Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Cloud Administrator's Guide
  5. Configuring cloud storage in NetBackup
  7. About key management for encryption of NetBackup cloud storage
Veritas NetBackup™ Cloud Administrator's Guide

About key management for encryption of NetBackup cloud storage

NetBackup uses the Key Management Service (KMS) to manage the keys for the data encryption for disk storage. KMS is a NetBackup master server-based symmetric key management service. The service runs on the NetBackup master server. An additional license is not required to use the KMS functionality.

NetBackup uses KMS to manage the encryption keys for cloud storage.

See About data encryption for cloud storage.

The following table describes the keys that are required for the KMS database. You can enter the pass phrases for these keys when you use the Cloud Storage Server Configuration Wizard.

Table: Encryption keys required for the KMS database

Key

Description

Host Master Key

The Host Master Key protects the key database. The Host Master Key requires a pass phrase and an ID. KMS uses the pass phrase to generate the key.

Key Protection Key

A Key Protection Key protects individual records in the key database. The Key Protection Key requires a pass phrase and an ID. KMS uses the pass phrase to generate the key.

The following table describes the encryption keys that are required for each storage server and volume combination. If you specify encryption when you configured the cloud storage server, you must configure a pass phrases for the key group for the storage volumes. You enter the pass phrase for these keys when you use the Disk Pool Configuration Wizard.

Table: Encryption keys and key records for each storage server and volume combination

Item

Description

Key group key

A key group key protects the key group. Each storage server and volume combination requires a key group, and each key group key requires a pass phrase. The key group name must use the format for the storage type that is described as follows:

For cloud storage, the following is the format:

storage_server_name:volume_name

The following items describe the requirements for the key group name components for cloud storage:

  • storage_server_name: You must use the same name that you use for the storage server. The name can be a fully-qualified domain name or a short name, but it must be the same as the storage server.

  • The colon (:) is required after the storage_server_name.

  • volume_name: You must specify the LSU name that the storage vendor exposes to NetBackup.

The Disk Pool Configuration Wizard conforms to this format when it creates a key group.

Key record

Each key group that you create requires a key record. A key record stores the actual key that protects the data for the storage server and volume.

A name for the key record is optional. If you use a key name, you can use any name. Veritas recommends that you use the same name as the volume name. The Disk Pool Configuration Wizard does not prompt for a key record key; it uses the volume name as the key name.

More information about KMS is available in the NetBackup Security and Encryption Guide.

Feedback

Was this page helpful?
Previous

About data encryption for cloud storage

Next

About cloud storage servers

Feedback

Was this page helpful?