Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. Using the NetBackup Deduplication Shell
  4. Encrypting backups from the deduplication shell
NetBackup™ Deduplication Guide

Encrypting backups from the deduplication shell

To encrypt backups on a WORM or an MSDP storage server, you can configure MSDP encryption with or without the Key Management Service (KMS).

Use the following procedures to configure encryption for your backups from the deduplication shell.

To configure MSDP encryption with KMS

  1. Open an SSH session to the server as the msdpadm user, or for NetBackup Flex Scale, as an appliance administrator.
  2. Run the following command:

    setting encryption enable-kms kms_server=<server> key_group=<key group>

    Where <server> is the host name of the external KMS server and <key group> is the KMS server key group name.

  3. To verify the KMS encryption status, run the setting encryption kms-status command.

To configure MSDP encryption without KMS

  1. Open an SSH session to the server as the msdpadm user, or for NetBackup Flex Scale, as an appliance administrator.
  2. Run the following command:

    setting encryption enable

  3. To verify the MSDP encryption status, run the setting encryption status command.
Converting legacy KMS to Key Encryption Key (KEK)

The convert-legacy-kms command migrates the legacy index-based KMS to KEK-based KMS. This migration unencrypts the SO records using the legacy KMS key and then re-encrypts the SO record using the active KEK.

To rotate keys for KEK encryption:

  • Use the rotate-kektag command to create a new KEK and rotate SO records to the new KEK using the new three-tiered KMS system. In this system, KMS keys now encrypt KEKs which in turn encrypt SOs.

  • The rotate-kms-keys command rotates the KMS keys under the new KMS system. KEKs, which are stored in the KMS proxy database, are unencrypted using the corresponding KMS key and then re-encrypted using the active KMS key.

Feedback

Was this page helpful?
Previous

Managing post-quantum cryptography (PQC) mode from the deduplication shell

Next

Tuning the MSDP configuration from the deduplication shell

Feedback

Was this page helpful?