Configuring Software Encryption on a Storage Policy

You can configure encryption on a storage policy to encrypt data during data protection operations.

Note: When you enable encryption on a storage policy, the software encrypts the data before writing it to the media and stores the keys in the CommServe database. If the media is misplaced, recovery of the data without the CommServe database is impossible.

The following table describes how you can configure encryption for a storage policy.

Copy type: Primary copy of a storage policy, a global deduplication storage policy, or a global secondary copy policy

Options to configure encryption:

You can enable encryption for a storage policy copy by default. For instructions, see Configuring Global Level Software Encryption Settings.

You can configure encryption during or after creation of a storage policy. For instructions, see Configuring Software Encryption on a Primary Copy.

Copy type: Primary copy of a storage policy associated with a global deduplication storage policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global deduplication policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings.

  • Encryption not enabled on global deduplication policy: The backups are copied using the encryption settings of the client.

For instructions, see Configuring Software Encryption on a Primary Copy.

Considerations:

You can override the settings only if the CommServe is upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot override them again.

Copy type: Secondary copy

Options to configure encryption:

You can use any of the following options to configure encryption on a secondary copy:

  • Preserve encryption mode as in source: This is the default option. Select this option to copy the encrypted or unencrypted backup data on the source copy as is to the secondary storage.

  • Re-encrypt data using selected cipher: Select this option to encrypt the data with a new cipher that is different from the cipher that was used to encrypt the data.

  • Store plain text: Select this option to copy the data as plain text to the secondary storage.

  • Encrypt on network using selected cipher: Select this option to encrypt the data with a new cipher during transmission, and then store the data as plain text on the secondary storage.

For instructions, see Configuring Software Encryption on a Secondary Copy.

Considerations:

You cannot select the Preserve encryption mode as in source option for a non-deduplicated copy that contains partially copied jobs.

If you selected the Encrypt on network using selected cipher option for a secondary copy, promoted the copy to primary copy, and later made it a secondary copy again, then the option is disabled for the copy.

Copy type: Secondary copy of a storage policy associated with a global deduplication policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global deduplication policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings. The Re-encrypt data using selected cipher option is selected by default. The Cipher, Key Length and encryption keys store option (Via Media Password or No Access) configured on the global deduplication policy are selected by default.

  • Encryption not enabled on global deduplication policy: The backups are copied using the encryption settings of the client. The Preserve encryption mode as in source option is selected by default.

For instructions, see Configuring Software Encryption on a Secondary Copy.

Considerations:

You can override the settings only if the CommServe is upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot override them again.

You cannot select the Store plain text option.

Copy type: Secondary copy of a storage policy associated with a global secondary copy policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global secondary copy policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings. The Re-encrypt data using selected cipher option is selected by default. The Cipher, Key Length and encryption keys store option (Via Media Password or No Access) configured on the global secondary copy policy are selected by default.

  • Encryption not enabled on global secondary copy policy: The backups are copied using the encryption settings of the client. The Preserve encryption mode as in source option is selected by default.

For instructions, see Configuring Software Encryption on a Secondary Copy.
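The rules above decide whether data on a copy's media ends up encrypted at rest; the following added example (not product code or a product API) applies them to an exported copy inventory and reports copies that store plain text. The dictionary fields (name, type, global_encrypted, option, source_encrypted, encryption_enabled) and the sample inventory are assumptions constructed for illustration, and inherited settings are assumed not to be overridden.

```python
# Option names as they appear on this page.
PRESERVE = "Preserve encryption mode as in source"
REENCRYPT = "Re-encrypt data using selected cipher"
PLAIN = "Store plain text"
NETWORK_ONLY = "Encrypt on network using selected cipher"

def plaintext_reason(copy):
    """Return why this copy's media holds plain text, or None if encrypted at rest."""
    inherited = copy.get("global_encrypted")  # None: not tied to a global policy
    if inherited is True:
        return None  # inherits the global policy's cipher (assumes no override)
    if copy["type"] == "primary":
        if inherited is False:  # falls back to the client's encryption settings
            return None if copy["source_encrypted"] else "client encryption is off"
        return None if copy["encryption_enabled"] else "encryption not enabled on copy"
    option = copy.get("option", PRESERVE)  # Preserve is the documented default
    if option == REENCRYPT:
        return None
    if option == PLAIN:
        return "Store plain text selected"
    if option == NETWORK_ONLY:
        return "encrypted in transit only, stored as plain text"
    # PRESERVE: the copy is only as protected as the data it was copied from.
    return None if copy["source_encrypted"] else "unencrypted source preserved as is"

def audit(copies):
    """List (copy name, reason) for every copy whose media is not encrypted."""
    return [(c["name"], r) for c in copies if (r := plaintext_reason(c))]

# Constructed inventory; field names are hypothetical, not a product export format.
SAMPLE = [
    {"name": "sp1-primary", "type": "primary", "encryption_enabled": True},
    {"name": "sp1-aux", "type": "secondary", "option": NETWORK_ONLY,
     "source_encrypted": True},
    {"name": "sp2-aux", "type": "secondary", "global_encrypted": True},
    {"name": "sp3-aux", "type": "secondary", "global_encrypted": False,
     "source_encrypted": False},
    {"name": "sp4-aux", "type": "secondary", "option": REENCRYPT,
     "source_encrypted": False},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```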
