Hi,

You can also recover missing keys from the hashes or from the passwords.

Justin.

On Thu, 11 Mar 2010, judy_hinchcli...@administaff.com wrote:

> Really really read the chapter on kms
>
> You have to save protect your passphrases.
>
> You should run the command to list your keys (which shows keytags) and save
> that with your passphrases.
> If you have all that you should be able to recreate your keys. (keep in a
> secure place)
>
> The kms chapter says over and over and over again, to verify you have all the
> info stored so you can recreate it.
>
> You can also make a backup of your kms files to do a restore.
> You can just back up the file that has the keys in and recover that by using
> the passphrase for the HMK and KPK.
>
> -----Original Message-----
> From: Harpreet SINGH [mailto:harpreet_si...@ctl.creative.com]
> Sent: Wednesday, March 10, 2010 8:20 PM
> To: Judy Hinchcliffe
> Cc: da...@stanaway.net; veritas-bu@mailman.eng.auburn.edu;
> veritas-bu-boun...@mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> Dear All,
>
> Once you have set up the KMS and assuming you want to restore them. What is
> the necessary info required to restore.
>
> Pool Name ??
> Key Name = ??
> Key Tag ??
> etc
>
> Phase-1 and Phase-2 don't show this info.
>
> From where we will get this info for the restore.
>
> With Warm Regards
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Harpreet Singh Chana
>
> Phone : (O) 6895 - 4326
> Fax : (O) 6895 - 4991
> =-=-=-=-=-=-=-=-=-=-=-=-=-
>
> From: <judy_hinchcliffe@administaff.com>
> Sent by: veritas-bu-bounces...@mailman.eng.auburn.edu
> To: <da...@stanaway.net>, <veritas-bu@mailman.eng.auburn.edu>
> Date: 03/09/2010 11:24 PM
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> I agree with David. I just started with KMS and the only change I have
> made so far is to deprecate the testing key I was using and put in my
> first production key. And I only did this after I did all the testing.
> Expire tape, import tape. Expire tape, remove key, failed import. Recover
> key, good import. Remove database, recover database. Remove database,
> rebuild/recover database. Making sure pass phrases were secure and making
> sure both my prod site and DR site could read each other's tapes.
>
> I am sure we will be changing keys, where I need to make sure I know the
> start and retire date of a key/passphrase in case I come across an old
> tape.
>
> From: veritas-bu-boun...@mailman.eng.auburn.edu
> [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of David
> Stanaway
> Sent: Monday, March 08, 2010 9:36 PM
> To: veritas-bu@mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> The limitation for the number of 'active' keytags in the keygroup dictates
> that you don't rotate the keys too often. It is pretty easy to cycle the
> keys out of the keygroup and recover them back in if you need, so don't let
> that stifle your desired rotation config. Just make sure you have a bullet
> proof way of making secure redundant hard copies of the keys, and test the
> full lifecycle including restore from recovered key and have it
> comfortable for your backup admins.
>
> On 3/8/2010 6:00 PM, Adams, Dwayne wrote:
> Hello,
>
> I am working on setting up KMS. If you are using KMS in your environment,
> do you rotate keys with your data sets? (Monthly, Yearly???) I have read
> that it is a "Best Practice" to rotate your keys as the data encrypted with
> that key expires.
> Are people really doing this with KMS? It is a tradeoff
> between security and restore complexity. What are Netbackup Admins doing
> in the "Real World"?
>
> Thanks
>
> Dwayne Adams
>
> _______________________________________________
> Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu