Name
nbkmsutil — run the NetBackup Key Management Service utility
SYNOPSIS
[-createkey] [-createkg] [-deletekey] [-deletekg] [-export] [-gethmkid] [-getkpkid] [-import] [-ksstats] [-listkeys] [-listkgs] [-modifyhmk] [-modifykey] [-modifykg] [-modifykpk] [-quiescedb] [-recoverkey] [-unquiescedb]
-createkey [ -nopphrase ] -kgname key_group_name -keyname key_name [ -activate ] [ -desc description ]
-createkg -kgname key_group_name [ -cipher type ] [ -desc description ]
-deletekey -keyname key_name -kgname key_group_name
-deletekg -kgname key_group_name
-export -path secure_key_container [-key_groups key_group_name_1 ... | -key_file key_file_name]
-gethmkid
-getkpkid
-import -path secure_key_container [-preserve_kgname] [-desc description] [-preview]
-ksstats [-noverbose]
-listkeys -kgname key_group_name [ -keyname key_name | -activekey ] [ -verbose ]
-listkgs [ -kgname key_group_name | -cipher type | -emptykgs | -noactive ] [ -verbose ]
-modifyhmk [ -nopphrase ]
-modifykey -keyname key_name -kgname key_group_name [ -state new_state | -activate ] [ -name new_keyname ] [ -desc new_description ]
-modifykg -kgname key_group_name [ -name new_key_group_name ] [ -desc new_description ]
-modifykpk [ -nopphrase ]
-quiescedb
-recoverkey -keyname key_name -kgnamekey_group_name -tag key_tag [-desc description]
-unquiescedb
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\
DESCRIPTION
The nbkmsutil command performs the following operations:
-createkey | Create a new key. The default state of the new key is Prelive. |
-createkg | Create a new key group. The default cipher of the new key group is AES_256. |
-deletekey | Delete a key. Only keys in Prelive and Terminated states can be deleted. |
-deletekg | Delete an empty key group. To force the delete of a key group that is not empty, use the -force option. # nbkmsutil -deletekg -kgname key_group_name -force |
|
-export |
Exports keys and keys groups across domains |
-gethmkid | Return the current HMK ID. |
-getkpkid | Returns the current KPK ID. |
|
-import |
Imports keys and keys groups across domains To preview the results of the import option, use -preview. # nbkmsutil -import -path secure_key_container -preview |
-ksstats | Returns the keystore statistics. The statistics consist of the number of key groups, the total number of keys, and the outstanding quiesce calls. |
-listkeys | Get the details of keys. |
-listkgs | Get the details of the key groups. If no option is specified, retrieve the details of all the key groups. |
-modifyhmk | Modify the host master key (HMK). HMK is used to encrypt the keystore. To modify the HMK, provide an optional seed (passphrase) and an HMK ID which can remind the user of the specified passphrase. The passphrase and the HMK ID are both read interactively. |
-modifykey | Modify key attributes. |
-modifykg | Modify key group attributes. |
-modifykpk | Modify the key protection key (KPK). KPK is used to encrypt KMS keys. KPK is per keystore. To modify the KPK, provide an optional seed (passphrase) and a KPK ID which can remind the user of the specified passphrase. The passphrase and the KPK ID are both read interactively. |
-quiescedb | Sends a quiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned (as multiple backup jobs might quiesce the KMS DB to back it up) |
-recoverkey | Restore could fail if a key used in encrypting the backup data is lost. Such Keys can be recovered (re-created) with the knowledge of the original Key's attributes (tag and passphrase). |
-unquiescedb | Sends an unquiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned. A count of zero (0) means that the KMS database is completely unquiesced. |
OPTIONS
The nbkmsutil command uses the following options:
-activate | Sets the state of the specified key to active. The default state is prelive. |
-activekey | Retrieves the details of a specific key group's active key. |
-cipher | The type of cipher that the key group supports. All keys that belong to a key group support the same cipher type. Supported cipher types are BLOW, AES_128, AES_192, and AES_256 (default cipher). |
-emptykgs | Retrieves the details of all the key groups with zero keys in it. |
-keyname | key_name specifies the name of a key. This name should be unique within a key group. The key group name and key name uniquely identify a key in the keystore. |
-kgname | key_group_name specifies the name of a key group. Within a keystore, the key group name uniquely identifies the key group. |
-name | Specifies the new name of the key group when used with -modifykg or the new name of the key when used with -modifykey. The new key group name must not conflict with other names in the keystore. |
-noactive | Retrieves the details of all the key groups in which there are no active keys. |
-nopphrase | Disables the utility function that prompts you for a pass phrase. Instead, the utility creates the key. The default condition is the use of the pass phrase to create a key with a seed. A lengthy seed and a strong seed results in a strong key. |
-noverbose | Disables verbosity. The default condition is verbosity, which prints the details in readable format. |
-state | new_state specifies the new state of the Key. Possible states are Prelive, Active, Inactive, Deprecated, and Terminated. Key states can be changed only in the following ways:
|
|
-tag |
key_tag specifies a random unique identifier that is created for the key record that the utility creates. The listkey option can display this tag. If you need to recover (recreate) the key record, you need to use the original tag value, hence the - tag option for these recovery options. |