Really, really read the chapter on KMS. You have to save and protect your passphrases.

You should run the command to list your keys (which shows keytags) and save that with your passphrases. If you have all that you should be able to recreate your keys. (Keep in a secure place.)

The KMS chapter says over and over and over again to verify you have all the info stored so you can recreate it.

You can also make a backup of your KMS files to do a restore. You can just back up the file that has the keys in it and recover that by using the passphrase for the HMK and KPK.

-----Original Message-----
From: Harpreet SINGH [mailto:harpreet_si...@ctl.creative.com]
Sent: Wednesday, March 10, 2010 8:20 PM
To: Judy Hinchcliffe
Cc: da...@stanaway.net; veritas-bu@mailman.eng.auburn.edu; veritas-bu-boun...@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] KMS Key Rotation

Dear All,

Once you have set up the KMS and assuming you want to restore them, what is the necessary info required to restore? Pool Name ?? Key Name = ?? Key Tag ?? etc. Phase-1 and Phase-2 don't show this info. From where will we get this info for the restore?

With Warm Regards
Harpreet Singh Chana
Phone : (O) 6895 - 4326
Fax : (O) 6895 - 4991

<judy_hinchcliffe@administaff.com>
Sent by: veritas-bu-bounces...@mailman.eng.auburn.edu
03/09/2010 11:24 PM
To: <da...@stanaway.net>, <veritas-bu@mailman.eng.auburn.edu>
cc:
Subject: Re: [Veritas-bu] KMS Key Rotation

I agree with David.
I just started with KMS and the only change I have made so far is to deprecate the testing key I was using and put in my first production key. And I only did this after I did all the testing. Expire tape, import tape. Expire tape, remove key, failed import. Recover key, good import. Remove database, recover database. Remove database, rebuild/recover database. Making sure passphrases were secure and making sure both my prod site and DR site could read each other's tapes.

I am sure we will be changing keys, where I need to make sure I know the start and retire date of a key/passphrase in case I come across an old tape.

From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of David Stanaway
Sent: Monday, March 08, 2010 9:36 PM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] KMS Key Rotation

The limitation for the number of 'active' keytags in the keygroup dictates that you don't rotate the keys too often. It is pretty easy to cycle the keys out of the keygroup and recover them back in if you need, so don't let that stifle your desired rotation config. Just make sure you have a bulletproof way of making secure redundant hard copies of the keys, and test the full lifecycle including restore from recovered key and have it comfortable for your backup admins.

On 3/8/2010 6:00 PM, Adams, Dwayne wrote:

Hello,

I am working on setting up KMS. If you are using KMS in your environment, do you rotate keys with your data sets? (Monthly, Yearly???) I have read that it is a "Best Practice" to rotate your keys as the data encrypted with that key expires. Are people really doing this with KMS? It is a tradeoff between security and restore complexity. What are NetBackup Admins doing in the "Real World"?
Thanks
Dwayne Adams

_______________________________________________
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu