Veritas-bu

Re: [Veritas-bu] KMS Key Rotation

2010-03-11 11:17:27
Subject: Re: [Veritas-bu] KMS Key Rotation
From: Justin Piszcz <jpiszcz AT lucidpixels DOT com>
To: judy_hinchcliffe AT administaff DOT com
Date: Thu, 11 Mar 2010 11:17:21 -0500 (EST)
Hi,

You can also recover missing keys from the hashes or from the passwords.

Justin.

On Thu, 11 Mar 2010, judy_hinchcliffe AT administaff DOT com wrote:

> Really really read the chapter on kms
>
> You have to save and protect your passphrases.
>
> You should run the command to list your keys (which shows keytags) and save 
> that with your passphrases.
> If you have all that you should be able to recreate your keys.  (keep in a 
> secure place)
>
> The kms chapter says over and over and over again, to verify you have all the 
> info stored so you can recreate it.
>
> You can also make a backup of your kms files to do a restore.
> You can just backup the file that has the keys in and recover that by using 
> the passphrase for the HMK and KPK.
>
> -----Original Message-----
> From: Harpreet SINGH [mailto:harpreet_singh AT ctl.creative DOT com]
> Sent: Wednesday, March 10, 2010 8:20 PM
> To: Judy Hinchcliffe
> Cc: david AT stanaway DOT net; veritas-bu AT mailman.eng.auburn DOT edu; 
> veritas-bu-bounces AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> Dear All,
>
> Once you have set up the KMS, and assuming you want to restore them, what is
> the necessary info required to restore?
>
> Pool Name ??
> Key Name = ??
> Key Tag ??
> etc
>
> Phase-1 and Phase-2 don't show this info.
>
> From where will we get this info for the restore?
>
> With Warm Regards
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Harpreet Singh Chana
>
> Phone  :   (O) 6895 - 4326
> Fax       :    (O) 6895 - 4991
> =-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> From: judy_hinchcliffe@administaff.com
> Sent by: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> To: david AT stanaway DOT net; veritas-bu AT mailman.eng.auburn DOT edu
> Date: 03/09/2010 11:24 PM
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> I agree with David.  I just started with KMS and the only change I have
> made so far is to deprecate the testing key I was using and put in my
> first production key.  And I only did this after I did all the testing.
> Expire tape, import tape. Expire tape, remove key, failed import. Recover
> key, good import. Remove database, recover database. Remove database,
> rebuild/recover database. Making sure passphrases were secure and making
> sure both my prod site and DR site could read each other's tapes.
>
> I am sure we will be changing keys, where I need to make sure I know the
> start and retire date of a key/passphrase in case I come across an old
> tape.
>
> From: veritas-bu-bounces AT mailman.eng.auburn DOT edu
> [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of David
> Stanaway
> Sent: Monday, March 08, 2010 9:36 PM
> To: veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] KMS Key Rotation
>
> The limitation for the number of 'active' keytags in the keygroup dictates
> that you don't rotate the keys too often. It is pretty easy to cycle the
> keys out of the keygroup and recover them back in if you need, so don't let
> that stifle your desired rotation config. Just make sure you have a bullet
> proof way of making secure redundant hard copies of the keys, and test the
> full lifecycle including restore from recovered key and make sure it is
> comfortable for your backup admins.
>
>
> On 3/8/2010 6:00 PM, Adams, Dwayne wrote:
> Hello,
>
> I am working on setting up KMS.  If you are using KMS in your environment,
> do you rotate keys with your data sets? (Monthly, Yearly???) I have read
> that it is a "Best Practice" to rotate your keys as the data encrypted with
> that key expires.  Are people really doing this with KMS?  It is a tradeoff
> between security and restore complexity.  What are Netbackup Admins doing
> in the "Real World"?
>
> Thanks
>
> Dwayne Adams
>
>
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
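The record-keeping that Judy's and David's replies describe (list the keys so you have the key tags, keep the tags next to the sealed passphrases with each key's start and retire dates, and verify that before you rely on recovery), as an added example that is not from the thread or from NetBackup's own tooling: a parser for a constructed listing in the style of `nbkmsutil -listkeys`, plus a check of an offline register against it. The listing labels, key tags, key names and envelope references are assumptions made for this example.

```python
import re
# Constructed sample approximating `nbkmsutil -listkeys` output (one "Label : value"
# block per key); labels, tags and names are assumptions, not from a real master server.
SAMPLE_LISTKEYS = """\
Key Group Name         : ENCR_pool1
  Key Tag              : a1f3c9e2d4b60718a1f3c9e2d4b60718
  Key Name             : prod_2010q1
  Current State        : Active
  Key Tag              : 5c0d8e9fa7b34621c5c0d8e9fa7b3462
  Key Name             : test_key
  Current State        : Deprecated
  Key Tag              : 9e2b4d6f81a3c5079e2b4d6f81a3c507
  Key Name             : prod_2009
  Current State        : Inactive
"""

# Constructed offline register of what the thread says to keep with each passphrase: a
# pointer to the sealed envelope (never the passphrase itself) plus start/retire dates.
SAMPLE_REGISTER = {
    "a1f3c9e2d4b60718a1f3c9e2d4b60718": {"envelope": "SAFE-A/ENV-07", "start": "2010-03-09", "retire": ""},
    "5c0d8e9fa7b34621c5c0d8e9fa7b3462": {"envelope": "SAFE-A/ENV-03", "start": "2010-02-15", "retire": "2010-03-09"},
}
FIELD = re.compile(r"^\s*(Key Tag|Key Name|Current State)\s*:\s*(.+?)\s*$")

def parse_listkeys(text):
    """One dict per key; a 'Key Tag' line starts a new record, later labels attach to it."""
    keys, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Key Tag":
            current = {"tag": value}
            keys.append(current)
        elif current is not None:
            current[label.lower().replace(" ", "_")] = value
    return keys

def audit_recovery_info(keys, register):
    """Gaps that would block recoverkey (tag + passphrase) or finding the key for an old tape."""
    problems = []
    for k in keys:
        entry = register.get(k["tag"])
        if entry is None:
            problems.append(f"{k['key_name']}: tag not in register, key cannot be recreated")
        elif k["current_state"] != "Active" and not entry["retire"]:
            problems.append(f"{k['key_name']}: retired key has no retire date")
    return problems
```

A register entry whose tag is no longer in the keystore is not flagged, because cycling a key out of the keygroup and recovering it later is exactly the case the register exists for.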
