Commvault
Encryption Overview
- Carl Brault
- tdopko@commvault.com
Encryption Overview
Encrypting data is an essential part of data protection, especially when data is entrusted to a third party for storage. Backup and archive data deserve the same consideration as production data. If an unencrypted tape containing sensitive information is stolen, nothing prevents whoever holds it from reading that data; simple measures such as password protection only delay access. Keeping intruders out of the production environment requires a front-line defense that is costly and time consuming, whereas encryption protects the data itself once it has left that environment.
Commvault® software offers three methods to encrypt data:
- Inline encryption – secures data during the data protection job itself. It is performed on the client or on the MediaAgent, or applied to the network transmission between them.
- Offline encryption – secures data during auxiliary copy jobs. It is performed on the source MediaAgent.
- Hardware encryption – encrypts data as it is written to tape drives that support hardware encryption. It is supported on LTO-4, 5, 6 and 7 tape drives that support encryption and are licensed for it by the vendor.
Commvault® software is certified for the US DoD/Canadian DND FIPS encryption accreditation for information security.
The following table describes the options, advantages and disadvantages of each method:
| Type | Where Encryption is Performed | How it is Enabled / Disabled | Advantages | Disadvantages |
|---|---|---|---|---|
| In-Line | Client or MediaAgent | Enabled on the client and configured on the subclient. | Allows encryption of data during primary movement and storage. | Consumes CPU and memory of the client or MediaAgent. Can slow the primary data protection job. |
| Off-line | MediaAgent | Configured in the storage policy secondary copy. | Allows encryption of data during secondary movement and storage. Does not slow the primary data protection job. | Consumes CPU and memory of the MediaAgent. |
| Hardware | LTO-4, 5, 6 or 7 drive with encryption support | Turned on/off at the storage policy copy. | Faster encryption for tape media with minimal CPU or memory consumption on the client or MediaAgent. | Requires dedicated hardware for backups and restores. Decryption takes place on the drive, potentially exposing data during transmission. |
Encryption Key Generation and Management
Both software and hardware encryption keys are scrambled using a proprietary algorithm and maintained in the CommServe® database. Encryption keys can optionally be written to storage media. In the event of the loss of the CommServe database, encrypted data may be recovered using tools provided by Commvault® Support. Encryption keys are destroyed when the job is aged and deleted from the CommServe database. This provides complete end-to-end encryption key management.
Third Party Key Management
Commvault® software also supports third party key management.
Currently, Commvault supports the following third-party key management systems: Safenet, IBM Security Key Lifecycle Manager, Stormagic, Vormetric, Amazon Web Services, and Microsoft Azure Key Vault.
Data is encrypted using Commvault® encryption keys, which are stored in the CommServe® database. These keys are themselves encrypted using a master key held by the third-party system. Both the third-party system and its master key are required for any restore operation.
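The key lifecycle described above (a per-job data key recorded in the CommServe database and destroyed when the job ages) and the third-party arrangement (data keys wrapped under an external master key, so that no restore is possible without the key manager) follow the envelope-encryption pattern. The Go program below is an added example written for this page; it is not Commvault code and does not reflect any Commvault API. The `KMS` and `KeyStore` types, the use of AES-256-GCM for both data and key wrapping, and the job IDs are assumptions chosen for illustration; Commvault's own key-scrambling algorithm is proprietary and is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad (the job ID) is authenticated so a blob cannot be moved to another job.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any tampering with nonce, ciphertext, tag or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS is a hypothetical stand-in for the third-party key manager: it keeps the master key, exposes only wrap/unwrap, and Online models whether it is reachable.
type KMS struct {
	master []byte
	Online bool
}
func NewKMS() *KMS { return &KMS{master: randomBytes(32), Online: true} }

func (k *KMS) Wrap(dek []byte, jobID string) ([]byte, error) { return seal(k.master, dek, []byte(jobID)) }

func (k *KMS) Unwrap(wrapped []byte, jobID string) ([]byte, error) {
	if !k.Online {
		return nil, errors.New("key manager unreachable")
	}
	return open(k.master, wrapped, []byte(jobID))
}

// KeyStore is a stand-in for the CommServe database table of per-job keys: it holds only wrapped data keys, nothing in the clear.
type KeyStore struct{ wrapped map[string][]byte }
func NewKeyStore() *KeyStore { return &KeyStore{wrapped: map[string][]byte{}} }

// Backup generates a fresh data key per job, encrypts the payload with it, and records only the wrapped key.
func Backup(ks *KeyStore, kms *KMS, jobID string, data []byte) ([]byte, error) {
	dek := randomBytes(32)
	blob, err := seal(dek, data, []byte(jobID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek, jobID)
	if err != nil {
		return nil, err
	}
	ks.wrapped[jobID] = wrapped
	return blob, nil
}

// Restore needs both the stored wrapped key and a reachable key manager; without either the ciphertext stays unreadable.
func Restore(ks *KeyStore, kms *KMS, jobID string, blob []byte) ([]byte, error) {
	wrapped, ok := ks.wrapped[jobID]
	if !ok {
		return nil, fmt.Errorf("job %s: no data key (aged or never recorded)", jobID)
	}
	dek, err := kms.Unwrap(wrapped, jobID)
	if err != nil {
		return nil, fmt.Errorf("job %s: unwrap data key: %w", jobID, err)
	}
	return open(dek, blob, []byte(jobID))
}

// AgeJob models key destruction when a job ages: any copy of the ciphertext left on media is now permanently unrecoverable.
func AgeJob(ks *KeyStore, jobID string) { delete(ks.wrapped, jobID) }
```

A typical sequence is `Backup`, then `Restore` (succeeds), then `Restore` again with `kms.Online` set to false (fails because the master key is unavailable), then `AgeJob` followed by `Restore` (fails because the wrapped data key no longer exists). The last two failures are the operational consequences the text warns about: losing the third-party system blocks restores, and aging a job is the point of no return for its data.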
Conceptual overview of Commvault encryption options
Copyright © 2021 Commvault | All Rights Reserved.