bewleberkl

NetBackup KMS HowTo

Jun 20th, 2017
KMS provides support for Advanced Disk and Cloud storage providers.

KMS works with encryption-capable tape drives. A SCSI command enables encryption on the encryption-capable tape drive. NetBackup accesses this capability through the volume pool name.

KMS provides support for the T10 / SCSI standard tape drives with embedded (LTO4 and equivalent) encryption.
Drive, tape, and NetBackup capabilities must all match for drive encryption to be successful. A number of drives adhere to the standard. The LTO4 is a typical type.
Currently only LTO4 drives and LTO4 media can be encrypted or decrypted. You can still run LTO3 media in LTO4 drives for reading and writing, but you cannot encrypt the data. If you use LTO2 media, that data can be read in LTO4 drives, but it cannot be written in either unencrypted or encrypted format.
You must keep track of these drive and media issues as you set up encryption. Not only do you need drives that are capable of encryption, but the media needs to be grouped and capable of encryption. For later decryption the tape must be placed in a drive that is capable of decryption.
Following is the interoperability matrix for the tape drives and media:
¦ LTO4 drives can read LTO2, LTO3, and LTO4 media
¦ LTO4 drives can write LTO3 and LTO4 media
¦ LTO4 drives can only encrypt LTO4 media
¦ LTO4 encrypted and decrypted media only works in LTO4 drives

AES_256 is the default (AES_128 and AES_192 are also supported).

KMS can be configured for randomly generated keys or passphrase-generated keys. Passphrase-generated keys are recommended. (Using a passphrase has definite benefits: it results in keys with better security strength, and if keys are lost you can regenerate them by providing the passphrase that was used to create the original key. Failing to enter a passphrase results in a randomly generated key that cannot be reproduced.)

The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes.

nbkmsutil - KMS configuration utility: For security reasons, the KMS configuration utility can only be run from the master server as root or administrator.

The "ENCR_" prefix on Volume Pools is essential to tell the "BPTM" process that the tape is to be encrypted. The Volume Pool name is then provided to "KMS", and "KMS" identifies it as an exact match to a Key Group name to pick the active key to use for backups. This requires that Key Group names also follow standard volume pool naming conventions.

Process flow:

- Backup:
- BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted.

- BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool. KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag).

- BPTM places the drive in encryption mode and registers the key tag and identifier tag with the drive. This process is all done with the SCSI security protocol in or out command that has been added to the SCSI specification.

- The backup then proceeds as normal.

- When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode.

- BPTM then records the tag in the NetBackup image record catalog.

- Restore:
When a tape is read and an area of the tape is encountered where an image is encrypted, BPTM determines what tag is used, and KMS loads that record and key into BPTM. BPTM then provides the key to the drive and reading the tape proceeds as normal.

Key Records:
- Key records contain many fields, but the primary ones are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata.
These fields are defined as follows:
¦ Encryption key: This key is given to the tape drive.
¦ Encryption key tag: This tag is the identifier for the encryption key and is used by NetBackup to identify which key a backup image was created with (important for restore functionality).
¦ Record state: Each of the key records has a state. The states are prelive, active, inactive, deprecated, and terminated.
¦ Metadata: Metadata includes logical name, creation date, modification date, and description.
Note: all key records must belong to a key group. Read on...

Key Groups:
Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one key record in the active state at any time.
- NetBackup 7.5 supports 100 key groups.
- NetBackup 7.0 supported 20 key groups and NetBackup 6.5.2 supported two key groups.
- Only 10 encryption keys are allowed per key group.

DR:
To ensure the KMS database is recoverable in the event of a loss, copies of the KMS database should be kept at a designated DR site, and Information Security needs to store a copy of the passphrases in a secondary secured location.

In the event of a disaster, the KMS database must be able to be re-created or restored independently of the encrypted tapes, or any other NetBackup-involved restores. In other words, do not rely on backups of the KMS database done to encrypted tapes, or you will not be able to restore them without having them in the first place.

NOTE: The KMS database is NOT backed up as part of the catalog backup, and must be backed up separately.

Any time the KMS database is updated, it should be backed up again, and the list of passphrases and related information updated to reflect the new phrase, and to ensure the removal of any reference to any keys that have been deleted.

Saving Passphrases:
Keeping a list of all the passphrases alone isn't enough to ensure the KMS database can be rebuilt properly from passphrases.

It is also important to keep a list of all the keys that belong to a Key Group name, and their associated Key Tags. A list can be generated by the following command:

nbkmsutil -listkeys -kgname <key_group_name>

Note: Veritas recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.

When Information Security stores the passphrases, they will also need to keep a record of each associated Key Tag and Key Name related to the respective passphrase.

Backing up the KMS database is a simple matter of quiescing the database and then copying the files to a DR site or other secure location.

To quiesce the KMS DB, run:

nbkmsutil -quiescedb

This command returns with a quiesce successful statement and an indication of the number of outstanding calls.

After you have copied the files, you can unquiesce the KMS database files by using this command:

nbkmsutil -unquiescedb

A quiesce sets the KMS DB to read-only administrator mode. Quiescing is required to make a consistent backup copy of the KMS DB files.

Key file or key database:
Contains the data encryption keys. The key file is located at:
/usr/openv/kms/db/KMS_DATA.dat

Host master key (HMK): contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. Located at:
/usr/openv/kms/key/KMS_HMKF.dat

Key protection key (KPK): the encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is located at:
/usr/openv/kms/key/KMS_KPKF.dat

Currently the same key protection key is used to encrypt all of the records.

Options:
- Put the KMS database file on one tape and the HMK file and KPK file on another tape. To gain access to encrypted tapes, someone would then need to obtain both tapes.
-AND/OR-
- Another alternative is to back up the KMS data files outside of the normal NetBackup process. You can copy these files to a separate CD, DVD, or USB drive.
-AND/OR-
- You can also rely on passphrase-generated encryption keys to manually rebuild KMS. All of the keys can be generated by passphrases. If you have recorded all of the encryption key passphrases, you can manually recreate KMS from the information you have written down. If you only have a few encryption keys, this process could be short.
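The quiesce, copy, record-the-keys, unquiesce procedure above as one script. This is an added example, not part of the original paste or of NetBackup itself. It assumes the default nbkmsutil and KMS file paths listed above (each can be overridden through an environment variable), writes KMS_DATA.dat and the HMK/KPK files into separate directories so they can be shipped on separate media, and saves one nbkmsutil -listkeys capture per key group name passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original paste): make a consistent copy of the
# KMS database for DR. Quiesce -> copy files -> record key lists -> unquiesce.
# Paths below are the NetBackup defaults given on this page; override via env.
NBKMSUTIL="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"
KMS_DB="${KMS_DB:-/usr/openv/kms/db/KMS_DATA.dat}"
KMS_HMK="${KMS_HMK:-/usr/openv/kms/key/KMS_HMKF.dat}"
KMS_KPK="${KMS_KPK:-/usr/openv/kms/key/KMS_KPKF.dat}"

# kms_backup DEST KEYGROUP...
# DEST/db gets KMS_DATA.dat, DEST/key gets the HMK and KPK files, and
# DEST/keylists gets one "nbkmsutil -listkeys" capture per key group (the key
# names and tags are what -recoverkey needs later). Keep DEST off the encrypted
# tapes it protects. Returns non-zero if any copy or listing failed; the DB is
# always unquiesced again, even on failure.
kms_backup() {
    dest="$1"; shift
    [ "$#" -gt 0 ] || { echo "usage: kms_backup DEST KEYGROUP..." >&2; return 2; }
    mkdir -p "$dest/db" "$dest/key" "$dest/keylists" || return 1

    # Read-only administrator mode: required for a consistent copy.
    "$NBKMSUTIL" -quiescedb || return 1

    rc=0
    cp -p "$KMS_DB" "$dest/db/" || rc=1
    cp -p "$KMS_HMK" "$KMS_KPK" "$dest/key/" || rc=1
    for kg in "$@"; do
        "$NBKMSUTIL" -listkeys -kgname "$kg" > "$dest/keylists/$kg.txt" || rc=1
    done

    # Leave KMS writable again whatever happened above, then report.
    "$NBKMSUTIL" -unquiescedb || rc=1
    chmod -R go-rwx "$dest" 2>/dev/null || true   # key material: owner-only
    return "$rc"
}

# Typical call on the master server (uncomment to run):
# kms_backup /mnt/dr/kms-$(date +%Y%m%d) ENCR_Offsite ENCR_pool1
```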

Recovery Procedures:
NOTE: The KMS data files are not included in the NetBackup catalog backups. Simply restoring the catalog will NOT restore your keys.

To rebuild the database from passphrases, follow the instructions in the Configuration section below for installing the KMS database and creating the "ENCR_Offsite" Key Group. Once these are created, you can use the "-recoverkey" option, providing the appropriate Key Name and Key Tag (this can also be used to migrate a key to a different environment):

nbkmsutil -recoverkey -kgname <key_group_name> -keyname <key_name> -tag <key_tag>

This also requires entering the exact same passphrase as the original key when prompted.

Example of recovering KMS by regenerating the data encryption key:
1. Create an empty KMS database by running the following command:
nbkms -createemptydb
You do not have to use the same host master key and key protection key. You can choose new keys.

2. Run the nbkmsutil -recoverkey command and specify the key group, key name, and tag:
nbkmsutil -recoverkey -kgname ENCR_pool1 -keyname Q1_2008_key -tag d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90
Note: If you did not keep an electronic copy of the output of the nbkmsutil -listkeys command when you created the key, you must enter all 64 characters manually.

3. Enter the passphrase at the prompt. It must be an exact match with the original passphrase you previously provided.
Note: If the tag you enter already exists in the KMS database, you cannot recreate the key.

4. If the recovered key is the key that you want to use for backups, run the following command to make the key active:
nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state active

The -recoverkey option places the key record in the inactive state; it is brought into the KMS database in the inactive state.

5. If this is a key record that is to be deprecated, run the following command:
nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state deprecated

To restore the KMS files, simply copy them to the appropriate locations.

Considerations:

Only 10 keys are allowed per Key Group (and consequently per Volume Pool).
- Adding a new key too often may cause old keys to be retired too quickly, such that old data on older tapes will not be able to be recovered, despite not having reached its expiration date.
- Adding new keys too infrequently poses a potential security risk, and may create inconsistencies with the expiration of data on older tapes that are to be retired.
- The KMS data files are NOT included in the NetBackup Catalog backups, and should be backed up separately with special consideration.

Key Rotation and Usage Policy:
- Example:
- If your maximum retention is 10 years, and each group/pool can have up to 10 keys, the key rotations should occur yearly, with any keys older than 10 years being deleted from the database to make room for newer keys.
- In environments where the retention is shorter, more frequent rotations can occur.
- A key must be put into a "Deprecated" or "Terminated" state no later than 12 months after the maximum retention for data/tapes in the environment, based on when the key was last in an "active" state.
- A key should only be deleted to make room for a new key to be created within the group, or to ensure retired media can no longer be read.
- "Offsite Archive" tapes that are kept "indefinitely" should be created with a key or set of keys that are NEVER to be deleted, nor put into a "Deprecated" or "Terminated" state.
- Such keys should still be rotated on a yearly basis, but after a maximum of 10 years the keys will have to be re-used, as they cannot be deleted.
- In this case the key's description should contain date ranges that depict the time frames during which the key was used.
- No other keys should be re-instated as "Active" after having been removed from an "Active" state.
- Tapes retained on-site, in a secure location, do not need to be encrypted.
- "Archive" tapes that are stored on-site should NEVER be encrypted, to ensure recoverability.
- On-site tapes should be stored in a secured and climate-controlled location.
- Tapes sent off-site, or that are handled by a third party at any time, MUST be encrypted.
- Catalog Backup tapes are an exception and should not be encrypted, to ensure the catalog can be easily and quickly restored.
- Since the Catalog is merely a listing of what was backed up, it does not contain any highly sensitive data within it.

Logging:
- The NetBackup master server's nbkms service uses the new unified logging and has been assigned OID 286.
- The nbkmsutil command uses traditional logging, and its logs can be found in the files /usr/openv/netbackup/logs/admin/*.log

Configuration:

The KMS service is called nbkms. The service does not run until the data file has been set up, which minimizes the effect on environments not using KMS.

To install KMS:
1. Run the nbkms -createemptydb command.
2. Enter a passphrase for the host master key (HMK). You can also press Enter to create a randomly generated key.
3. Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.
4. Enter a passphrase for the key protection key (KPK).
5. Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.

The KMS service (supposedly) starts after you enter the ID and press Enter.

6. Start the service by running the following command:
/usr/openv/netbackup/bin/nbkms &
7. Use the grep command to ensure that the service has started, as follows:
ps -ef | grep nbkms | grep -v grep

8. Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have the prefix ENCR_.
Note: When using key management with Cloud storage, the ENCR_ prefix is not required for the key group name.

To create a (non-Cloud storage) key group, use the following command syntax:
nbkmsutil -createkg -kgname ENCR_volumepoolname
- For tape-based encryption, the ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.

To create a Cloud storage key group, use the following command syntax:
nbkmsutil -createkg -kgname cloud_provider_URL:volume_name

9. Create a key record by using the -createkey option:
nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname -activate -desc "message"
- The key name and message are optional; they can help you identify this key when you display the key.
- The -activate option skips the prelive state and creates this key as active.

10. Provide the passphrase again when the script prompts you. In the following example the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"

11. You can create another key record using the same command; a different key name and description help you distinguish the key records:
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"
Note: If you create more than one key record by using the command nbkmsutil -createkey -kgname name -activate, only the last key remains active.

12. To list all of the keys that belong to a key group name, use the following command:
nbkmsutil -listkeys -kgname key_group_name
Note: Veritas recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.

Example:

[root@rhel7nbmaster ~]# cd /usr/openv/netbackup/bin

[root@rhel7nbmaster bin]# ./nbkms -createemptydb
Enter the Host Master Key (HMK) passphrase (or hit ENTER to use a randomly
generated HMK). The passphrase will not be displayed on the screen.
Enter passphrase :
Re-enter passphrase :

An ID will be associated with the Host Master Key (HMK) just created. The ID
will assist you in determining the HMK associated with any key store.
Enter HMK ID : rhel7nbmasterhmk

Enter the Key Protection Key (KPK) passphrase (or hit ENTER to use a randomly
generated KPK). The passphrase will not be displayed on the screen.
Enter passphrase :
Re-enter passphrase :

An ID will be associated with the Key Protection Key (KPK) just created. The
ID will assist you in determining the KPK associated with any key store.
Enter KPK ID : rhel7nbmasterkpk

Operation successfully completed
[root@rhel7nbmaster bin]#

[root@rhel7nbmaster bin]# ps -ef | grep nbkms | grep -v grep

[root@rhel7nbmaster bin]# /usr/openv/netbackup/bin/nbkms &
[2] 9776

[root@rhel7nbmaster bin]# ps -ef | grep nbkms | grep -v grep
root 9791 1 0 12:16 ? 00:00:00 /usr/openv/netbackup/bin/nbkms

[root@rhel7nbmaster bin]# nbkmsutil -createkey -kgname ENCR_Offsite -keyname Q3_2014_Q3_2015key -activate -desc "Key for Offsite tapes from Q3 2014 through Q3 2015"

Enter a passphrase:
Re-enter the passphrase:

New Key creation is successful

[root@rhel7nbmaster bin]#

[root@rhel7nbmaster bin]# nbkmsutil -listkeys -kgname ENCR_Offsite

Key Group Name : ENCR_Offsite
Supported Cipher : AES_256
Number of Keys : 1
Has Active Key : Yes
Creation Time : Sun Dec 14 12:36:19 2014
Last Modification Time: Sun Dec 14 12:36:19 2014
Description : -

Key Tag : 064ead104a63447dfb2f481e5ba9b2549a496f91b3e3344391972573d28b85ef
Key Name : Q3_2014_Q3_2015key
Current State : ACTIVE
Creation Time : Sun Dec 14 12:48:59 2014
Last Modification Time: Sun Dec 14 12:48:59 2014
Description : Key for Offsite tapes from Q3 2014 through Q3 2015

Number of Keys: 1

[root@rhel7nbmaster bin]#

Advanced Disk:
- To use encryption, you must use the AdvancedDisk_crypt type when you configure the storage servers and the disk pools. You also must use the nbdevconfig command to configure the storage servers and the disk pools. For the AdvancedDisk_crypt type of storage server, you must specify the -st option with a value of 5.

/usr/openv/netbackup/bin/admincmd/nbdevconfig -creatests -storage_server hostname -stype server_type -st 5 -media_server hostname [-setattribute attribute]

Command-line configuration (the only configuration method for Advanced Disk) requires 3 major steps:
1) If the KMS database has not been configured on the NB master yet, that is step 1 (nbkms -createemptydb using the passphrase method, then start the NetBackup Key Management Service on the master server).
2) Create key groups for the volumes in the disk pool (nbkmsutil -createkg -kgname storage_server_name:volume_name), where volume_name is the last directory name. For example, if the pathname is /mnt/disk/backups, the volume_name must be backups, as follows:
nbkmsutil -createkg -kgname UX_Host.Veritass.org:backups
- On storage that is exposed as a drive letter (such as E:\), nothing appears after the last slash. Therefore, the volume_name is not required, as follows:
nbkmsutil -createkg -kgname Win_Host.Veritass.org:
3) Create a key record for each group (nbkmsutil -createkey -keyname keyname -kgname key_group_name -activate).
Note: save a record of the key group names: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkgs
Note 2: For each key group, write all of the keys that belong to the group to a file. Run the command on the master server. The following is the command syntax:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname <key_group_name>

[root@rhel7nbmaster bptm]# nbdevconfig -creatests -storage_server rhel7nbmaster -stype AdvancedDisk_crypt -st 5 -media_server rhel7nbmaster
Storage server rhel7nbmaster has been successfully created

[root@rhel7nbmaster bptm]# nbdevquery -liststs -stype AdvancedDisk_crypt -U
Storage Server : rhel7nbmaster
Storage Server Type : AdvancedDisk_crypt
Storage Type : Formatted Disk, Direct Attached
State : UP
Flag : OpenStorage
Flag : AdminUp
Flag : InternalUp
Flag : LifeCycle
Flag : CapacityMgmt
Flag : FragmentImages
Flag : Cpr
Flag : FT-Transfer
Flag : OptimizedImage
Flag : MetaData

Cloud storage providers:
- Veritas recommends that you use the Cloud Storage Server Configuration Wizard and the Disk Pool Configuration Wizard. The wizards include the steps that configure key management and encryption.
- Alternatively, the admin can use the command line (not recommended). Command-line configuration requires 3 major steps:
1) If the KMS database has not been configured on the NB master yet, that is step 1 (nbkms -createemptydb using the passphrase method, then start the NetBackup Key Management Service on the master server).
2) Create key groups for the volumes in the disk pool (nbkmsutil -createkg -kgname storage_server_name:volume_name).
3) Create a key record for each group (nbkmsutil -createkey -keyname keyname -kgname key_group_name -activate).
Note: save a record of the key group names: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkgs
Note 2: For each key group, write all of the keys that belong to the group to a file. Run the command on the master server. The following is the command syntax:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname <key_group_name>

bpimagelist output (the tape copy is copy #2 in this example):

Copy number: 2
Fragment: 1
Kilobytes: 32
Remainder: 0
Media Type: Media Manager (2)
Density: hcart (6)
File Num: 16
ID: 3005TA
Host: rhel7nbmaster
Block Size: 65536
Offset: 22775
Media Date: Sun 14 Dec 2014 03:47:59 PM ES (1418590079)
Dev Written On: 0
Flags: 0x40 (Tape Encrypted)
Media Descriptor: ?
Expiration Time: Sat 19 Sep 2015 04:41:25 PM ED (1442695285)
MPX: 0
retention_lvl: 9 months (7)
Try to Keep Time: Sat 19 Sep 2015 04:41:25 PM ED (1442695285)
Copy Creation Time: Sun 14 Dec 2014 03:48:48 PM ES (1418590128)
Data Format: Tar
checkpoint: 0
resume num: 1
Key tag: 064ead104a63447dfb2f481e5ba9b2549a496f91b3e3344391972573d28b85ef
STL tag: *NULL*
Copy on hold: 0
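The restore path described in the process flow only works while the key tag that BPTM wrote into the image record still resolves to a key in KMS. The check below, an added example that is not part of the original paste or of NetBackup, cross-references saved bpimagelist output against saved nbkmsutil -listkeys output (both in the formats shown on this page) and is meant to be run before a key is deprecated or deleted under the rotation policy, or after a KMS rebuild. It assumes that the page's retirement states, deprecated and terminated, are not usable for restore; the sample captures are constructed, apart from the key tag and media ID taken from the page.

```shell
#!/bin/sh
# Added example (not from the original paste): cross-check the key tags that
# bpimagelist records for encrypted tape copies against the key records that
# "nbkmsutil -listkeys" reports. Run it before deprecating or deleting a key
# under the rotation policy, and after a KMS rebuild, to spot copies whose key
# is gone (MISSING) or already in a retirement state (DEPRECATED/TERMINATED).
# Input formats follow the listkeys and bpimagelist output shown on this page.

# check_restorable IMAGELIST_FILE LISTKEYS_FILE
# Prints "<media id> <key tag> <verdict>" for every copy that carries a key tag.
check_restorable() {
    awk -F' *: *' '
        { sub(/^[ \t]+/, "") }                  # tolerate indented output
        NR == FNR {                             # first file: -listkeys capture
            if ($1 == "Key Tag")       tag = $2
            if ($1 == "Current State") state[tag] = $2
            next
        }
        $1 == "ID"      { id = $2 }             # second file: bpimagelist
        $1 == "Key tag" {
            if (!($2 in state))           v = "MISSING"
            else if (state[$2] == "DEPRECATED" ||
                     state[$2] == "TERMINATED") v = state[$2]
            else                          v = "OK"
            print id, $2, v
        }
    ' "$2" "$1"
}

# demo: run the check over CONSTRUCTED sample captures (the first key tag and
# media ID are the ones shown on this page; the rest are made up for the demo).
demo() {
    d=$(mktemp -d)
    cat > "$d/listkeys.txt" <<'EOF'
Key Group Name : ENCR_Offsite
Supported Cipher : AES_256
Number of Keys : 2
Has Active Key : Yes

Key Tag : 064ead104a63447dfb2f481e5ba9b2549a496f91b3e3344391972573d28b85ef
Key Name : Q3_2014_Q3_2015key
Current State : ACTIVE

Key Tag : b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2
Key Name : Q3_2013_Q3_2014key
Current State : DEPRECATED
EOF
    cat > "$d/images.txt" <<'EOF'
Copy number: 2
ID: 3005TA
Flags: 0x40 (Tape Encrypted)
Key tag: 064ead104a63447dfb2f481e5ba9b2549a496f91b3e3344391972573d28b85ef
Copy number: 2
ID: 3006TA
Flags: 0x40 (Tape Encrypted)
Key tag: b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2b1c2
Copy number: 2
ID: 3007TA
Flags: 0x40 (Tape Encrypted)
Key tag: feedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeedfeed
EOF
    check_restorable "$d/images.txt" "$d/listkeys.txt"
    rm -rf "$d"
}
```

On a real master server, feed it the output of bpimagelist -L and of nbkmsutil -listkeys -kgname for the key group behind the volume pool, saved to files.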

==================================================================================

Lab passphrase for both HMK and KPK: youcancountmeout