Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Veritas NetBackup™ Security and Encryption Guide
  3. Section III. Encryption of data at rest
  4. NetBackup key management service
  5. About the Key Management Service (KMS)
  6. KMS considerations
Veritas NetBackup™ Security and Encryption Guide

KMS considerations

The following table describes the considerations that relate to the functionality and use of KMS.

Table: Considerations that relate to the functionality and use of KMS

Consideration

Description

New NBKMS service

The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes.

New nbkmsutil KMS configuration utility

For security reasons, the KMS configuration utility can only be run from the master server as root or administrator.

NetBackup wide changes

Changes were necessary throughout NetBackup for the following:

  • To allow for the ENCR_ prefix on the volume pool names.

  • To communicate with the key Management Service.

  • To provide support for the T10 / SCSI standard tape drives with embedded encryption.

  • NetBackup GUI and CLI changes to report the encryption key tag addition to the NetBackup image information

    The bpimmedia and bpimagelist were modified.

  • An emphasis on recoverability and ease of use for this NetBackup release

    The recommended option is that all encryption keys are generated with pass phrases. You type in a pass phrase and the key management system creates a reproducible encryption key from that pass phrase.

KMS installation and deployment decisions

Following are decisions you must make for KMS deployment:

  • Whether to choose KMS random generated keys or pass phrase generated keys

  • Whether to include NBAC deployment

KMS security

No burden is placed on existing NetBackup services with additional security concerns.

Cipher types

The following cipher types are supported in KMS:

  • AES_128

  • AES_192

  • AES_256 (default cipher)

KMS recoverability

You can use KMS in such a way where all of the encryption keys are generated from pass phrases. You can record these pass phrases and then use them at a later time to recreate the entire KMS for NetBackup.

A randomly-generated key cannot be recovered if it is lost and therefore is not recommended.

KMS files

KMS files associated with it where information on the keys is kept, as follows:

  • Key file or key database

    Contains the data encryption keys. The key file is located at:

    On UNIX: /usr/openv/kms/db/KMS_DATA.dat

    On Windows: NetBackup_install_path\kms\db\KMS_DATA.dat

  • Host master key

    Contains the encryption key that encrypts and protects the KMS_DATA key file using AES 256. The host master key is located at:

    On UNIX: /usr/openv/kms/key/KMS_HMKF.dat

    On Windows: NetBackup_install_path\kms\key\KMS_HMKF.dat

  • Key protection key

    Encryption key that encrypts and protects individual records in the KMS_DATA key file using AES 256. The key protection key is located at:

    On Unix: /usr/openv/kms/key/KMS_KPKF.dat

    On Windows: NetBackup_install_path\kms\key\KMS_KPKF.dat

    Currently the same key protection key is used to encrypt all of the records.

    • Back up KMS files

      If you want to back up the KMS files, the best practices should be followed. Put the KMS database file on one tape and the HMK files and KPK files on another tape. To gain access to encrypted tapes, someone would then need to obtain both tapes.

      Another alternative is to back up the KMS data files outside of the normal NetBackup process. You can copy these files to a separate CD, DVD, or USB drive.

      Note:

      The KMS data files are not included in the NetBackup catalog backups.

      You can also rely on pass phrase generated encryption keys to manually rebuild KMS. All of the keys can be generated by passphrases and their corresponding salts. If you have recorded all of the encryption key passphrases and their corresponding salts you can manually recreate KMS from information you have written down. If you only have a few encryption keys you generate this process could be short.

Key records

Key records contain many fields but the primary records are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata.

These key records are defined as follows:

  • Encryption key

    This key is given to the tape drive.

  • Encryption key Tag

    This tag is the identifier for the encryption key.

  • Record state

    Each of the key records has a state. The states are prelive, active, inactive, deprecated, and terminated.

  • Metadata

    Metadata includes logical name, creation date, modification date, and description.

Key groups

Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one active state key record at any time. NetBackup supports 100 key groups. Only 30 encryption keys are allowed per key group.

Tape drives and media capabilities

Drive, tape, and NetBackup capabilities must all match for drive encryption to be successful. A number of drives adhere to the T10 standard. Some well-known tape drives we support (that adhere to the T10 standard) are LT0-4, LT0-5, LT0-6, IBM TS1120/30/40, Oracle T10000B/C, and so on.

You can still run earlier LTO versions for reading and writing but you cannot encrypt the data. For example, if you use LT02 media, that data can be read in LT04 drives but they cannot be written in either unencrypted or encrypted format.

You must keep track of these drive issues and media issues as you run setup encryption. Not only do you need the drives that are capable of encryption but the media needs to be grouped and capable of encryption. For later decryption the tape must be placed in a drive that is capable of decryption.

Refer to Table: Media support for encryption for brief information about interoperability between media and tape drives. It is recommended that you refer to vendor-specific user guides for detailed information.

Refer to the article HOWTO56305 for more details.

KMS with NBAC

Information on using KMS with NBAC is included where applicable in various sections of this document. For further information, refer to the NetBackup NBAC documentation.

KMS with HA clustering

Information on using KMS with HA clustering is included where applicable in various sections of this document. For further information, refer to the NetBackup HA documentation

KMS logging

The service uses the new unified logging and has been assigned OID 286. The nbkmsutil command uses traditional logging and its logs can be found at:

On Unix: /usr/openv/netbackup/logs/admin/*.log

On Windows: NetBackup_install_path\NetBackup\logs\admin\*.log

KMS with Cloud

Information on using KMS with Cloud providers is included where applicable in various sections of this document. For further information, refer to the NetBackup Cloud Administrator's Guide.

KMS with AdvancedDisk

Information on using KMS with AdvancedDisk storage is included where applicable in various sections of this document. For further information, refer to the NetBackup AdvancedDisk Storage Solutions Guide.

NBAC and KMS permissions

Typically when using NBAC and the Setupmaster command is run, the NetBackup related group permissions (for example, NBU_Admin and KMS_Admin) are created. The default root and administrator users are also added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded. The solution is to grant the root and administrator users NBU_Admin and KMS_Admin permissions manually.

Table: Media support for encryption

Media

LTO4 tape drives

LTO5 tape drives

LTO6 tape drives

LTO-2 media

Read only no encryption support

Not supported

Not supported

LTO-3 media

Read and Write no encryption support

Read only no encryption support

Not supported

LTO-4 media

Read and Write encryption enabled

Read and Write encryption enabled

read-only encryption enabled

LTO-5 media

Not supported

Read and Write encryption enabled

Read and Write encryption enabled

LTO-6 media

Not supported

Not supported

Read and Write encryption enabled

Feedback

Was this page helpful?
Previous

About the Key Management Service (KMS)

Next

KMS principles of operation

Feedback

Was this page helpful?