Veritas-bu

Re: [Veritas-bu] KMS Key Rotation

2010-03-08 22:36:34
Subject: Re: [Veritas-bu] KMS Key Rotation
From: David Stanaway <david AT stanaway DOT net>
To: veritas-bu AT mailman.eng.auburn DOT edu
Date: Mon, 08 Mar 2010 21:35:38 -0600
The limitation for the number of 'active' keytags in the keygroup dictates that you don't rotate the keys too often. It is pretty easy to cycle the keys out of the keygroup and recover them back in if you need to, so don't let that stifle your desired rotation config. Just make sure you have a bulletproof way of making secure redundant hard copies of the keys, and test the full lifecycle, including restore from a recovered key, and have it be comfortable for your backup admins.


On 3/8/2010 6:00 PM, Adams, Dwayne wrote:

Hello,

 

I am working on setting up KMS.  If you are using KMS in your environment, do you rotate keys with your data sets? (Monthly, Yearly???) I have read that it is a “Best Practice” to rotate your keys as the data encrypted with that key expires.  Are people really doing this with KMS?  It is a tradeoff between security and restore complexity.  What are Netbackup Admins doing in the “Real World”?

 

Thanks

 

Dwayne Adams

_______________________________________________ Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
