V11 Service Pack 11

Configuring Data Encryption on a Storage Policy Copy

You can enable encryption on a storage policy copy to encrypt data during data protection operations. Data encryption on a storage policy copy is useful in the following cases:

  • You are sending media to an off-site location, and you want to ensure that the data on media is not readable if the media is lost or stolen.
  • You are performing a backup to a disk library, and you want to copy the backup data to a tape in encrypted form. However, you do not want to consume the time and resources required to encrypt the data during the backup.
  • You are protecting data from multiple organizations, and you want to ensure one organization cannot read the data from another.

To encrypt data on a client according to the settings in the storage policy copy, enable the Use Storage Policy Settings option from the Advanced Client Properties dialog box. For more information, see Configuring Data Encryption on a Client.

Note: When encryption is enabled on a storage policy copy, data can be encrypted before it is written to the media, and the keys are stored in the CommServe database. If the media is misplaced, recovery of the data without the CommServe is impossible.

Data Encryption during Copy Creation

By default, data encryption is not enabled on the primary copy. However, you can enable data encryption on a primary copy as follows:

  • Select the Software Encryption (Type: BlowFish, Key Length:128) option while creating the storage policy.

    For more information, see Storage Policy - Getting Started.

  • If you enable encryption on new storage policy copies, software encryption (using Blowfish with Key Length 128) is enabled in the storage policy copies, even if the encryption setting is not selected explicitly while creating a new storage policy.

    For more information, see Enabling Data Encryption on New Storage Policy Copies.

  • You can modify the default encryption settings after the storage policy copy creation.

Data Encryption for a Primary Copy Dependent on a Global Deduplication Policy

If data encryption is enabled on a global deduplication policy, the primary copy encrypts the data with the cipher selected on the global deduplication policy. The primary copy also uses the same third-party key management server, if configured for the global deduplication policy.

Note:

  • You cannot override the encryption settings inherited from the global deduplication policy. The settings can be overridden only if the CommServe was upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot enable the Override the Encryption setting for this copy option.
  • If data encryption is not enabled on the global deduplication policy, the backups will honor the client encryption settings.

Data Encryption for a Secondary Copy

Data encryption on a secondary copy depends on whether data encryption is enabled on new storage policy copies. For more information, see Enabling Data Encryption on New Storage Policy Copies.

The following table presents the encryption settings and the resultant behavior:

| Data Encryption Enabled On New Storage Policy Copies | Behavior |
|---|---|
| On | Re-encrypts the data with the cipher selected on the storage policy copy. |
| Off | Data is not encrypted. However, if clients have encrypted data, then the encryption is preserved. |

Data Encryption for a Secondary Copy Dependent on a Global Secondary Copy Policy

If data encryption is enabled on a global secondary copy policy, the dependent secondary copy re-encrypts the data with the cipher selected on the global secondary copy policy. However, you can override the encryption settings of the global secondary copy policy and configure different settings.

If data encryption is not enabled on the global secondary copy policy, the backups are copied using the encryption settings of the source copy.

Data Encryption for a Copy Dependent on a Global Deduplication Policy

If data encryption is enabled on a global deduplication policy, the dependent copy re-encrypts the data with the cipher selected on the global deduplication policy. The dependent copy also uses the same third-party key management server, if configured for the global deduplication policy.

Note:

  • You cannot override the encryption settings inherited from the global deduplication policy. The settings can be overridden only if the CommServe was upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot enable the Override the Encryption setting for this copy option.
  • If data encryption is not enabled on the global deduplication policy, the backups are copied using the encryption settings of the source copy.
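
The inheritance rules in the sections above can be collected into one resolver that reports which cipher ends up on each copy's media and which copies end up unencrypted. This is an added example, not Commvault code: the Policy and Copy classes, the resolve and plaintext_copies functions, and the sample inventory (including the AES-256 value) are constructed for illustration. It assumes a standalone copy with encryption off carries whatever encryption the incoming data already has.

```python
# Added illustration: models only the inheritance rules stated on this page.
# All names here are hypothetical; nothing below is a Commvault API.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    kind: str                       # "gdp" (global dedup) or "gscp" (global secondary copy)
    cipher: Optional[str] = None    # None = encryption not enabled on the policy

@dataclass
class Copy:
    name: str
    cipher: Optional[str] = None    # cipher selected on the copy itself
    parent: Optional[Policy] = None # global policy the copy depends on, if any
    override: bool = False          # copy configures its own settings
    incoming: Optional[str] = None  # encryption already applied by the client / source copy

def resolve(c: Copy):
    """Return (cipher written to media or None, where that setting came from)."""
    p = c.parent
    # Only a global secondary copy policy can be overridden by the copy.
    use_parent = p is not None and not (p.kind == "gscp" and c.override)
    if use_parent and p.cipher:
        return p.cipher, p.kind         # copy (re-)encrypts with the policy cipher
    if not use_parent and c.cipher:
        return c.cipher, "copy"         # standalone copy or explicit override
    # Encryption not enabled at this level: client or source-copy settings apply.
    return c.incoming, "incoming data"

def plaintext_copies(copies):
    """Names of copies whose media would hold unencrypted data."""
    return [c.name for c in copies if resolve(c)[0] is None]

# Constructed sample inventory.
GDP = Policy("gdp", "BlowFish-128")
GSCP = Policy("gscp", "BlowFish-128")
GSCP_OFF = Policy("gscp")
INVENTORY = [
    Copy("primary-dedup", cipher="AES-256", parent=GDP),   # GDP setting cannot be overridden
    Copy("tape-offsite", cipher="AES-256", parent=GSCP, override=True),
    Copy("aux-disk", parent=GSCP_OFF),                     # follows an unencrypted source copy
    Copy("aux-client-enc", incoming="BlowFish-128"),       # client encryption is preserved
    Copy("aux-standalone"),                                # nothing enabled anywhere
]

if __name__ == "__main__":
    for c in INVENTORY:
        print(c.name, resolve(c))
    print("unencrypted on media:", plaintext_copies(INVENTORY))
```
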

Last modified: 1/19/2018 7:05:15 AM