Using Fortanix Data Security Manager with Veritas NetBackup

1.0 Introduction

This article describes how to use Fortanix Data Security Manager (DSM) to encrypt Veritas NetBackup storage.

2.0 Fortanix Data Security Manager

Fortanix DSM is the world's first cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, and secrets, such as passwords, API keys, tokens, or any blob of data.

3.0 Prerequisites

  • Fortanix DSM version 3.27 or later is installed and operational.

4.0 Setting up the Fortanix Data Security Manager

4.1 Create New Veritas Instance

  1. Sign up at
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the Veritas wizard.
  5. Enter the following details:
    1. Add Instance: This is the name to identify the instance created.
    2. Authentication method:
      • API key: This method authenticates the application with the API Gateway.
      • Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. Refer to Section 4.2.
  6. Select API key as the authentication method.
  7. Click SAVE INSTANCE. Veritas-CreateInstance.png
    Figure 1: Create instance

With creating an instance, a new group and app are created within Fortanix DSM.

4.2 Authenticate Using a Client Certificate

  1. In the Veritas instance table, under the Credentials column, for the instance created, click VIEW CREDENTIALS.
  2. In the "View credentials" dialog box, select the USERNAME/PASSWORD tab and copy the Username (app UUID). CopyUUID.png
    Figure 2: Copy UUID
  3. To generate a client certificate and private key, use OpenSSL, and create a new key+cert with CN=FORTANIX_APP_UUID.
    export FORTANIX_APP_UUID= dddfc828-6542-4724-9a1b-fa04c2a02201

    openssl req -newkey rsa:2048 -nodes -keyout netbackup.key -x509 -days 365 -out netbackup.crt -subj \
    "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
  4. Now, go to the detailed view of the app that the instance automatically created.
  5. In the app's detailed view, click Change the authentication method and select Certificate to change the authentication method to Certificate.
  6. Click SAVE.
  7. In the Add certificate dialog box, copy or upload the  Certificate generated in Step 3 above in the Upload certificate text box and update the authentication method. AppCert.png
    Figure 3: App certificate

5.0 Configuration on Veritas Backup

In this article, Veritas NetBackup is installed on Windows. To install it on Linux, contact the Fortanix Customer Success Team.
  1. Go to the installation location where NetBackup is installed on Windows.
  2. In this example, NetBackup is installed in the default location, that is, C:/Program Files/Veritas/NetBackup/bin
  3. NetBackup comes with in-built KMS Commands. The command nbkmscmd.exe can be configured with Fortanix Key Management Solution.

5.1 Key Management Service (KMS) Operations

  • -configureKMS - Adds an entry for the KMS configuration in the NetBackup database.
  • -deleteKMSConfig - Deletes the KMS configuration entry from the NetBackup database.
  • -listKMSConfig - Lists the details of the specified KMS configuration in JSON format.
  • -updateKMSConfig - Updates the specified KMS configuration in the NetBackup database.
  • -discoverNBKMS - Discovers whether the NetBackup KMS is configured and running and adds it to NetBackup.
  • -validateKMSConfig - Validates the functionality with the specified KMS configuration and ensures that backup and restore functionality works.
  • -precheckKMSConfig - Performs a dry run of KMS configuration operations to validate the required connections and setup.

5.2 Credentials Management Operations

  • -configureCredential - Adds the KMS configuration credential in the NetBackup database. The credential ID and its credential name are added in the database.
  • -deleteCredential - Deletes the specified KMS configuration credential from the NetBackup database.
  • -listCredential - Lists the details of the specified KMS configuration credential in JSON format. If the credential name or ID is not specified, the credential details for all KMS configurations are listed.
  • -updateCredential - Updates the specified KMS configuration credential.

5.3 Key Management Operations

  • -createKey - Creates an active NetBackup key in the KMS server that is associated with the provided configuration name.
    To create a key, the KMS server should allow NetBackup to create a key and set NetBackup attributes on that key.
    For NetBackup KMS, If the specified key-group name does not exist, the key-group is created with the specified algorithm.
  • -listKeys - Lists the NetBackup keys from the specified KMS configuration in JSON format.

5.4 Configuration Steps on Veritas Netbackup

  1. Create the API Key in Veritas NetBackup Security Access Keys. Copy the API key for the next step.Netbackup-API_key.png
    Figure 4: Create API key in Veritas
  2. Log in to NBKMSCMD.EXE from the command prompt. NBKMSCMD.png
    Figure 5: Log in to NBKMSCMD
    The API key can only be retrieved from NetBackup WebUI during API key creation.
  3. For creating the credentials in NetBackup you need the following:
      1. OpenSSL self-signed certificate created with App UUID uploaded in Fortanix DSM App UI.
      2. The private key associated with the certificate.
      3. Fortanix DSM certificate chain (which can be downloaded from the browser).

    After these are available, you can configure KMS credentials from NetBackup UI under Credential Management or from CLI as described here. Ensure to note down the credential ID.

  4. Configure the KMS in Fortanix as shown below: ConfigureKMS.png
    Figure 6: Configure KMS
    • -name: Arbitrary name of the external KMS such as Fortanix, FortanixKMS, and so on.
    • -kmsServerNake: DSM endpoint such as
    • -credId: Credential ID created earlier in NetBackup Credential Management.
    • -enabledForBackup: Set to 1 indicating true.
  5. Verify if the KMS has been configured. KMSVerify.png
    Figure 7: Verify KMS
  6. Create a key with NetBackup CLI in Fortanix DSM.
    nbkmscmd.exe -createKey -name Fortanix –keyName <fortanixtestkey> –keyGroupName <NTBKP_GRP_NAME> –algorithm aes256
    • -name: Name of the KMS configured in Step 4.
    • <fortanixtestkey>: Key Name to be created in Fortanix DSM.
    • <NTBKP_GRP_NAME>: Netbackup Key group name.
    Check KMIP port connectivity to the DSM endpoint if the key creation command gets stuck. For example,
    nc –v 5696
  7. After the command runs successfully, run the following command to list the keys:
    nbkmscmd.exe -listKeys -name Fortanix
  8. For key rotation, run the same command in Step 6 with a new key name. NetBackup will pick the most recently created key from the key group.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful