Commvault


Software encryption offers several advantages:

  • Data can be encrypted on the client during the initial data protection operation, providing complete end-to-end security.
  • Different encryption ciphers can be chosen based on security requirements.
  • In certain cases, software encryption can provide a performance benefit by distributing the encryption load across multiple systems, as opposed to hardware encryption, where all encryption is handled on the tape drive.
  • Data can be encrypted selectively using inline encryption by configuring encryption settings at the subclient level. This can further improve performance by encrypting only the data that requires encryption.
  • Restore operations always decrypt data at the destination location.


Commvault software supports the following encryption algorithms:

Cipher          Key Length (bits)  Description
3-DES           192                Triple Data Encryption Algorithm, a symmetric-key block cipher that applies the cipher algorithm three times to each block.
AES (Rijndael)  128 or 256         Advanced Encryption Standard (AES), a symmetric block cipher that encrypts data in 128-bit blocks and uses a key length from 128 to 256 bits.
Blowfish        128 or 256         Symmetric cipher that divides data into 64-bit blocks and encrypts each block individually. It is in the public domain, is fast, and is claimed never to have been compromised.
Serpent         128 or 256         Symmetric cipher that encrypts data in 128-bit blocks and uses a key size between 128 and 256 bits. It is in the public domain.
Twofish         128 or 256         The successor to Blowfish, this symmetric cipher uses keys up to 256 bits. It is fast and, like Blowfish, is in the public domain.
GOST            256                Developed by the Soviet and Russian governments. A symmetric cipher with 64-bit blocks and a 256-bit key.

AES (Rijndael) encryption is the industry standard used by hardware devices and most encryption software. The other ciphers were AES candidates and meet all of its requirements; some are faster and some are stronger, and Rijndael was selected as the most flexible.

Inline Encryption

Right-click the storage policy primary copy | Click Properties | Advanced tab


Inline encryption encrypts data during primary data protection operations. The encryption can take place on the client or on the MediaAgent. In Commvault® software, encryption is enabled through the storage policy primary copy or at the client level, and can be further configured at the subclient level. Subclient-level encryption provides the flexibility of encrypting only the data that requires it. By default, when encryption is enabled on a client, it is enabled on all of that client's subclients.

Inline encryption best practices:

  • Only encrypt data that requires encryption.
  • Isolate encrypted data in a different storage policy from unencrypted data.
  • To achieve these goals, turn off encryption on the default subclient and create a dedicated subclient whose content is the folders or files that require encryption.
  • Turn on encryption for that subclient only and associate it with the dedicated storage policy.

A storage policy primary copy can be used to enable encryption on all subclients associated with the storage policy. Ensure that each client's encryption setting is configured to 'Use Storage Policy Settings.'


[Demo videos: Copy Encryption Enhancements; Copy-Based Encryption]
[Figure: Enabling encryption on all subclients associated with a specific storage policy]


Inline encryption is configured on the client in two areas:

  1. The client's Advanced properties enable encryption and provide the choice of cipher and key length, plus the option to write a copy of the keys to media.
  2. The subclient properties provide the options to encrypt on the client, encrypt on the MediaAgent, encrypt on the client and decrypt on the MediaAgent (encrypt for transmission only), or disable encryption.

Enable Encryption for a Client

Right-click the desired client | Click Properties | Encryption tab

When encryption is enabled on a client, the cipher and key length must be set. The default cipher is Blowfish with a 128-bit key. The 'Direct Media Access' setting determines whether encryption keys are also stored on the media: the 'Via Media Password' option writes the keys to the media, while the 'No Access' option stores the keys only in the CommServe® database. If the keys are stored on the media, data can be recovered using the Commvault® software 'catalog' feature or, in the case of Disaster Recovery data, the Media Explorer tool. Encryption keys are always stored in the CommServe database.

DR data recovery using Media Explorer requires the user to provide the Media Password that was in effect when the data was written. The default Media Password is blank. If the Media Password is not known, contact Commvault Support for assistance in recovering it.


[Demo video: Inline Encryption]
[Figure: Client encryption configuration]


Subclient Encryption Settings

Right-click the desired subclient | Click Advanced | Encryption tab

When encryption is enabled for a client, the default subclient encryption setting 'Client and MediaAgent' encrypts all data on the client, and the data remains encrypted when written to storage.

[Figure: Subclient encryption configuration]

Offline Encryption


'Offline' or 'copy-based' encryption uses Commvault® software encryption to secure data during auxiliary copy jobs. The encryption cipher, key length, and the option to store keys on the media are configured in the Data Encryption section of the storage policy copy's Advanced tab.

In some cases, encrypted source data is decrypted first and then re-encrypted, for example when storing deduplicated data or changing encryption ciphers. By default, encrypted data is preserved during an auxiliary copy operation. Select the 'Store Plain Text' option to decrypt the data during the auxiliary copy job. If 'Store Plain Text' is selected, the data can still be encrypted during transmission by selecting the option 'Encrypt on network using selected cipher.'

[Demo video: Secondary Copy Encryption]
[Figure: Copy-based encryption for a secondary copy]