We have tape encryption setup using KMS on Netbackup 7.5.0.6, The master server is Win2008 R2. I'm looking at the best way to backup KMS.
We plan to keep a paper copy of passphrases and key tag IDs so we can recreate the database entirely from scratch in a DR scenario. But we also want to perform regular backups of the database and host and key protection key files.
We can't backup the database to encrypted tape, because we'd need the keys to decrypt them. However if we back them up to tape using a dedicated media pool without encryption then we might as well not bother with the encryption because the keys would be available if the tapes fell into the wrong hands. Therefore backing them up to tape seems pointless. We first stage our backups to Data Domain, one local and one on a remote site replicating to each other. So regular backups to Data Domain seems the best approach.
Does that seem sensible?
A question about the "nbkmsutil -quiescedb" command. It sets the key database into a read-only state, does that mean that the only actions you can't perform are create or modify keys, key groups etc? I can setup a series of events using our scheduling tool to do the following:
1) run "nbkmsutil -quiescedb"
2) start a backup of the three KMS files to Data Domain
3) When backup completes run "nbkmsutil -noquiescedb"
I'm concerned that the backup may take some time to complete because we often have many backups queued up overnight. But as I understand it the quiescedb command won't affect normal tape writes and reads - it only prevents actual config changes to the keys such as create or modify. So it wouldn't matter if the keys were quiesced for several hours. Am I right?
Thanks