I agree with David.  I just started with KMS and the only change I have made so far is to depreciated the testing key I was using and put in my first production key.  And I only did this after I did all the testing. Expire tape, import tape. Expire tape, remove key, failed import. Recover key, good import. Remove database, recover database. Remove database, rebuild/recover database. Making sure pass phrase were secure and making sure both my prod site and DR site could read each other’s tapes.

 

I am sure we will be changing keys, where I need to make sure I know the start and retire date of a key/passphrase in case I come across an old tape.

 

 

The limitation for the number of 'active' keytags in the keygroup dictates that you don't rotate they keys too often. It is pretty easy to cycle the keys out of the keygroup and recover them back in if you need, so don't let that stifle your desired rotation config. Just make sure you have a bullet proof way of making secure redundant hard copies of the keys, and test the full lifecycle including restore from recovered key and have its comfortable for your backup admins.


On 3/8/2010 6:00 PM, Adams, Dwayne wrote:

Hello,

 

I am working on setting up KMS.  If you are using KMS in your environment, do you rotate keys with your data sets? (Monthly, Yearly???) I have read that it is a “Best Practice” to rotate your keys as the data encrypted with that key expires.  Are people really doing this with KMS?  It is a tradeoff between security and restore complexity.  What are Netbackup Admins doing in the “Real World”?

 

Thanks

 

Dwayne Adams

_______________________________________________

Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu

http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu