Hi,
You can also recover missing keys from the hashes or from the passwords.
Justin.
On Thu, 11 Mar 2010, judy_hinchcliffe AT administaff DOT com wrote:
> Really really read the chapter on kms
>
> You have to save and protect your passphrases.
>
> You should run the command to list your keys (which shows keytags) and save
> that with your passphrases.
> If you have all that you should be able to recreate your keys. (keep in a
> secure place)
>
> The kms chapter says over and over and over again, to verify you have all the
> info stored so you can recreate it.
>
> You can also make a backup of your kms files to do a restore.
> You can just back up the file that has the keys in it and recover that by using
> the passphrase for the HMK and KPK.
>
> -----Original Message-----
> From: Harpreet SINGH [mailto:harpreet_singh AT ctl.creative DOT com]
> Sent: Wednesday, March 10, 2010 8:20 PM
> To: Judy Hinchcliffe
> Cc: david AT stanaway DOT net; veritas-bu AT mailman.eng.auburn DOT edu;
> veritas-bu-bounces AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> Dear All,
>
> Once you have set up the KMS, and assuming you want to restore them, what is
> the necessary info required to restore?
>
> Pool Name ??
> Key Name = ??
> Key Tag ??
> etc
>
> Phase-1 and Phase-2 don't show this info.
>
> From where will we get this info for the restore?
>
> With Warm Regards
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Harpreet Singh Chana
>
> Phone : (O) 6895 - 4326
> Fax : (O) 6895 - 4991
> =-=-=-=-=-=-=-=-=-=-=-=-=-
>
> From: judy_hinchcliffe AT administaff DOT com
> Sent by: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> Sent: 03/09/2010 11:24 PM
> To: david AT stanaway DOT net, veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> I agree with David. I just started with KMS and the only change I have
> made so far is to deprecate the testing key I was using and put in my
> first production key. And I only did this after I did all the testing.
> Expire tape, import tape. Expire tape, remove key, failed import. Recover
> key, good import. Remove database, recover database. Remove database,
> rebuild/recover database. Making sure pass phrases were secure and making
> sure both my prod site and DR site could read each other's tapes.
>
> I am sure we will be changing keys, where I need to make sure I know the
> start and retire date of a key/passphrase in case I come across an old
> tape.
>
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of David
> Stanaway
> Sent: Monday, March 08, 2010 9:36 PM
> To: veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> The limitation for the number of 'active' keytags in the keygroup dictates
> that you don't rotate the keys too often. It is pretty easy to cycle the
> keys out of the keygroup and recover them back in if you need, so don't let
> that stifle your desired rotation config. Just make sure you have a
> bulletproof way of making secure redundant hard copies of the keys, and test the
> full lifecycle including restore from recovered key and that it is
> comfortable for your backup admins.
>
>
> On 3/8/2010 6:00 PM, Adams, Dwayne wrote:
> Hello,
>
> I am working on setting up KMS. If you are using KMS in your environment,
> do you rotate keys with your data sets? (Monthly, Yearly???) I have read
> that it is a "Best Practice" to rotate your keys as the data encrypted with
> that key expires. Are people really doing this with KMS? It is a tradeoff
> between security and restore complexity. What are Netbackup Admins doing
> in the "Real World"?
>
> Thanks
>
> Dwayne Adams
>
>
> _______________________________________________
> Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu