS encryption was enabled previously. KMS conversion uses Encryption Crawler to update the data containers for datastores with KMS encryption enabled.
KMS key rotation
Use KMS key rotation to replace the KMS key that is used to encrypt the KEK without changing the existing KEK.
KMS KEK rotation
KMS KEK rotation generates a new active KMS KEK and updates the data containers to use the new active KEK's tag. Use KMS KEK rotation if the KEK has been compromised. KMS KEK rotation uses Encryption Crawler to update the data containers for datastores with KMS encryption enabled.
KMS vendor migration
KMS vendor migration lets you change KMS service providers, for example from NetBackup KMS to a third-party KMS vendor, from a third-party KMS vendor to NetBackup KMS, or from third-party KMS vendor A to third-party KMS vendor B. Before you use KMS vendor migration, you must configure the additional KMS service providers. The KMS key group name on the new KMS service must match the KMS key group name on the current KMS service.
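The difference between KMS key rotation and KMS KEK rotation described above, as an added example that is not NetBackup code: a generic envelope-encryption model in Python. The `Datastore` class, the per-container wrapped data key, and the XOR-based `wrap` stand-in are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def wrap(key: bytes, blob: bytes) -> bytes:
    """Stand-in for a real key-wrap algorithm (assumption, not production crypto).
    XOR with a key-derived pad, so calling wrap() again with the same key unwraps."""
    pad = hmac.new(key, b"wrap-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))


def tag_of(kek: bytes) -> str:
    """Short identifier a container records to say which KEK protects it."""
    return hashlib.sha256(kek).hexdigest()[:8]


class Datastore:
    """Hypothetical model: KMS key -> KEK -> per-container data key."""

    def __init__(self, n_containers: int):
        self.kms_key = os.urandom(32)               # held by the KMS service
        kek = os.urandom(32)
        self.wrapped_kek = wrap(self.kms_key, kek)  # KEK stored only in wrapped form
        # Assumption: each container stores a data key wrapped by the KEK.
        self.containers = [
            {"kek_tag": tag_of(kek), "wrapped_dek": wrap(kek, os.urandom(32))}
            for _ in range(n_containers)
        ]

    def kek(self) -> bytes:
        return wrap(self.kms_key, self.wrapped_kek)

    def rotate_kms_key(self) -> int:
        """Re-wrap the same KEK under a new KMS key. Returns containers touched."""
        kek = self.kek()
        self.kms_key = os.urandom(32)
        self.wrapped_kek = wrap(self.kms_key, kek)
        return 0

    def rotate_kek(self) -> int:
        """Generate a new active KEK and re-tag every container with it."""
        old, new = self.kek(), os.urandom(32)
        for c in self.containers:
            dek = wrap(old, c["wrapped_dek"])       # unwrap with the old KEK
            c["wrapped_dek"] = wrap(new, dek)
            c["kek_tag"] = tag_of(new)
        self.wrapped_kek = wrap(self.kms_key, new)
        return len(self.containers)
```

In this model key rotation touches no containers, while KEK rotation must visit every one, which corresponds to the work the page assigns to Encryption Crawler.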