- Created by Carl Brault on Dec 03, 2019
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
Version 1 Next »
Quick Links to Topics:
There are several advantages for software encryption:
- Data can be encrypted on the client during initial data protection providing complete end-to-end security.
- Different encryption ciphers are used based on security requirements.
- In certain cases, software encryption can provide a performance benefit by distributing the load of data encryption to multiple systems as opposed to hardware encryption, where all data encryption is handled on the tape drive.
- Data can selectively be encrypted using inline encryption by configuring encryption settings at the subclient level. This can further improve performance by only encrypting data that requires encryption.
- Restore operations always decrypt data at the destination location.
Commvault software supports the following encryption algorithms
Cipher | Key Length |
3-DES | 192 |
AES (Rijndael) | 128 or 256 |
Blowfish | 128 or 256 |
Serpent | 128 or 256 |
TwoFish | 128 or 256 |
GOST | 256 |
AES (Rijndael) encryption is the industry standard used by hardware devices and most encryption software. The other ciphers were AES candidates and meet all requirements. Some are faster and some are stronger. Rijndael was selected as the most flexible.
Inline Encryption
Right-click the storage policy primary copy | Click Properties | Advanced tab
Inline encryption is used to encrypt data during primary protection operations. The encryption can take place on the client or the MediaAgent. Encryption is enabled for Commvault® software through the storage policy primary copy or at the client level. Encryption can further be configured at the subclient level. Subclient level encryption provides the flexibility of defining only that data which requires encryption. By default, when encryption is enabled on a client, encryption is enabled on all subclients.
Inline encryption best practices:
- Only encrypt the data that has such requirement.
- Isolate encrypted data in a different storage policy than unencrypted data.
- To achieve these goals, turn off encryption on the default subclient and create a dedicated subclient with the folders or files requiring encryption defined as content.
- Turn on encryption on that subclient only and associate it with the dedicated storage policy.
A storage policy primary copy is used to enable encryption on all subclients associated with the storage policy. Ensure the clients encryption settings are configured to 'Use Storage Policy Settings.'
Copy Encryption Enhancements - Demo
Copy-Based Encryption - Demo
Enabling encryption on all subclients associated with a specific storage policy
Inline encryption is configured on the client in two areas:
- Client Advanced properties enables encryption and provides choice of cipher, key length, and option to write a copy of the keys on media.
- Subclient properties provides options to encrypt on client, on MediaAgent, encrypt on client and decrypt on MediaAgent (encrypt for transmission only), or disable encryption.
Enable Encryption for a Client
Right-click the desired client | Click Properties | Encryption tab
When encryption is enabled on a client, the cipher and key length must be set. The default cipher used is blowfish 128 bit. The 'Direct Media Access' setting determines whether encryption keys are stored on the media. The 'Via Media Password' option puts the keys on the media. The 'No Access' option only stores the keys in the CommServe® database. If the keys are stored on the media, data can be recovered using Commvault® software's 'catalog' feature, or in the case of Disaster Recovery data, the Media Explorer tool. Encryption keys are always stored in the CommServe database.
DR Data recovery using Media Explorer requires the user to provide the Media Password used when the data was written. The default Media Password is blank. If the Media Password is not known, contact Commvault Support to assist in recovering the password.
Inline Encryption - Demo
Client encryption configuration
Subclient Encryption Settings
Right-click the desired subclient | Click Advanced | Encryption tab
When encryption is enabled for a client, the default subclient encryption setting 'Client and MediaAgent' encrypts all data on the client and the data remains encrypted when written to storage.
Subclient encryption configuration
Offline Encryption
The 'Offline' or 'Copy-based' encryption uses Commvault® software encryption to secure data during auxiliary copy jobs. From the Data Encryption section in the storage policy copy's Advanced tab, the 'encryption cipher,' 'key lengths,' and the option to 'store keys on the media' are configured.
In some cases, encrypted source data will be decrypted first then re-encrypted when storing deduplicated data or changing encryption ciphers. By default, encrypted data is preserved during an auxiliary copy operation. The 'Store Plain Text' option is selected to decrypt data during the auxiliary copy job. If 'Store Plain Text' option is selected, you can still encrypt data during data transmission by selecting the option 'Encrypt on network using selected cipher.'
Secondary Copy Encryption - Demo
Copy based encryption for a secondary copy
- No labels