Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. Appendix C. Encryption Crawler
  4. Updating the KMS configuration
  5. Converting the legacy KMS to KEK-based KMS
NetBackup™ Deduplication Guide

Converting the legacy KMS to KEK-based KMS

NetBackup 10.2 and earlier version use index-based KMS. Data containers written with the legacy index-based KMS can be converted to the current KEK-based KMS using the encryption crawler. This process may run concurrently with the normal NetBackup operations such as backups and restores. Best practice is to perform KMS conversion during a maintenance window. Conversion may take a very long time to complete since it depends on the amount of data that needs to be converted.

To convert the legacy KMS to KEK-based KMS

  1. Reset the encryption crawler if it was used previously.

    /usr/openv/pdde/pdcr/bin/crcontrol --encconvertreset

  2. Run the following command to start the conversion process in MSDP.

    /usr/openv/pdde/pdcr/bin/crcontrol --legacykmsconverton

  3. Monitor the conversion progress.

    /usr/openv/pdde/pdcr/bin/crcontrol --encconvertstate 2

Feedback

Was this page helpful?
Previous

Updating the KMS configuration

Next

Performing the KMS key rotation

Feedback

Was this page helpful?