The KMS database only needs to be unquiesced (active) while changes are being made to it, such as adding or deleting key groups and keys. Because this article describes best practice, it quiesces the KMS database before the KMS files are copied and unquiesces it again afterwards.
Product: NetBackup

Problem

It is sometimes necessary for customers to create copies of some or all of their encryption keys for use in a different NetBackup domain. For encrypting backups, a customer must configure identical names for both a tape volume pool and a KMS key group, and both names must carry the ENCR prefix.
The volume pool is not taken into account for restore operations. This means that when KMS files and encrypted tapes are provided to a remote site at which only restores are to be performed, the name of the volume pool into which the tapes are added is immaterial. If backups are to be performed using those keys, the volume pool name must match the key group name.
Alternatively, the customer can modify the key group name with the nbkmsutil -modifykg command so that it matches the volume pool name at the remote site.
The only requirement is that both names must be identical and have an ENCR prefix. The state of any keys e. When KMS files and tapes are provided to a remote site, either the NetBackup catalog must be provided to the remote master server or the tapes must be imported.
A phase one import of the tapes shows which images are on each tape and can be performed without the encryption keys being available, because the metadata read from the tapes during a phase one import is not encrypted. A phase two import, which generates the.

Use the nbkmsutil -quiescedb command to quiesce the KMS database. Use the nbkmsutil -unquiescedb command to unquiesce the KMS database.
Provide the copy of the KMS files made in Step 2 to the remote site, and install the KMS files in the appropriate directories on the master server at the remote site.

Note: Keys must be in the prelive or terminated state before they can be deleted (which you will do in Step 4), so it will be necessary to use the nbkmsutil -modifykey command to change the state of active or inactive keys first.

Use the nbkmsutil -deletekey command to delete the unwanted keys (those of other customers) from the KMS database. Use the nbkmsutil -deletekg command to delete the unwanted key groups from the KMS database (a key group must be empty of keys before it can be deleted).
Provide the copy of the KMS files made in Step 6 to the remote site.

Note: Keys must be in the prelive or terminated state before they can be deleted (which you will do in Step 5), so it will be necessary to use the nbkmsutil -modifykey command to change the state of active or inactive keys first. Use the nbkmsutil -listkeys command to obtain the list of keys you will need to delete.
Provide the copy of the KMS files made in Step 9 to the third party and tell them to install the files in the appropriate directories on their master server.

A key that was generated using a random number cannot be added to another KMS database; only a key created from a pass phrase can be re-created elsewhere. Use the nbkmsutil -listkeys command to obtain the key name, key group name and key tag for each key you want to add at the remote site. Provide the remote site with the key name, key group name, key tag and pass phrase for each such encryption key.
Use the nbkmsutil -recoverkey command at the remote site to create each key in the KMS database there. Recovered keys are set to the inactive state (usable for restores but not for backups), so you will need to use the nbkmsutil -modifykey command to change the state to active if you want to use the key for backups.
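The trimming and re-creation steps above, as an added example that is not Veritas code: a Python helper that parses a constructed sample shaped like nbkmsutil -listkeys output and returns the nbkmsutil command lines for removing every key group that belongs to other customers from a copied KMS database, and for re-creating pass-phrase keys at the remote site. The field labels in the sample, the state sequence prelive/active/inactive/deprecated/terminated used to reach a deletable state, and the option spellings (-modifykey -state, -deletekey, -deletekg, -recoverkey -tag) are assumptions to check against the nbkmsutil documentation for your NetBackup version; the script only prints commands and never runs them.

```python
"""Plan nbkmsutil commands for handing a subset of NetBackup KMS keys to another domain.

Added example, not Veritas code. It parses a constructed sample shaped like
`nbkmsutil -listkeys` output (field labels assumed; check them against your
NetBackup version) and returns the command lines the article's steps require.
Nothing here executes nbkmsutil.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed order of key states for nbkmsutil -modifykey -state. The article only
# says that a key must be prelive or terminated before -deletekey accepts it.
STATE_CHAIN = ["prelive", "active", "inactive", "deprecated", "terminated"]
DELETABLE = {"prelive", "terminated"}
FIELD = re.compile(r"^\s*(Key Group Name|Key Tag|Key Name|Current State)\s*:\s*(\S.*?)\s*$")

# Constructed sample: two customers' key groups in one (copied) KMS database.
SAMPLE_LISTKEYS = """\
Key Group Name        : ENCR_custA
Supported Cipher      : AES_256

  Key Tag               : 3f9c2a7e1b0d4c55
  Key Name              : custA_key1
  Current State         : Active

Key Group Name        : ENCR_custB
Supported Cipher      : AES_256

  Key Tag               : 8a11f0e3c9b27d64
  Key Name              : custB_key1
  Current State         : Active

  Key Tag               : 5d0e9b3a7c21f8e6
  Key Name              : custB_old
  Current State         : Prelive
"""


@dataclass
class Key:
    group: str
    name: str
    tag: str
    state: str


def parse_listkeys(text: str) -> list[Key]:
    """Collect one Key per key block; the 'Current State' line closes a block."""
    keys, group, cur = [], None, {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Key Group Name":
            group = value
        elif label == "Current State":
            state = value.lower()
            if state not in STATE_CHAIN:
                raise ValueError(f"unknown key state {value!r}")
            keys.append(Key(group, cur["Key Name"], cur["Key Tag"], state))
            cur = {}
        else:
            cur[label] = value
    return keys


def names_usable_for_backups(volume_pool: str, key_group: str) -> bool:
    """Backups need identical pool and key group names carrying the ENCR_ prefix;
    restores ignore the volume pool, so only the backup path needs this check."""
    return volume_pool == key_group and key_group.startswith("ENCR_")


def plan_trim(keys: list[Key], keep_groups: set[str]) -> list[str]:
    """Remove every key group not in keep_groups: move each key to a deletable
    state, delete it, then delete the emptied group (-deletekg needs it empty)."""
    cmds, doomed = [], []
    for k in keys:
        if k.group in keep_groups:
            continue
        if k.group not in doomed:
            doomed.append(k.group)
        if k.state not in DELETABLE:
            for s in STATE_CHAIN[STATE_CHAIN.index(k.state) + 1:]:
                cmds.append(f"nbkmsutil -modifykey -keyname {k.name} -kgname {k.group} -state {s}")
        cmds.append(f"nbkmsutil -deletekey -keyname {k.name} -kgname {k.group}")
    cmds.extend(f"nbkmsutil -deletekg -kgname {g}" for g in doomed)
    return cmds


def plan_recover(keys: list[Key], groups: set[str], for_backups: bool) -> list[str]:
    """Remote-site commands to re-create pass-phrase keys. -recoverkey prompts for
    the pass phrase and leaves the key inactive (restores only), so activate it
    when the remote site will also run backups with it."""
    cmds = []
    for k in keys:
        if k.group in groups:
            cmds.append(f"nbkmsutil -recoverkey -keyname {k.name} -kgname {k.group} -tag {k.tag}")
            if for_backups:
                cmds.append(f"nbkmsutil -modifykey -keyname {k.name} -kgname {k.group} -state active")
    return cmds


if __name__ == "__main__":
    keys = parse_listkeys(SAMPLE_LISTKEYS)
    print("\n".join(plan_trim(keys, {"ENCR_custA"})))
    print("\n".join(plan_recover(keys, {"ENCR_custA"}, for_backups=True)))
```

Run the trim plan on a copy of the KMS files on a scratch master server, never on the production database, and take a fresh quiesced copy once the unwanted groups are gone.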
After you create a symmetric customer master key (CMK) with no key material, you download a public key and an import token for that CMK. You need these items to import your key material. You also download these items when you want to reimport key material into a CMK.
You might do this to manually rotate the key material, to change the expiration time for the key material, or to restore a CMK after the key material has expired or been deleted. You must first encrypt the key material with the public key that you download in this step and then upload the encrypted key material to AWS KMS. The import token contains metadata to ensure that your key material is imported correctly.
When you upload your encrypted key material to AWS KMS, you must upload the same import token that you downloaded in this step. To protect your key material during import, you encrypt it using a wrapping key and wrapping algorithm. Typically, you choose an algorithm that is supported by the hardware security module (HSM) or key management system that protects your key material. These choices are listed in order of AWS preference. The technical details of the schemes represented by these choices are explained in section 7 of PKCS #1 Version 2.
For information about how to encrypt your key material, see the documentation for the HSM or key management system that protects your key material. The public key and import token are valid for 24 hours. If you don't use them to import key material within 24 hours of downloading them, you must download new ones. In the console, an Origin value of EXTERNAL indicates that the CMK was created with no key material.
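The wrapping step described above, as an added example that is not AWS code: a Python routine that encrypts 256-bit key material under the KMS wrapping public key with RSAES_OAEP_SHA_256 (one of the wrapping algorithms KMS accepts; choosing it is an assumption of this example), and a check on the 24-hour validity window. Because the real public key and import token come from the GetParametersForImport API, the example generates a local RSA key pair to stand in for the KMS public key so it can be verified offline by unwrapping with the matching private key, which in production only the KMS HSMs hold. The boto3 calls are shown in a comment and are not executed; the `cryptography` package is required.

```python
"""Wrap key material for AWS KMS ImportKeyMaterial using RSAES_OAEP_SHA_256.

Added example, not AWS code. In production the wrapping public key and the
import token come from GetParametersForImport; here a locally generated RSA key
pair stands in for that public key so the wrap can be checked offline by
unwrapping with the matching private key, which in production only the KMS HSMs
hold. Requires the `cryptography` package.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

TOKEN_LIFETIME = timedelta(hours=24)  # public key and import token expire together


def oaep_sha256() -> padding.OAEP:
    """RSAES_OAEP_SHA_256: SHA-256 for both the OAEP hash and the MGF1 mask
    generation function, no label. Pairing SHA-256 with an MGF1 that still uses
    SHA-1 is the usual way this wrap comes out wrong and is rejected by KMS."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def wrap_key_material(public_key_der: bytes, key_material: bytes) -> bytes:
    """Encrypt raw key material under the wrapping public key (DER-encoded
    SubjectPublicKeyInfo, the form GetParametersForImport returns in PublicKey).
    A symmetric CMK takes exactly 256 bits of key material."""
    if len(key_material) != 32:
        raise ValueError("symmetric CMK key material must be 32 bytes")
    public_key = serialization.load_der_public_key(public_key_der)
    return public_key.encrypt(key_material, oaep_sha256())


def import_params_still_valid(valid_to: datetime, now: datetime | None = None) -> bool:
    """GetParametersForImport reports ParametersValidTo; once it has passed, both
    the public key and the import token must be downloaded again."""
    return (now or datetime.now(timezone.utc)) < valid_to


def simulated_import(key_material: bytes):
    """Offline stand-in for the round trip: returns (wrapped material, what the
    HSM would unwrap, the ParametersValidTo a real response would carry)."""
    hsm_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_der = hsm_private.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    valid_to = datetime.now(timezone.utc) + TOKEN_LIFETIME
    wrapped = wrap_key_material(public_der, key_material)
    return wrapped, hsm_private.decrypt(wrapped, oaep_sha256()), valid_to


# The same step against the real service with boto3 (not run here):
#   p = kms.get_parameters_for_import(KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256",
#                                     WrappingKeySpec="RSA_2048")
#   wrapped = wrap_key_material(p["PublicKey"], key_material)
#   kms.import_key_material(KeyId=key_id, ImportToken=p["ImportToken"],
#                           EncryptedKeyMaterial=wrapped,
#                           ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
```

The key material itself should be produced inside, and wrapped by, the HSM or key manager that will keep the authoritative copy; this code is the wrap step an application performs when that system hands it only the raw bytes.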
To add the Origin column to your table, in the upper-right corner of the page, choose the settings icon.

You define permissions that control the use of your keys to access encrypted data across a wide range of AWS services and in your own applications.
Avoid the need to build secure systems and to manage complex processes to protect your keys. Expand your use of encryption to protect your data. AWS KMS is integrated with AWS services to provide a control point to define and enforce access controls consistently across compute instances, databases, storage environments and tools such as data analytics and machine learning.
Avoid risk and complexity as you build encryption into your own systems. AWS manages the security controls required to protect your keys from unauthorized physical access. You manage the access policies and lifecycle of keys to protect them from unauthorized logical access. Your keys are protected by government-approved hardware security modules (HSMs). Once created, your master keys can only be used inside those HSMs.
There are no mechanisms for anyone, including service operators, to export or view your keys.
AWS Key Management Service
You can track and verify all attempts to use or manage your keys, including encrypt and decrypt operations and changes that modify permissions. Logging API requests helps you manage risk, meet compliance requirements, and conduct forensic analysis. You are only charged when you use or manage your keys, and you only pay to store keys that you create.

A customer master key (CMK) is a logical representation of a master key.
The CMK also contains the key material used to encrypt and decrypt data. A symmetric CMK represents a 256-bit key that is used for encryption and decryption. An asymmetric CMK represents an RSA key pair that is used for encryption and decryption or for signing and verification (but not both), or an elliptic curve (ECC) key pair that is used for signing and verification.
For detailed information about symmetric and asymmetric CMKs, see Using symmetric and asymmetric keys. Unlike data keys, the key material of a CMK never leaves AWS KMS unencrypted: you cannot extract, export, view, or manage this key material. Also, you cannot delete this key material; you must delete the CMK. For information about creating and managing CMKs, see Getting started.
For detailed information about the encryption options that an AWS service offers, see the Encryption at Rest topic in the user guide or the developer guide for the service.
You have full control over customer managed CMKs, including establishing and maintaining their key policies, IAM policies, and grants; enabling and disabling them; rotating their cryptographic material; adding tags; creating aliases that refer to the CMK; and scheduling the CMKs for deletion.
Customer managed CMKs incur a monthly fee and a fee for use in excess of the free tier. AWS managed CMKs are created in your account on your behalf by the AWS services that use them. You cannot manage these CMKs, rotate them, or change their key policies, and you cannot use AWS managed CMKs in cryptographic operations directly; the service that creates them uses them on your behalf. They can be subject to fees for use in excess of the free tier, but some AWS services cover these costs for you. For details, see the Encryption at Rest topic in the user guide or developer guide for the service.
When AWS managed CMKs are used on behalf of a principal in your account, they count against request quotas. AWS owned CMKs, which are owned and managed by an AWS service rather than by your account, you cannot view, use, track, or audit.

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys. To create a data key, call the GenerateDataKey operation. The operation returns a plaintext copy of the data key and a copy of the data key encrypted under the CMK. The following image shows this operation. After using the plaintext data key to encrypt data, remove it from memory as soon as possible.
You can safely store the encrypted data key with the encrypted data so it is available to decrypt the data. To decrypt your data, pass the encrypted data key to the Decrypt operation.
Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible. The following diagram shows how to use the Decrypt operation to decrypt an encrypted data key. Data key pairs are asymmetric data keys that consist of a mathematically related public key and private key.
They are designed to be used for client-side encryption and decryption or signing and verification outside of AWS KMS. AWS KMS generates the pair for you but does not store, manage, or track your data key pairs, or perform cryptographic operations with them.

You can verify the AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves.
You are not billed for any of these keys that exist in your account. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
If you want full control over the management of your keys, including the ability to share access across accounts or services, you can create your own master keys in KMS. You can also use the master keys that you create in KMS directly within your own applications.
These are known as customer master keys, or CMKs. These master keys are generated and protected by government-approved hardware security modules (HSMs) and are only ever used in plaintext within those modules. Visit the Getting Started page to learn more.
You can submit data directly to KMS to be encrypted or decrypted using these master keys. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data under which conditions. Alternatively, with envelope encryption, KMS generates data keys which are used to encrypt data and are themselves encrypted using your master keys in KMS.
Data keys are not retained or managed by KMS. AWS services encrypt your data and store an encrypted copy of the data key along with the data it protects. When you ask an AWS service to decrypt your data, it requests KMS on your behalf to first decrypt the data key using the correct master key.
If the user requesting data from the AWS service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data. All requests to use your master keys are logged in AWS CloudTrail so you can understand who used which master key under which conditions.
When an AWS service encrypts data on your behalf, the data is encrypted using data keys that are protected by your master keys in KMS. In some cases data is encrypted by default using keys that are stored in KMS but owned and managed by the AWS service. In other cases the master keys are owned and managed by you within your account. Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf.
Q: Why use envelope encryption? Envelope encryption reduces network load, since only the request for and delivery of the much smaller data key go over the network. The data key is used locally in your application or in the encrypting AWS service, avoiding the need to send the entire block of data to KMS and incur network latency.

You have the option of specifying a specific customer master key (CMK) to use when you want an AWS service to encrypt data on your behalf. These are known as customer managed CMKs and you have full control over them.

Create and view symmetric and asymmetric CMKs and edit their properties. Create and view access control policies and grants for your CMKs. Enable and disable automatic rotation of the cryptographic material in a CMK. Tag your CMKs for easier identification, categorizing, and tracking use and costs. Create, delete, list, and update aliases, which are friendly names for your CMKs.
You can also perform the following cryptographic operations with your CMKs. By using CloudTrail you can monitor and investigate how and when your master keys have been used and by whom. AWS Key Management Service is backed by a service level agreement that defines our service availability policy.
AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services.
If you are responsible for securing your data across AWS services, you should use it to centrally manage the encryption keys that control access to your data. The easiest way to get started with the service is to encrypt your data within supported AWS services using AWS managed master keys that are automatically created in your account for each service.
Availability is listed on our global Products and Services by Region page. You can perform the following key management functions:
Q: Why should I create my own customer master keys? You define the access control and usage policy for each key, and you can grant permissions to other accounts and services to use them. You can define an alias and description for the key and opt in to have the key automatically rotated once per year if it was generated by AWS KMS. You also define all the permissions on the key to control who can use or manage the key.
You can import a copy of your key from your own key management infrastructure to AWS KMS and use it with any integrated AWS service or from within your own applications. Q: When would I use an imported key? You can use an imported key to get greater control over the creation, lifecycle management, and durability of your key in AWS KMS.
Imported keys are designed to help you meet your compliance requirements which may include the ability to generate or maintain a secure copy of the key in your infrastructure, and the ability to immediately delete the imported copy of the key from AWS infrastructure.
There are two main differences:

Q: Can I rotate my keys? AWS KMS automatically keeps previous versions of keys to use for decryption of data encrypted under an old version of a key.
If you manually rotate imported or custom key store keys, you may have to re-encrypt your data, depending on whether you decide to keep old versions of the keys available. You can schedule a customer master key and its associated metadata that you created in AWS KMS for deletion, with a configurable waiting period from 7 to 30 days. This waiting period allows you to verify the impact of deleting a key on the applications and users that depend on it.
The default waiting period is 30 days. You can cancel key deletion during the waiting period.
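The GenerateDataKey / Decrypt flow and the "Why use envelope encryption?" answer above, together with the rotation answer, as one added example that is not AWS or SDK code. The service side is a small in-process stand-in (FakeKms) so the whole exchange runs offline; its policy dictionary plays the key policy and its trail list plays CloudTrail. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, built from the standard library in place of the AES-256-GCM that KMS and the AWS SDKs use, and the wrapped-key blob layout (version, nonce, ciphertext, tag) is invented for the example.

```python
"""Envelope encryption and key rotation against a stand-in for AWS KMS.

Added example, not AWS code. In production the calls below map to the
GenerateDataKey and Decrypt API operations; here an in-process FakeKms plays the
service so the flow runs offline. The symmetric cipher is an HMAC-SHA256
counter-mode keystream with an encrypt-then-MAC tag, built from the standard
library as a stand-in for the AES-256-GCM that KMS and the AWS SDKs use.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

NONCE, TAG = 16, 32


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    if len(blob) < NONCE + TAG:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")  # verified before any decryption
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


@dataclass
class FakeKms:
    """Service side. CMK versions never leave this object; callers only see data
    keys. `policy` stands in for the key policy, `trail` for CloudTrail."""
    policy: dict
    versions: list = field(default_factory=lambda: [secrets.token_bytes(32)])
    trail: list = field(default_factory=list)

    def rotate(self) -> None:
        """New backing key for new data keys; old versions are kept so ciphertext
        produced under them still decrypts (what KMS does on automatic rotation)."""
        self.versions.append(secrets.token_bytes(32))

    def _authorize(self, principal: str, action: str) -> None:
        ok = action in self.policy.get(principal, set())
        self.trail.append((principal, action, "Success" if ok else "AccessDenied"))
        if not ok:
            raise PermissionError(f"{principal} is not allowed {action}")

    def generate_data_key(self, principal: str):
        """Returns (plaintext data key, data key wrapped under the current version)."""
        self._authorize(principal, "kms:GenerateDataKey")
        ver = len(self.versions) - 1
        dk = secrets.token_bytes(32)
        return dk, ver.to_bytes(2, "big") + seal(self.versions[ver], dk)

    def decrypt(self, principal: str, wrapped: bytes) -> bytes:
        """The version prefix selects the backing key, so rotation is transparent."""
        self._authorize(principal, "kms:Decrypt")
        return unseal(self.versions[int.from_bytes(wrapped[:2], "big")], wrapped[2:])


def encrypt_object(kms: FakeKms, principal: str, data: bytes) -> bytes:
    """Client side of the envelope: only the data key crosses to KMS, never `data`.
    The wrapped key is stored in front of the ciphertext it protects."""
    dk, wrapped = kms.generate_data_key(principal)
    try:
        body = seal(dk, data)
    finally:
        del dk  # drop the plaintext key promptly (Python cannot guarantee a wipe)
    return len(wrapped).to_bytes(2, "big") + wrapped + body


def decrypt_object(kms: FakeKms, principal: str, stored: bytes) -> bytes:
    n = int.from_bytes(stored[:2], "big")
    dk = kms.decrypt(principal, stored[2:2 + n])
    try:
        return unseal(dk, stored[2 + n:])
    finally:
        del dk


if __name__ == "__main__":
    kms = FakeKms(policy={"app": {"kms:GenerateDataKey", "kms:Decrypt"}})
    blob = encrypt_object(kms, "app", b"constructed payload " * 1000)
    kms.rotate()
    print(decrypt_object(kms, "app", blob)[:20], kms.trail)
```

Because each wrapped key records the CMK version it was produced under, rotating the CMK never forces existing objects to be re-encrypted; that is the behaviour the rotation answer describes for keys KMS generates, and it is what you lose with imported or custom-key-store keys that you rotate by hand. The trail also shows why every Decrypt call is worth logging: an object's ciphertext is useless without a successful Decrypt of its wrapped key under the key policy.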