KMS Key Rotation
Post KMS Key Rotation 
Hello,

I am working on setting up KMS. If you are using KMS in your environment, do you rotate keys with your data sets? (Monthly, Yearly???) I have read that it is a “Best Practice” to rotate your keys as the data encrypted with that key expires. Are people really doing this with KMS? It is a tradeoff between security and restore complexity. What are Netbackup Admins doing in the “Real World”?

Thanks

Dwayne Adams

Post KMS Key Rotation 
The limitation on the number of 'active' key tags in the keygroup dictates that you don't rotate the keys too often. It is pretty easy to cycle the keys out of the keygroup and recover them back in if you need, so don't let that stifle your desired rotation config. Just make sure you have a bulletproof way of making secure redundant hard copies of the keys, and test the full lifecycle, including restore from a recovered key, and make sure it's comfortable for your backup admins.


On 3/8/2010 6:00 PM, Adams, Dwayne wrote:

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

Post KMS Key Rotation 
I agree with David. I just started with KMS and the only change I have made so far is to deprecate the testing key I was using and put in my first production key. And I only did this after I did all the testing: expire tape, import tape. Expire tape, remove key, failed import. Recover key, good import. Remove database, recover database. Remove database, rebuild/recover database. Making sure passphrases were secure and making sure both my prod site and DR site could read each other's tapes.

I am sure we will be changing keys, so I need to make sure I know the start and retire date of a key/passphrase in case I come across an old tape.

From: veritas-bu-bounces < at > mailman.eng.auburn.edu [mailto:veritas-bu-bounces < at > mailman.eng.auburn.edu] On Behalf Of David Stanaway
Sent: Monday, March 08, 2010 9:36 PM
To: veritas-bu < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] KMS Key Rotation

Post KMS Key Rotation 
Dear All,

Once you have set up KMS and assuming you want to restore them, what is the necessary info required to restore?

Pool Name ??
Key Name = ??
Key Tag ??
etc.

Phase-1 and Phase-2 don't show this info.

From where will we get this info for the restore?

With Warm Regards
Harpreet Singh Chana



From: judy_hinchcliffe < at > administaff.com
Sent by: veritas-bu-bounces < at > mailman.eng.auburn.edu
To: david < at > stanaway.net, veritas-bu < at > mailman.eng.auburn.edu
Date: 03/09/2010 11:24 PM
Subject: Re: [Veritas-bu] KMS Key Rotation

Post KMS Key Rotation 
Really, really read the chapter on KMS.

You have to save and protect your passphrases.

You should run the command to list your keys (which shows key tags) and save that with your passphrases.
If you have all that, you should be able to recreate your keys. (Keep it in a secure place.)

The KMS chapter says over and over and over again to verify you have all the info stored so you can recreate it.

You can also make a backup of your KMS files to do a restore.
You can just back up the file that has the keys in it and recover that by using the passphrases for the HMK and KPK.

-----Original Message-----
From: Harpreet SINGH [mailto:harpreet_singh < at > ctl.creative.com]
Sent: Wednesday, March 10, 2010 8:20 PM
To: Judy Hinchcliffe
Cc: david < at > stanaway.net; veritas-bu < at > mailman.eng.auburn.edu; veritas-bu-bounces < at > mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] KMS Key Rotation


Post KMS Key Rotation 
Hi,

You can also recover missing keys from the hashes or from the passwords.

Justin.

On Thu, 11 Mar 2010, judy_hinchcliffe < at > administaff.com wrote:


Post KMS Key Rotation 

Why are you importing the tapes? If you're restoring to the same
master which created them that's unnecessary.

But whether you've imported the images or the images are still on
their original server, the key tag is what you need, and that shows
up in the GUI (it's in the manual) for each image and, IIRC, in
bpimagelist. That key tag is what NetBackup matches against keys in
Active and Inactive status; if found, that key is used for
decryption.

If there is no matching key tag, you must restore/import/re-create
it from your documentation and/or the keystore backups you have
maintained. Example management of keys/changes/records has been
supplied earlier, notably by Hinchcliffe.

FYI, I have been told, but have not tested, that _all_ keys in the
keystore, regardless of keygroup, are tested when looking for a
decryption key.



Post KMS Key Rotation 
Bob said "FYI, I have been told, but have not tested, that _all_ keys in the keystore, regardless of keygroup, are tested when looking for a decryption key."

I have to agree that is true....

I did a test of a tape made in SiteA, sent to SiteB.
When I put the tape in the library it did NOT go into my ENCR volume pool.
I did the phase 1 and I checked that the key tag matched one in my SiteB KMS.
I was then able to do the phase 2.

The point is: the key tag HAS to match something in the KMS.

-----Original Message-----
From: bob944 [mailto:bob944 < at > attglobal.net]
Sent: Friday, March 12, 2010 1:22 PM
To: veritas-bu < at > mailman.eng.auburn.edu
Cc: harpreet_singh < at > ctl.creative.com
Subject: RE: [Veritas-bu] KMS Key Rotation

_______________________________________________
Veritas-bu maillist - Veritas-bu < at > mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
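Added example, not code from the thread or from Veritas: the two checks the thread keeps coming back to, Hinchcliffe's "list your keys and save the key tags with your passphrases" and bob944's "an image is only restorable if its key tag matches a key in Active or Inactive state", written as a Python audit that runs offline. It parses a constructed approximation of `nbkmsutil -listkeys` output, a hypothetical CSV export of image key tags (the real `bpimagelist` layout is not reproduced here), and a hypothetical offline key record, then classifies every image. The field labels, the CSV columns, the record layout and the key tags are all assumptions made for this example; the Active/Inactive rule is taken from the thread.

```python
import csv, io, re
from collections import namedtuple

# Per the thread: NetBackup will use a key for decryption only if it is Active or Inactive.
DECRYPT_STATES = {"Active", "Inactive"}
KmsKey = namedtuple("KmsKey", "group name tag state")      # tag: hex, lower-cased
_FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")  # 'Label : value' lines


def parse_listkeys(text):
    """Parse nbkmsutil -listkeys style output (layout assumed; field order not relied on)."""
    keys, group, cur = [], None, {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Key Group Name":
            group = value
        elif label in ("Key Tag", "Key Name", "Current State"):
            cur[label] = value
            if len(cur) == 3:  # one key block is complete
                keys.append(KmsKey(group, cur["Key Name"], cur["Key Tag"].lower(), cur["Current State"]))
                cur = {}
    return keys


def parse_image_export(text):
    """Hypothetical CSV export backup_id,media_id,key_tag (not the real bpimagelist layout)."""
    return [(r["backup_id"], r["media_id"], r["key_tag"].strip().lower())
            for r in csv.DictReader(io.StringIO(text))]


def parse_key_record(text):
    """Hypothetical offline record: '<key_tag> <keygroup> <keyname>' per line, '#' comments."""
    record = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, group, name = line.split()
            record[tag.lower()] = (group, name)
    return record


def audit(listkeys_text, images_text, record_text):
    """Classify every image by its key tag and flag keystore keys absent from the record."""
    keys = parse_listkeys(listkeys_text)
    by_tag = {k.tag: k for k in keys}
    record = parse_key_record(record_text)
    report = {"usable": [], "state_change_needed": [], "recover_from_record": [], "unrecoverable": []}
    for backup_id, media_id, tag in parse_image_export(images_text):
        key = by_tag.get(tag)
        if key and key.state in DECRYPT_STATES:
            report["usable"].append(backup_id)
        elif key:               # in the keystore, but not in a state NetBackup will use
            report["state_change_needed"].append((backup_id, key.name, key.state))
        elif tag in record:     # gone from the keystore, but its tag was recorded
            report["recover_from_record"].append((backup_id, record[tag][1]))
        else:                   # no key and no record: this tape cannot be read
            report["unrecoverable"].append((backup_id, media_id, tag))
    report["unrecorded_keys"] = sorted(k.name for k in keys if k.tag not in record)
    return report


# Constructed sample data; the tags are made up (real key tags are long hex strings).
TAG_A, TAG_B, TAG_C, TAG_D = "a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32

SAMPLE_LISTKEYS = f"""\
Key Group Name        : ENCR_pool
Supported Cipher      : AES_256

  Key Tag               : {TAG_A}
  Key Name              : prod_2010q1
  Current State         : Active
  Creation Time         : Mon Mar  8 18:00:00 2010

  Key Tag               : {TAG_B}
  Key Name              : prod_2009
  Current State         : Inactive

  Key Tag               : {TAG_C}
  Key Name              : test_key
  Current State         : Deprecated
"""

SAMPLE_IMAGES = f"""\
backup_id,media_id,key_tag
srv1_1268092800,E00101,{TAG_A}
srv2_1230800400,E00042,{TAG_B.upper()}
srv3_1265014800,E00077,{TAG_C}
srv4_1200000000,E00003,{TAG_D}
"""

SAMPLE_RECORD = f"""\
# key_tag keygroup keyname   (passphrases are sealed separately, never in this file)
{TAG_A} ENCR_pool prod_2010q1
{TAG_B} ENCR_pool prod_2009
{TAG_D} ENCR_pool prod_2008
"""
```

On the sample data, `audit(SAMPLE_LISTKEYS, SAMPLE_IMAGES, SAMPLE_RECORD)` reports the first two images as usable, the third as needing a state change (its key is still in the keystore but Deprecated), the fourth as recoverable only because its tag and key name were written down before the key was removed, and `test_key` as a key whose tag the offline record has never captured. Run something like this against a real keystore before each rotation and again at the DR site: the last two categories are exactly the gaps Hinchcliffe's lifecycle test (remove key, failed import, recover key, good import) is meant to catch, and the key names in `recover_from_record` are the ones you would re-create from the recorded tag and its passphrase.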
