About MSDP Encryption using NetBackup KMS service
NetBackup integrates its Key Management Server (KMS) with the Media Server Deduplication Pool (MSDP).
MSDP encryption works at the segment level and assigns a unique encryption key to every data segment. A customer key retrieved from NetBackup KMS is then used to encrypt each segment key.
Key creation and activation are not automatic: the user must perform them manually or by script.
You can configure the KMS service from the NetBackup Administration Console or the NetBackup command line during storage server configuration.
Note:
You cannot disable the MSDP KMS service once you enable it.
If the KMS service is not available to MSDP, or the key in the KMS service that MSDP uses is not available, MSDP waits in an infinite loop. While MSDP is in that loop, some of the commands that you run might not respond.
After you configure KMS encryption or once the MSDP processes restart, check the KMS encryption status after the first backup finishes.
The keys in the key dictionary must not be deleted, deprecated, or terminated.
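The following is an added illustration of the segment-level design described above (a fresh key per segment, wrapped by the customer key from the KMS) together with the consequence of a key that is deleted, deprecated or terminated. It is constructed example code, not NetBackup's implementation: the ToyKms class, the key tag, the record layout and the HMAC-based counter-mode cipher (a stand-in for AES so the example runs with only the Python standard library) are all assumptions.

```python
import hashlib
import hmac
import secrets


class KeyUnavailable(Exception):
    """Raised when the customer key is missing from the KMS or not active."""


class ToyKms:
    """Stand-in for the KMS key dictionary (constructed): each key has a state."""

    def __init__(self):
        self._keys = {}  # key tag -> [state, 32-byte key]

    def create_key(self, key_tag):
        self._keys[key_tag] = ["active", secrets.token_bytes(32)]

    def set_state(self, key_tag, state):
        # "deprecated", "terminated" or "deleted" all make the key unusable here,
        # which is why a key that MSDP uses must stay active.
        if state == "deleted":
            self._keys.pop(key_tag, None)
        else:
            self._keys[key_tag][0] = state

    def get_active_key(self, key_tag):
        entry = self._keys.get(key_tag)
        if entry is None or entry[0] != "active":
            # Fail fast with an error; the note above says MSDP itself waits instead.
            raise KeyUnavailable(f"customer key {key_tag!r} is missing or not active")
        return entry[1]


def _subkey(key, label):
    """Derive an independent key for one purpose (encrypt, wrap or MAC)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    """Toy counter-mode cipher: XOR data with HMAC-SHA256(key, nonce || counter).

    A stand-in for AES so the example needs only the standard library; the
    structure (fresh nonce, per-block counter) is what matters here.
    """
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _record_bytes(record):
    return b"".join(record[k] for k in ("wrap_nonce", "wrapped_dek", "nonce", "ciphertext"))


def encrypt_segment(kms, key_tag, segment):
    """Encrypt one segment under a fresh segment key that the customer key wraps."""
    kek = kms.get_active_key(key_tag)   # customer key, fetched from the KMS
    dek = secrets.token_bytes(32)       # unique segment key, never reused
    nonce = secrets.token_bytes(16)
    wrap_nonce = secrets.token_bytes(16)
    record = {
        "key_tag": key_tag,
        "nonce": nonce,
        "ciphertext": _keystream_xor(_subkey(dek, b"enc"), nonce, segment),
        "wrap_nonce": wrap_nonce,
        "wrapped_dek": _keystream_xor(_subkey(kek, b"wrap"), wrap_nonce, dek),
    }
    # Authenticate the stored record with a MAC key derived from the customer key.
    record["tag"] = hmac.new(_subkey(kek, b"mac"), _record_bytes(record), hashlib.sha256).digest()
    return record


def decrypt_segment(kms, record):
    """Reverse of encrypt_segment; the same customer key must still be active."""
    kek = kms.get_active_key(record["key_tag"])
    expected = hmac.new(_subkey(kek, b"mac"), _record_bytes(record), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("segment record failed authentication")
    dek = _keystream_xor(_subkey(kek, b"wrap"), record["wrap_nonce"], record["wrapped_dek"])
    return _keystream_xor(_subkey(dek, b"enc"), record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    kms = ToyKms()
    kms.create_key("msdp-customer-key")  # constructed key tag
    records = [encrypt_segment(kms, "msdp-customer-key", s)
               for s in (b"segment A", b"segment B", b"segment A")]
    print("distinct wrapped segment keys:", len({r["wrapped_dek"] for r in records}))
    kms.set_state("msdp-customer-key", "deprecated")
    try:
        decrypt_segment(kms, records[0])
    except KeyUnavailable as exc:
        print("decrypt refused:", exc)
```

Two identical segments produce two different wrapped segment keys and two different ciphertexts, and once the customer key leaves the active state every stored record becomes unreadable, which is the operational reason the key dictionary entries must be left alone.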
You can use the following commands to check the KMS mode status:
For UNIX:
/usr/openv/pdde/pdcr/bin/crcontrol --getmode
For MSDP cloud, run the following keydictutil command to check if the LSU is in KMS mode:
/usr/openv/pdde/pdcr/bin/keydictutil --list
For Windows:
<install_path>\Veritas\pdde\crcontrol.exe --getmode
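Because the note above warns that commands may stop responding while MSDP waits on the KMS, a monitoring job that runs these status commands should itself never block indefinitely. The following added helper (not NetBackup's code) runs each command with a timeout and reports "timeout" instead of hanging. It uses the command paths from this page but does not parse their output, because the output format is not documented here; the 30-second timeout, the dictionary keys and the commands constructed for the demo are assumptions.

```python
import subprocess
import sys

# Command paths as documented; <install_path> is the Windows placeholder and
# must be filled in before use.
KMS_MODE_COMMANDS = {
    "unix_mode": ["/usr/openv/pdde/pdcr/bin/crcontrol", "--getmode"],
    "unix_cloud_lsu": ["/usr/openv/pdde/pdcr/bin/keydictutil", "--list"],
    "windows_mode": [r"<install_path>\Veritas\pdde\crcontrol.exe", "--getmode"],
}


def run_status_command(argv, timeout_seconds=30):
    """Run one status command without ever waiting on it indefinitely.

    Returns {"state", "returncode", "output"} where state is "ok", "error",
    "timeout" or "missing", so a monitoring job can report a hung MSDP
    instead of hanging along with it.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_seconds)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child by the time this is raised.
        return {"state": "timeout", "returncode": None, "output": ""}
    except FileNotFoundError:
        return {"state": "missing", "returncode": None, "output": ""}
    state = "ok" if proc.returncode == 0 else "error"
    return {"state": state, "returncode": proc.returncode, "output": proc.stdout + proc.stderr}


def check_kms_mode(commands=KMS_MODE_COMMANDS, timeout_seconds=30):
    """Run every listed command and map its name to the resulting state."""
    return {name: run_status_command(argv, timeout_seconds)["state"]
            for name, argv in commands.items()}


def sleeping_command(seconds):
    """Constructed stand-in for a command that never returns (demo only)."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


def responsive_command(text):
    """Constructed stand-in for a command that answers promptly (demo only)."""
    return [sys.executable, "-c", f"print({text!r})"]


if __name__ == "__main__":
    demo = {"hung": sleeping_command(60), "responsive": responsive_command("KMS mode: ok")}
    for name, state in check_kms_mode(demo, timeout_seconds=2).items():
        print(f"{name}: {state}")
```

On a real media server, call check_kms_mode() with only the entries that apply to that platform; a "timeout" result for crcontrol --getmode is worth raising as an alert because it matches the behaviour the note above describes.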
Note:
If you use the nbdevconfig command to add a new encrypted cloud Logical Storage Unit (LSU) and an encrypted LSU already exists in this MSDP, the keygroupname must be the same as the keygroupname of the existing encrypted LSU.
For enabling KMS, refer to the following topics: