Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section II. Encryption of data-in-transit
  4. NetBackup CA and NetBackup certificates
  5. About host ID-based certificates
  6. Managing passphrases and passphrase keys for encryption of private key of host ID-based certificates
NetBackup™ Security and Encryption Guide

Managing passphrases and passphrase keys for encryption of private key of host ID-based certificates

Randomly-generated passphrases are used to encrypt and decrypt the private keys of NetBackup host ID-based certificates. Passphrase keys are used to encrypt and decrypt these passphrases. There is one passphrase - passphrase key pair that is used to encrypt and decrypt all the private keys in a keystore. The passphrase that is used to encrypt the private keys is itself encrypted using another passphrase key. The passphrase - passphrase key pair is generated when the first key in the keystore is created and stored.

Using a passphrase key to encrypt passphrases adds an additional layer of security as only those users who have access to the passphrase key can decrypt and access the encrypted passphrases. A passphrase key protects a passphrase from unauthorized access and enables centralized management of passphrases. With easy rotation of passphrases, organizations can maintain the security in their NetBackup environment.

Passphrase rotation is the process of updating the existing passphrases. The process makes the system more secure by ensuring that the compromised private keys or passphrases are updated. Rotating the passphrase also encrypts the private keys that are currently in plain text.

Rotating passphrases is essential to reduce the risk of unauthorized access by limiting the time an attacker can exploit a compromised passphrase. It helps protect against brute-force attacks and mitigates the impact of insider threats. Additionally, regular passphrase rotation is often a requirement for compliance with various security standards and regulatory frameworks that helps organizations maintain a secure and compliant environment.

Advantages of 2-level encryption

Rotation of a passphrase key: This allows to re-encrypt the passphrase with new passphrase key at regular intervals without hampering the ongoing NetBackup operations.

Rotation of passphrase: If the administrators encounter a security threat, they can rotate the passphrase. This creates a new passphrase - passphrase key pair. Re-encrypt all private keys with the new passphrase. All NetBackup services must be stopped before this operation.

Rotating a passphrase

To rotate a passphrase

  1. Stop the NetBackup services.

    Ensure that all NetBackup services are stopped before you proceed.

  2. Run the following command to rotate passphrase:

    nbcertcmd -rotatePassphrase

    Note:

    The default passphrase length is 64 characters.

    Run the following command to specify the passphrase length:

    nbcertcmd -rotatePassphrase -length 1023

    The length ranges from 32 to 1023.

  3. Start the NetBackup services.
Rotating a passphrase key

To rotate the passphrase key

  • Run the following command:

    nbcertcmd -rotatePassphraseKey

Feedback

Was this page helpful?
Previous

Automatic host ID-based certificate deployment

Next

Deploying host ID-based certificates

Feedback

Was this page helpful?