Commvault

Software Encryption

Owned by Carl Brault (Unlicensed)
Last updated: Nov 30, 2021 by tdopko@commvault.com (Unlicensed)
5 min read

Quick Links to Topics:


There are several advantages for software encryption:

  • Data can be encrypted on the client during initial data protection providing complete end-to-end security.
  • Different encryption ciphers are used based on security requirements.
  • In certain cases, software encryption can provide a performance benefit by distributing the load of data encryption to multiple systems as opposed to hardware encryption, where all data encryption is handled on the tape drive.
  • Data can selectively be encrypted using inline encryption by configuring encryption settings at the subclient level. This can further improve performance by only encrypting data that requires encryption.
  • Restore operations always decrypt data at the destination location.


Commvault software supports the following encryption algorithms

Cipher

Key Length

3-DES
Triple Data Encryption algorithm symmetric-key block cipher. Applies cipher algorithm three times to each block.

192

AES (Rijndael)
Advanced Encryption Standard (AES) is a symmetric block cipher which encrypts data in 128-bit blocks and uses a key length from 128 to 256 bits.

128 or 256

Blowfish
Symmetric cipher, which divides data into 64 bits and encrypts the blocks individually. This algorithm is available in the public domain and is fast and it is claimed to never have been compromised.

128 or 256

Serpent
Serpent is a symmetric cipher, which encrypts data in 128-bit blocks and uses a key size between 128 to 256 bits. This algorithm is in the public domain.

128 or 256

TwoFish
The successor to Blowfish, this symmetric encryption method uses keys up to 256 bits. This algorithm is fast and, like Blowfish, is available in the public domain.

128 or 256

GOST
Developed by Soviet and Russian government. A symmetric cipher in 64-bit blocks using a key length of 256 bits.

256

AES (Rijndael) encryption is the industry standard used by hardware devices and most encryption software. The other ciphers were AES candidates and meet all requirements. Some are faster and some are stronger. Rijndael was selected as the most flexible.





Inline Encryption

Right-click the storage policy primary copy | Click Properties | Advanced tab


Inline encryption is used to encrypt data during primary protection operations. The encryption can take place on the client or the MediaAgent. Encryption is enabled for Commvault® software through the storage policy primary copy or at the client level. Encryption can further be configured at the subclient level. Subclient level encryption provides the flexibility of defining only that data which requires encryption. By default, when encryption is enabled on a client, encryption is enabled on all subclients.

Inline encryption best practices:

  • Only encrypt the data that has such a requirement.
  • Isolate encrypted data in a different storage policy than unencrypted data.
  • To achieve these goals, turn off encryption on the default subclient and create a dedicated subclient with the folders or files requiring encryption defined as content.
  • Turn on encryption on that subclient only and associate it with the dedicated storage policy.

A storage policy primary copy is used to enable encryption on all subclients associated with the storage policy. Ensure the client's encryption settings are configured to 'Use Storage Policy Settings.'



To configure copy-based encryption

1 - Expand the storage policy | Right-click the storage policy Primary copy | Properties.

2 - On a primary copy, enable encryption.

3 - Set cipher, key length and where to store keys.



Enable Encryption for a Client

Right-click the desired client | Click Properties | Encryption tab

When encryption is enabled on a client, the cipher and key length must be set. The default cipher used is blowfish 128 bit. The 'Direct Media Access' setting determines whether encryption keys are stored on the media. The 'Via Media Password' option puts the keys on the media. The 'No Access' option only stores the keys in the CommServe® database. If the keys are stored on the media, data can be recovered using Commvault® software's 'catalog' feature, or in the case of Disaster Recovery data, the Media Explorer tool. Encryption keys are always stored in the CommServe database.

DR Data recovery using Media Explorer requires the user to provide the Media Password used when the data was written. The default Media Password is blank. If the Media Password is not known, contact Commvault Support to assist in recovering the password.

Inline encryption is configured on the client in two areas:

  1. Client Advanced properties enable encryption and provide a choice of cipher, key length, and option to write a copy of the keys on media.
  2. Subclient properties provide options to encrypt on:
    1. The client (Network and Media)
    2. MediaAgent (Media Only)
    3. The client and decrypt on MediaAgent (for transmission only), or
    4. Disable encryption (None)


To configure client encryption

1 - Expand Client Computers | Right-click the client | Properties.

2 - Select the Advanced button to configure client properties.

3 - Enable the use of encryption.

4 - Define the cipher and key length.

5 - Define if the encryption keys should be stored on the media.


Subclient Encryption Settings

Right-click the desired subclient | Click Advanced | Encryption tab

When encryption is enabled for a client, the default subclient encryption setting 'Client and MediaAgent' encrypts all data on the client and the data remains encrypted when written to storage.




To access subclient encryption settings

1 - Expand client | Right-click the subclient | Properties.

2 - Select the Advanced button to configure the subclient properties.

3 - Define where to apply encryption.



Offline Encryption


The 'Offline' or 'Copy-based' encryption uses Commvault® software encryption to secure data during auxiliary copy jobs. From the Data Encryption section in the storage policy copy's Advanced tab, the 'encryption cipher,' 'key lengths,' and the option to 'store keys on the media' are configured.

In some cases, encrypted source data will be decrypted first then re-encrypted when storing deduplicated data or changing encryption ciphers. By default, encrypted data is preserved during an auxiliary copy operation. The 'Store Plain Text' option is selected to decrypt data during the auxiliary copy job. If 'Store Plain Text' option is selected, you can still encrypt data during data transmission by selecting the option 'Encrypt on network using selected cipher.'

 


To configure copy-based encryption

1 - Expand the storage policy | Right-click the storage policy copy | Properties.

2 - In the Advanced tab select Re-encrypt Data option and configure the cipher and media access key.


Copyright © 2021 Commvault | All Rights Reserved.