Command line interface (CLI)
| From the CLI, you can operate the KMS feature using the nbkmsutil command. You can use the CLI to create a new key group, create a new key, modify key group attributes, modify key attributes, get details of key groups, get details of keys, delete a key group, delete a key, recover a key, modify the host master key, get the host master key ID, modify the key protection key, get the key protection key ID, get keystore statistics, quiesce the KMS database, and unquiesce the KMS database.
|
Host Master Key (HMK)
| The host master key contains the encryption key that encrypts and protects the KMS_DATA key file using AES 256. The host master key is located at:
On UNIX: /usr/openv/kms/key/KMS_HMKF.dat
On Windows: NetBackup_install_path\kms\key\KMS_HMKF.dat
|
Key
| A key is an encryption key that is used to encrypt and decrypt data.
|
Key group record (KGR)
| A key group record contains the details of a key group.
|
Key Management Service (KMS)
| The Key Management Service is a master server-based symmetric key management service that manages symmetric cryptography keys. Keys are managed for the tape drives that conform to the T10 standard (LTO4) and for AdvancedDisk_Crypt, PureDisk, and Cloud Encrypted Storage Server. The KMS is located at:
On Unix: /usr/openv/netbackup/bin/nbkms
On Windows: NetBackup_install_path\NetBackup\bin\nbkms.exe
|
Key record (KR)
| A key record contains the details of an encryption key.
|
KMS database
| The KMS database contains the data encryption keys.
|
Key Protection Key (KPK)
| A key protection key is an encryption key that encrypts and protects individual records in the KMS_DATA key file using AES 256. The key protection key is located at:
On Unix: /usr/openv/kms/key/KMS_KPKF.dat
On Windows: NetBackup_install_path\kms\key\KMS_KPKF.dat
Currently the same key protection key is used to encrypt all of the records.
|
Key file (key database)
| A key file or key database contains the data encryption keys. The key file is located at:
On Unix: /usr/openv/kms/db/KMS_DATA.dat
On Windows: NetBackup_install_path\kms\db\KMS_DATA.dat
|
Key group
| The key group is a logical name and grouping of key records. A key group can only have one active state key record at any time. One hundred key groups are supported.
|
Key record
| Key records include the encryption key, encryption key tag, and the record state. Other useful metadata such as logical name, creation date, modification date, and description are also included.
|
Key record states
| Key record states are as follows:
Prelive: the key record has been created, but has never been used.
Active: the key record can be used for encryption and decryption in both backup and restore.
Inactive: the key record cannot be used for encryption, but can be used for decryption only during restore.
Deprecated: the key record cannot be used for encryption or decryption.
Terminated: the key record is not available for use, but it can be deleted.
|
Keystore
| The keystore is the file that keeps the data encryption keys.
|
Passphrase
| The passphrase is a user-specified random string that is used as a seed to create encryption keys. You have a choice of creating the HMK, the KPK, and the encryption key with or without a passphrase.
Keep track of all passphrases by recording them and storing them in a safe place for future use. Using a passphrase has definite benefits. It results in keys with better security strength. And if keys are lost, you can regenerate them by providing the passphrase along with the corresponding salt that was used to create the original key.
|
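As an added illustration (not part of the NetBackup documentation or its code), the following Python model enforces the key record states above and the key group rule that only one record may be Active at a time. The class and method names are my own, and the rules are limited to what the glossary states: Active records encrypt and decrypt, Inactive records decrypt only, Deprecated records do neither, and only Terminated records can be deleted.

```python
from dataclasses import dataclass, field
from enum import Enum
import uuid

class KeyState(Enum):
    PRELIVE = "prelive"        # created, never used
    ACTIVE = "active"          # encryption and decryption (backup and restore)
    INACTIVE = "inactive"      # decryption only (restore)
    DEPRECATED = "deprecated"  # neither encryption nor decryption
    TERMINATED = "terminated"  # not available for use, but may be deleted

@dataclass
class KeyRecord:
    name: str
    state: KeyState = KeyState.PRELIVE
    tag: str = field(default_factory=lambda: str(uuid.uuid4()))  # UUID tag

    def can_encrypt(self) -> bool:
        return self.state is KeyState.ACTIVE

    def can_decrypt(self) -> bool:
        return self.state in (KeyState.ACTIVE, KeyState.INACTIVE)

@dataclass
class KeyGroup:
    """Logical grouping of key records; at most one may be Active at a time."""
    name: str
    records: dict = field(default_factory=dict)  # tag -> KeyRecord

    def set_state(self, tag: str, new_state: KeyState) -> None:
        # Glossary invariant: only one Active key record per group.
        if new_state is KeyState.ACTIVE and any(
                r.state is KeyState.ACTIVE and r.tag != tag for r in self.records.values()):
            raise ValueError(f"group {self.name!r} already has an active key")
        self.records[tag].state = new_state

    def encryption_key(self):
        # Backups use the single Active record; None means nothing is usable.
        return next((r for r in self.records.values() if r.can_encrypt()), None)

    def decryption_key(self, tag: str):
        # Restores look the record up by the tag stored with the data.
        rec = self.records.get(tag)
        return rec if rec is not None and rec.can_decrypt() else None

    def delete(self, tag: str) -> None:
        # Only Terminated records can be deleted.
        if self.records[tag].state is not KeyState.TERMINATED:
            raise ValueError("only terminated key records can be deleted")
        del self.records[tag]
```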
Quiesce
| A quiesce sets the KMS DB to read-only administrator mode. Quiescing is required to make a backup of a consistent copy of the KMS DB files.
|
Tag
| A tag is a unique identifier (UUID) used to identify an individual key or key group in a keystore.
|