The Distributed Network Encryption (DNE) Key Manager has its own backup and restore procedure. When you back up or restore the NSX Manager, the DNE Key Manager is not included.

Back Up the DNE Key Manager

To back up the DNE Key Manager, run the following CLI command:

    backup node file <filename> [passphrase <passphrase>]

If you do not provide a passphrase to encrypt the file, you will be prompted for it. As a safeguard, you can copy the backup file to a remote location with the following CLI command:

    copy file <filename> url <url>

Restore the DNE Key Manager

Before restoring, make sure that no DNE Key Manager is attached to the NSX Manager. Make the following API call to get the ID of the current DNE Key Manager:

    GET https://<nsx-mgr>/api/v1/network-encryption/key-managers

If an ID is returned, make the following API call to delete the DNE Key Manager:

    DELETE https://<nsx-mgr>/api/v1/network-encryption/key-managers/<key-manager-id>

Run the following CLI command to perform the restore:

    restore node file <filename> [passphrase <passphrase>]

The passphrase should be the one that was used when the backup command was run. You will be prompted to rotate all key policies and join the newly restored DNE Key Manager to the management plane. For more information, see "Join DNE Key Manager with the Management Plane" in the NSX-T Installation Guide.
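The pre-restore check described above (list the attached DNE Key Manager, delete it, confirm nothing is attached before running the restore command) can be scripted as follows. This is an added example, not VMware's code. It assumes the GET response uses the list shape `{"results": [{"id": ...}]}` and that the API accepts HTTP basic authentication; the function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote

API_PATH = "/api/v1/network-encryption/key-managers"  # endpoint from the text above


def key_manager_ids(body):
    """IDs in a GET response body. Assumed shape: {"results": [{"id": "..."}]}."""
    data = json.loads(body) if body and body.strip() else {}
    return [item["id"] for item in data.get("results", []) if item.get("id")]


def prepare_for_restore(nsx_mgr, send):
    """Delete every attached key manager, then confirm none remain.

    send(method, url) -> response body as str. Returns the deleted IDs and
    raises RuntimeError if a key manager is still attached afterwards.
    """
    base = f"https://{nsx_mgr}{API_PATH}"
    deleted = []
    for km_id in key_manager_ids(send("GET", base)):
        send("DELETE", f"{base}/{quote(km_id, safe='')}")
        deleted.append(km_id)
    remaining = key_manager_ids(send("GET", base))  # re-check before restoring
    if remaining:
        raise RuntimeError(f"still attached, do not restore yet: {remaining}")
    return deleted


def https_sender(user, password, cafile=None):
    """Transport for a live NSX Manager: basic auth (assumed), TLS verification on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url):
        req = urllib.request.Request(url, method=method)
        req.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode()

    return send
```

Call `prepare_for_restore("<nsx-mgr>", https_sender(user, password, cafile))` and run the restore command only when it returns without raising.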