Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Deduplication Guide
  5. Configuring deduplication
  7. About MSDP Encryption using KMS service
  9. Upgrading KMS for MSDP
Veritas NetBackup™ Deduplication Guide

Upgrading KMS for MSDP

During the NetBackup upgrade, KMS rolling conversion runs along with MSDP encryption rolling conversion.

The supported NetBackup upgrade paths are:

  • NetBackup 7.7.3 to 8.1.2

  • NetBackup 8.0 to 8.1.1

  • NetBackup 8.1 to 8.1.1

For additional information, refer to the Configuring KMS section in the &CompanyNameShort; NetBackup Security and Encryption Guide.

Before you upgrade KMS, complete the following steps:

Note:

The following steps are not supported on Solaris OS. For Solaris, refer to the following article:

Upgrade KMS encryption for MSDP on the Solaris platform

  1. Create an empty database using the following command:

    • For UNIX:

      /usr/openv/netbackup/bin/nbkms -createemptydb

    • For Windows:

      <install_path>\&CompanyNameShort;\NetBackup\bin\nbkms.exe -createemptydb

      Enter the following parameters when you receive a prompt:

      • Enter the HMK passphrase

        Enter a password that you want to set as the host master key (HMK) passphrase. Press Enter to use a randomly generated HMK passphrase. The passphrase is not displayed on the screen.

      • Enter HMK ID

        Enter a unique ID to associate with the host master key. This ID helps you to determine an HMK associated with any key store.

      • Enter KPK passphrase

        Enter a password that you want to set as the key protection key (KPK) passphrase. Press Enter to use a randomly generated HMK passphrase. The passphrase is not displayed on the screen.

      • Enter KPK ID

        Enter a unique ID to associate with the key protection key. This ID helps you to determine a KPK associated with any key store.

    After the operation completes successfully, run the following command on the master server to start KMS:

    • For UNIX:

      /usr/openv/netbackup/bin/nbkms

    • For Windows:

      sc start NetBackup Key Management Service

  2. Create a key group and an active key by entering the following commands:

    • For UNIX:

      /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname msdp

      /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname msdp -keyname name - activate

    • For Windows:

      <install_path>\&CompanyNameShort;\NetBackup\bin\admincmd\nbkmsutil.exe -createkg -kgname msdp

      <install_path>\&CompanyNameShort;\NetBackup\bin\admincmd\nbkmsutil.exe -createkey -kgname msdp -keyname name -activate

    Enter a password that you want set as the key passphrase.

  3. Create a kms.cfg configuration file at the following location on the NetBackup media server where you have configured the MSDP storage:

    • On UNIX:

      /usr/openv/pdde/kms.cfg

    • On Windows:

      <install_path>\&CompanyNameShort;\pdde\kms.cfg

    Add the following content to the kms.cfg file:

    [KMSOptions]
KMSEnable=true
KMSKeyGroupName=YourKMSKeyGroupName
KMSServerName=YourKMSServerName
KMSType=0

    For KMSServerName, enter the hostname of the server where the KMS service runs, mainly the master server hostname.

After completing the steps, you can upgrade MSDP.

Feedback

Was this page helpful?
Previous

About MSDP Encryption using KMS service

Next

Configuring a storage server for a Media Server Deduplication Pool

Feedback

Was this page helpful?