nbkmsutil

nbkmsutil — run the NetBackup Key Management Service utility

SYNOPSIS

<admin_dir_path>nbkmsutil [-createkey] [-createkg] [-deletekey] [-deletekg] [-gethmkid] [-getkpkid] [-ksstats] [-listkeys] [-listkgs] [-modifyhmk] [-modifykey] [-modifykg] [-modifykpk] [-quiescedb] [-recoverkey] [-unquiescedb]

<admin_dir_path>nbkmsutil -createkey [ -nopphrase ] -kgname key_group_name -keyname key_name [ -activate ] [ -desc description ]

<admin_dir_path>nbkmsutil -createkg -kgname key_group_name [ -cipher type ] [ -desc description ]

<admin_dir_path>nbkmsutil -deletekey -keyname key_name -kgname key_group_name

<admin_dir_path>nbkmsutil -deletekg -kgname key_group_name

<admin_dir_path>nbkmsutil -gethmkid

<admin_dir_path>nbkmsutil -getkpkid

<admin_dir_path>nbkmsutil -ksstats [-noverbose]

<admin_dir_path>nbkmsutil -listkeys -kgname key_group_name [ -keyname key_name | -activekey ] [ -verbose ]

<admin_dir_path>nbkmsutil -listkgs [ -kgname key_group_name | -cipher type | -emptykgs | -noactive ] [ -verbose ]

<admin_dir_path>nbkmsutil -modifyhmk [ -nopphrase ]

<admin_dir_path>nbkmsutil -modifykey -keyname key_name -kgname key_group_name [ -state new_state | -activate ] [ -name new_keyname ] [ -desc new_description ]

<admin_dir_path>nbkmsutil -modifykg -kgname key_group_name [ -name new_key_group_name ] [ -desc new_description ]

<admin_dir_path>nbkmsutil -modifykpk [ -nopphrase ]

<admin_dir_path>nbkmsutil -quiescedb

<admin_dir_path>nbkmsutil -recoverkey -keyname key_name -kgname key_group_name -tag key_tag [ -desc description ]

<admin_dir_path>nbkmsutil -unquiescedb

On Windows systems, <admin_dir_path> is <install_path>\NetBackup\bin\admincmd\

DESCRIPTION

The nbkmsutil command performs the following operations:

-createkey

Create a new key. The default state of the new key is Prelive.

-createkg

Create a new key group. The default cipher of the new key group is AES_256.

-deletekey

Delete a key. Only keys in Prelive and Terminated states can be deleted.

-deletekg

Delete a key group. Only empty key groups can be deleted.

-gethmkid

Returns the current HMK ID.

-getkpkid

Returns the current KPK ID.

-ksstats

Returns the keystore statistics. The statistics consist of the number of key groups, the total number of keys, and the outstanding quiesce calls.

-listkeys

Get the details of keys.

-listkgs

Get the details of the key groups. If no option is specified, retrieve the details of all the key groups.

-modifyhmk

Modify the host master key (HMK). The HMK is used to encrypt the keystore. To modify the HMK, provide an optional seed (passphrase) and an HMK ID that can remind the user of the specified passphrase. The passphrase and the HMK ID are both read interactively.

-modifykey

Modify key attributes.

-modifykg

Modify key group attributes.

-modifykpk

Modify the key protection key (KPK). The KPK is used to encrypt KMS keys. There is one KPK per keystore. To modify the KPK, provide an optional seed (passphrase) and a KPK ID that can remind the user of the specified passphrase. The passphrase and the KPK ID are both read interactively.

-quiescedb

Sends a quiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned (multiple backup jobs might quiesce the KMS database at the same time in order to back it up).

-recoverkey

A restore can fail if a key that was used to encrypt the backup data is lost. Such keys can be recovered (re-created) with knowledge of the original key's attributes (tag and passphrase).

-unquiescedb

Sends an unquiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned. A count of zero (0) means that the KMS database is completely unquiesced.

OPTIONS

The nbkmsutil command uses the following options:

-activate

Sets the state of the specified key to Active. The default state is Prelive.

-activekey

Retrieves the details of a specific key group's active key.

-cipher

The type of cipher that the key group supports. All keys that belong to a key group support the same cipher type. Supported cipher types are BLOW, AES_128, AES_192, and AES_256 (default cipher).

-emptykgs

Retrieves the details of all the key groups that contain no keys.

-keyname

key_name specifies the name of a key. This name must be unique within a key group. The key group name and key name together uniquely identify a key in the keystore.

-kgname

key_group_name specifies the name of a key group. Within a keystore, a key group is uniquely identified by its name.

-name

Specifies the new name of the key group when used with -modifykg, or the new name of the key when used with -modifykey. The new name must not conflict with other names in the keystore.

-noactive

Retrieves the details of all the key groups in which there are no active keys.

-nopphrase

Disables the prompt for a passphrase; the utility generates the key without one. By default, the utility prompts for a passphrase and uses it as the seed when it creates the key. A long, strong seed results in a strong key.

-noverbose

Disables verbosity. The default condition is verbosity, which prints the details in readable format.

-state

new_state specifies the new state of the key. Possible states are Prelive, Active, Inactive, Deprecated, and Terminated.

Key states can be changed only in the following ways:

  • Prelive to Active

  • Transition between Active and Inactive

  • Transition between Inactive and Deprecated

  • Transition between Deprecated and Terminated
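The state rules above, together with the -deletekey restriction, are easy to get wrong in automation. The following shell functions are an added example (not part of the nbkmsutil man page) that encode those rules so a script can refuse an illegal change before it invokes nbkmsutil; the function names are ours, the state names and rules are the page's, and ADMIN_DIR stands for <admin_dir_path>.

```shell
# Added example, not part of the nbkmsutil man page: pre-flight checks that
# encode the key state rules documented under -state and -deletekey, so a
# script can refuse an illegal change before it ever calls nbkmsutil.
# Function names are ours; state names and rules are the page's.

# kms_transition_allowed FROM TO: succeeds only for a permitted state change.
# Transitions listed as "between" are allowed in both directions.
kms_transition_allowed() {
    case "$1:$2" in
        Prelive:Active)                              return 0 ;;
        Active:Inactive|Inactive:Active)             return 0 ;;
        Inactive:Deprecated|Deprecated:Inactive)     return 0 ;;
        Deprecated:Terminated|Terminated:Deprecated) return 0 ;;
        *)                                           return 1 ;;
    esac
}

# kms_key_deletable STATE: -deletekey only accepts Prelive and Terminated keys.
kms_key_deletable() {
    case "$1" in
        Prelive|Terminated) return 0 ;;
        *)                  return 1 ;;
    esac
}

# kms_modifykey_cmd KGNAME KEYNAME FROM TO: prints the -modifykey command line
# for a legal transition, or fails with a diagnostic. ADMIN_DIR must hold
# <admin_dir_path> (including its trailing separator); it is not defaulted
# because only the Windows path is given on this page.
kms_modifykey_cmd() {
    kms_transition_allowed "$3" "$4" || {
        echo "refused: $3 -> $4 is not a permitted key state change" >&2
        return 1
    }
    printf '%snbkmsutil -modifykey -kgname %s -keyname %s -state %s\n' \
        "${ADMIN_DIR:?set ADMIN_DIR to <admin_dir_path>}" "$1" "$2" "$4"
}
```

Pipe the printed command into the shell (or run it with eval) only after the check succeeds; a refused transition prints nothing on stdout.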

-tag

key_tag specifies a random unique identifier that the utility creates for the key record. The -listkeys operation can display this tag. If you need to recover (re-create) the key record, you must supply the original tag value, which is why -recoverkey requires the -tag option.