Using Fortanix Data Security Manager with Veritas NetBackup

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Veritas NetBackup so that NetBackup storage is encrypted with keys managed in Fortanix DSM.

NetBackup supports external Key Management Systems (KMS) through the Key Management Interoperability Protocol (KMIP) to perform data-at-rest encryption. By integrating with Fortanix DSM, backup images stored on various storage configurations, such as tape, cloud, Cloud Catalyst, Media Server Deduplication Pool (MSDP), and AdvancedDisk, can be securely encrypted.

This integration ensures secure encryption and centralized management of encryption keys, enhancing the security of stored backup data.

2.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM version 4.13 and above.

  • NetBackup version 8.3, 9.0, and 9.1.

3.0 Prerequisites

Ensure the following:

  • Fortanix DSM version 4.13 or later is installed on the system.

4.0 Architecture Diagram

Figure 1: Architecture Diagram

Integrating Fortanix Data Security Manager (DSM) with Veritas NetBackup allows you to manage encryption keys more effectively. Fortanix DSM acts as an external Key Management Service (KMS), which NetBackup can use to encrypt and decrypt data. This enables encryption for various storage types such as AdvancedDisk, cloud storage, and encrypted tape drives.

NetBackup allows you to prioritize multiple external KMS servers. During encryption or decryption, NetBackup will use the keys from the server with the highest priority. You can adjust these priorities as needed to ensure efficient key management.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the NetBackup server. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.


Figure 2: Logging In

6.0 Create a New Veritas Instance

Perform the following steps:

  1. Log into the Fortanix DSM user interface (UI). On-premises customers use the URL of their own DSM cluster; SaaS customers use the URL for their region, for example https://eu.smartkey.io.

  2. Click the Integrations menu item in the DSM left navigation bar and select the Storage Encryption category.

  3. Click the + button on the Veritas tile to add an instance.

  4. On the Add Instance page, do the following:

    • Add Instance: Enter a title for your instance.

    • Authentication method: Select the API Key radio button.

      • The API Key option authenticates the application with the API Gateway.

      • The Client Certificate option authenticates the application with Fortanix DSM using a Client Certificate. For more information, refer to Section 6.1: Authenticate Using a Client Certificate.

    • Set app secret key size: Select the app secret key size from the available options (in bytes).

  5. Click the SAVE INSTANCE button.  

    Veritas-CreateInstance.png

    Figure 3: Create instance

NOTE

When you create an instance, a new group and a new app are created within Fortanix DSM.

6.1 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 6.0: Create a new Veritas Instance to go to the detailed view of the app. The name of the app starts with ftx_integration_veritas_<instance_name>.

  2. From the top of the app's page, copy the app UUID. It is used in Section 6.2: Generating the Certificate as the Common Name (CN) of the self-signed client certificate; Fortanix DSM maps a client certificate to this app by that CN.

6.2 Generating the Certificate

Perform the following steps to generate a client certificate and private key:

  1. Open a terminal on the NetBackup server (or on any host with OpenSSL, and copy the resulting files to the NetBackup server).

  2. Use OpenSSL to generate a private key and a self-signed client certificate whose CN is the app UUID copied in Section 6.1:

     $ export FORTANIX_APP_UUID=dddfc828-6542-4724-9a1b-fa04c2a02201
     $ openssl req -newkey rsa:2048 -nodes -keyout netbackup.key -x509 -days 365 \
           -out netbackup.crt \
           -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"

     The UUID shown is an example; use the UUID of your own app. The -nodes option leaves netbackup.key unencrypted so that NetBackup can use it unattended; restrict the file's permissions accordingly.
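The following script is added here as an example and is not part of the Fortanix or Veritas documentation. It wraps the OpenSSL command above in a function and adds the checks worth running before the certificate is uploaded: that the value passed is a UUID, that the certificate's CN is exactly the app UUID, that netbackup.key is the private key for netbackup.crt, and that the certificate has not expired. It assumes the openssl CLI is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fortanix or Veritas documentation): generate the
# NetBackup KMIP client certificate with CN = Fortanix DSM app UUID and verify
# it before uploading it to the DSM app and to NetBackup Credential Management.
# Assumes the openssl CLI is on PATH; the file names netbackup.key and
# netbackup.crt are the ones used in the article.

# Reject anything that is not an 8-4-4-4-12 hex UUID: DSM looks the caller up
# by the certificate CN, so a typo here only shows up as a failed handshake later.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# gen_netbackup_client_cert APP_UUID OUTDIR [DAYS]
gen_netbackup_client_cert() {
    uuid=$1; dir=$2; days=${3:-365}
    is_uuid "$uuid" || { echo "not a DSM app UUID: $uuid" >&2; return 1; }
    mkdir -p "$dir"
    # -nodes: unencrypted key, because NetBackup must read it unattended.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/netbackup.key" -out "$dir/netbackup.crt" \
        -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$uuid" \
        2>/dev/null || return 1
    chmod 600 "$dir/netbackup.key"
}

# cert_cn CERTFILE -> prints the CN of the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_client_cert APP_UUID OUTDIR
# Checks: CN equals the app UUID, key and certificate belong together,
# certificate is not expired. Returns non-zero on the first failure.
verify_client_cert() {
    uuid=$1; dir=$2
    cn=$(cert_cn "$dir/netbackup.crt")
    [ "$cn" = "$uuid" ] || { echo "CN '$cn' != app UUID '$uuid'" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$dir/netbackup.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/netbackup.key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || { echo "netbackup.key does not match netbackup.crt" >&2; return 1; }
    openssl x509 -in "$dir/netbackup.crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate is expired" >&2; return 1; }
    echo "ok: CN=$cn, key/cert match, $(openssl x509 -in "$dir/netbackup.crt" -noout -enddate)"
}

# Usage, with the example UUID from the article:
#   gen_netbackup_client_cert dddfc828-6542-4724-9a1b-fa04c2a02201 ./nbcert
#   verify_client_cert dddfc828-6542-4724-9a1b-fa04c2a02201 ./nbcert
```

Run verify_client_cert again shortly before the certificate's notAfter date: the DSM app and the NetBackup credential both hold this certificate, and an expired one stops every backup that needs a key, so renew it on both sides before that date.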

6.3 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 6.0: Create a new Veritas Instance (its name starts with ftx_integration_veritas_<instance_name>). Click the Change authentication method button and select the Certificate option.

  2. Click the SAVE button.

  3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload netbackup.crt, or paste the contents of the certificate generated in Section 6.2.

  4. Select both check boxes to confirm that you understand the consequences of changing the authentication method.

  5. Click the UPDATE button to save the changes.

7.0 Configuration on Veritas Backup

NOTE

In this article, Veritas NetBackup is installed on Windows. For a Linux installation, contact the Fortanix Customer Success Team.

Go to the location where NetBackup is installed on Windows. In this example, NetBackup is installed in the default location, C:\Program Files\Veritas\NetBackup\bin.

NetBackup ships with a command-line tool for external Key Management System (KMS) configuration, nbkmscmd.exe, which is used below to register Fortanix DSM as a KMIP server. Its operations are summarized in the following sections.

7.1 Key Management Service (KMS) Operations

  • -configureKMS - Adds an entry for the KMS configuration in the NetBackup database.

  • -deleteKMSConfig - Deletes the KMS configuration entry from the NetBackup database.

  • -listKMSConfig - Lists the details of the specified KMS configuration in JSON format.

  • -updateKMSConfig - Updates the specified KMS configuration in the NetBackup database.

  • -discoverNBKMS - Discovers whether the NetBackup KMS is configured and running and adds it to NetBackup.

  • -validateKMSConfig - Validates the functionality with the specified KMS configuration and ensures that backup and restore functionality works.

  • -precheckKMSConfig - Performs a dry run of KMS configuration operations to validate the required connections and setup.

7.2 Credentials Management Operations

  • -configureCredential - Adds the KMS configuration credential in the NetBackup database. The credential ID and its credential name are added in the database.

  • -deleteCredential - Deletes the specified KMS configuration credential from the NetBackup database.

  • -listCredential - Lists the details of the specified KMS configuration credential in JSON format. If the credential name or ID is not specified, the credential details for all KMS configurations are listed.

  • -updateCredential - Updates the specified KMS configuration credential.

7.3 Key Management Operations

  • -createKey - Creates an active NetBackup key in the KMS server that is associated with the provided configuration name.
    To create a key, the KMS server must allow NetBackup to create a key and to set NetBackup attributes on that key.
    For NetBackup KMS, if the specified key group name does not exist, the key group is created with the specified algorithm.

  • -listKeys - Lists the NetBackup keys from the specified KMS configuration in JSON format.

7.4 Configuration Steps on Veritas Netbackup

Perform the following steps to configure Veritas NetBackup with Fortanix DSM:

  1. Log into the Veritas NetBackup application.

  2. Navigate to the Access keys menu item in the left navigation menu and create an API key.
    For detailed information, refer to the Add an API Key documentation.

  3. Copy the API key to be used in the steps later.


    Figure 6: Create API key in Veritas

  4. Open a command prompt and log in with bpnbat.exe using the API key from Step 3; nbkmscmd.exe uses this session to authenticate to the NetBackup web services:

    bpnbat.exe -login -loginType APIKEY 
    Master server: netbackup 
    Login Name: netbackup 
    API KEY: ***************************************************** 
    Operation completed successfully.

    NOTE

    The API key is shown in the NetBackup web user interface (UI) only once, at creation time, and cannot be retrieved afterwards; store it securely.

  5. Prepare the following items for creating the credential in NetBackup:

    1. The self-signed certificate (netbackup.crt) with CN set to the app UUID, as uploaded to the Fortanix DSM app in Section 6.3.

    2. The private key for that certificate (netbackup.key).

    3. The Fortanix DSM server certificate chain (CA certificate), which can be exported from the browser while connected to the DSM UI.

      After these items are available, configure the KMS credential either from the NetBackup UI under Credential Management or from the CLI with nbkmscmd.exe -configureCredential (Section 7.2). Note the credential ID; it is required in the next step.

  6. Run the following command to register Fortanix DSM as a KMIP KMS in NetBackup:

    "C:\Program Files\Veritas\NetBackup\bin\nbkmscmd.exe" -configureKMS -name Fortanix -type KMIP -kmsServerName DSM_END_POINT -port 5696 -credId 15ac2687-35aa-40a8-a07a-738a28d04f3f -enabledForBackup 1 -description Fortanix
    The KMS configuration is successfully added in the NetBackup database.

    Where,

    • -name is an arbitrary name for the external KMS configuration, such as Fortanix or FortanixKMS.

    • -type KMIP selects the KMIP protocol.

    • -kmsServerName is the Fortanix DSM endpoint host name, such as eu.smartkey.io.

    • -port 5696 is the standard KMIP port on which Fortanix DSM listens.

    • -credId is the credential ID created in Step 5 in NetBackup Credential Management.

    • -enabledForBackup 1 enables this KMS for new backups (1 means true).

  7. Run the following command to verify that the KMS has been configured:

    "C:\Program Files\Veritas\NetBackup\bin\nbkmscmd.exe" -listKMSConfig
    
    "Data": [
        {
            "Attributes": {
                "Configuration Name": "Fortanix",
                "KMS Type": "KMIP",
                "Description": "Fortanix",
                "Enabled for Backup": true,
                "KMS Server Priority": 0,
                "KMIP Attributes": {
                    "KMS Port": 5696,
                    "KMS Server Name": "DSM_END_POINT",
                    "Credential ID": "15ac2687-35aa-40a8-a07a-738a28d04f3f"
                }
            }
        }
    ]

    Check that "KMS Server Name" is the DSM endpoint host name, "KMS Port" is 5696, and "Credential ID" is the credential created in Step 5.
  8. Run the following command to create a key in Fortanix DSM through the NetBackup CLI:

    nbkmscmd.exe -createKey -name Fortanix -keyName <fortanixtestkey> -keyGroupName <NTBKP_GRP_NAME> -algorithm aes256

    Where,

    • -name is the name of the KMS configuration created in Step 6.

    • <fortanixtestkey> is the name of the key to be created in Fortanix DSM.

    • <NTBKP_GRP_NAME> is the NetBackup key group name.

    NOTE

    If the key creation command hangs, check connectivity from the NetBackup server to the KMIP port (5696) of the Fortanix DSM endpoint. For example:

    nc -v amer.smartkey.io 5696
  9. Run the following command to list the keys:

    nbkmscmd.exe -listKeys -name Fortanix
  10. To rotate the key, run the same -createKey command with a new key name. NetBackup uses the most recently created key in the key group for new backups. Keep the earlier keys enabled in Fortanix DSM for as long as backup images encrypted with them exist, because those images can only be restored with the key that encrypted them.
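The nc check in the note under Step 8 only proves that the TCP port is open. The following script, added here as an example and not part of the Fortanix or Veritas documentation, also completes the TLS handshake with the NetBackup client certificate, so that a failure can be attributed to the network, to an untrusted DSM server chain, or to a client certificate the DSM app does not recognise. It assumes the openssl CLI is on PATH, the three PEM files prepared in Step 5, and the coreutils timeout command where available; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fortanix or Veritas documentation): precheck of
# the KMIP endpoint that goes beyond 'nc -v <endpoint> 5696' by completing the
# TLS handshake with the NetBackup client certificate. Assumes the openssl CLI
# is on PATH. The exit codes are this example's own convention.

# Use the coreutils timeout command when present, so that a silently dropped
# connection (the "stuck" case) is reported as unreachable instead of hanging.
T=""
command -v timeout >/dev/null 2>&1 && T="timeout 10"

# tcp_probe HOST PORT -> 0 if a TCP connection can be opened, 2 otherwise.
# Only connection-level errors count here; a handshake alert means the port
# is open, which is all this stage is meant to establish.
tcp_probe() {
    if out=$(printf '' | $T openssl s_client -connect "$1:$2" 2>&1); then rc=0; else rc=$?; fi
    [ "$rc" -eq 124 ] && return 2          # timeout(1) fired: packets are being dropped
    case "$out" in
        *"connect:errno"*|*"Connection refused"*|*"Connection timed out"*|\
        *"getaddrinfo"*|*"gethostbyname"*|*"Name or service not known"*)
            return 2 ;;
    esac
    return 0
}

# kmip_tls_precheck HOST PORT CA_CHAIN CLIENT_CERT CLIENT_KEY
# 0 handshake completed, 2 unreachable, 3 unreadable file, 4 DSM server chain
# not trusted by CA_CHAIN, 5 DSM closed the handshake (client cert not accepted).
kmip_tls_precheck() {
    host=$1; port=${2:-5696}; ca=$3; crt=$4; key=$5
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 3; }
    done
    tcp_probe "$host" "$port" || {
        echo "FAIL tcp: $host:$port unreachable (firewall, proxy or DNS)" >&2; return 2; }
    # -verify_return_error turns an untrusted server chain into a handshake
    # failure instead of a warning, so it cannot be mistaken for success.
    if out=$(printf '' | $T openssl s_client -connect "$host:$port" -servername "$host" \
                 -CAfile "$ca" -cert "$crt" -key "$key" -verify_return_error 2>&1)
    then rc=0; else rc=$?; fi
    case "$out" in
        *"certificate verify failed"*|*"unable to get local issuer certificate"*)
            echo "FAIL tls: DSM server chain is not trusted by $ca; re-export the DSM CA chain" >&2
            return 4 ;;
    esac
    if [ "$rc" -ne 0 ]; then
        echo "FAIL tls: $host closed the handshake; confirm the certificate with CN=<app UUID> was uploaded to the DSM app" >&2
        printf '%s\n' "$out" | grep -iE 'alert|error' | head -n 3 >&2
        return 5
    fi
    echo "OK: TLS handshake with $host:$port completed; $(printf '%s\n' "$out" | sed -n '/Verify return code/{p;q;}')"
}

# Usage (endpoint from the article, file names from Section 6.2 and Step 5):
#   kmip_tls_precheck amer.smartkey.io 5696 dsm-ca-chain.pem netbackup.crt netbackup.key
```

Exit code 2 points at the network path between the NetBackup server and DSM, 4 at the CA chain exported in Step 5, and 5 at the certificate registered on the DSM app in Section 6.3; only 0 means the -createKey command has a usable channel.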

8.0 Sample Backup Procedure

This section walks through a sample backup to MSDP storage to show the encryption keys in use.

8.1 Create MSDP Storage with Encryption

Perform the following steps to ensure that backups stored in MSDP storage are encrypted:

  1. Select the Enable Encryption and Enable KMS check boxes when creating the storage.

    Figure 7: Select the Check Boxes

  2. Review the summary on the Storage Server Configuration Wizard.

    Figure 8: Review the Summary

  3. Click the Next button to finish the procedure.

For detailed information about the steps for creating the MSDP storage with encryption on your system, refer to the Official Documentation.

8.2 Enable Encryption on Client

Perform the following steps to enable encryption for a NetBackup client:

  1. In the NetBackup Administration Console, navigate to Host Properties → Clients.

  2. Open the client whose backups are to be encrypted.

  3. On the Client Properties window, click the Encryption menu item from the right navigation bar, and do the following:

    1. Encryption permissions: Select the Allowed radio button.

    2. Enable Encryption: Select the check box to enable the encryption.

    3. Client Cipher: Select the required client cipher from the drop down menu. For example, AES-256-CFB.

    4. Click the Apply button to update the changes.

    5. Click the OK button to close the window.

      Figure 9: Create the Encryption

8.3 Create Backup Policy

Create a backup policy using the MSDP storage created in the previous section.

For detailed information, refer to the Creating a Backup Policy documentation.

NOTE

Do not select the Encrypt check box.

Figure 10: Create Backup Policy

8.4 Take Backup

Perform the following steps to take a backup:

  1. In the NetBackup Administration Console, expand NetBackup Management → Policies in the left pane.

  2. Right-click on the policy created in the previous section and select the Run Manual Backup option to start the backup process.

8.5 Verify Key Retrieval

Go to the detailed view of the Fortanix DSM app created in Section 6.0: Create a New Veritas Instance and check its activity log to confirm that the key was retrieved during the backup.

Figure 11: Check the Logs

To see how revoking a key prevents recovery of the backup data, for example after a key compromise, disable the key in the Fortanix DSM UI and restart the NetBackup services: operations that need the key now fail, and the access failures appear in the app's log. Data encrypted with a disabled key cannot be restored until the key is enabled again.

Figure 12: Disable the Key