Data Encryption - Online Help

Encryption Key Management Servers

Use this dialog box to view, add, or modify the key management servers.

The Key Management Servers list displays following information about each key management server:

Name
Name of the key management server.Type
The type of the key management server.Add
Click to access the Key provider properties dialog box, which enables you to add a new key management server.Edit
Select a key management server from the list, and then click this button to edit the server information.Delete
Select a key management server from the list, and then click this button to delete the server..

Key provider properties

Use this dialog box to add or to modify the key management server.

Enter or modify the following information for an AWS_KMS key management server:

• Key Provider Name: The name of the key provider.

• Region: The region where AWS hosts the Key Management Service.

• Access Key: The AWS Access Key.

• Secret Access Key and Verify Secret Access Key: The AWS Secret Access Key.

Enter or modify the following information for a KMIP key management server:

• Key Provider Name: The name of the key provider.

• Key Length: The key length to use with the AES cipher.

• Server: The IP address or hostname of the third-party key management server. In case of a cluster server, specify the host values of all servers separated with a comma.Note: For CommCell migration, ensure that both the source and the destination CommCells point to the same third-party key management server.

• Port: The port used by the key management server. In case of a cluster server, all servers should use the same port.

• Certificate: The location of the client certificate.

  Example: C:\Certificates\client.crt (for Salefent) and C:\Certificates\client.pem (for Vormetric)

• Certificate Key: The location of the client certificate key.

  Example: C:\Certificates\clientkey (for Safenet) and C:\Certificates\client_private.pem (for Vormetric)

• Pass Phrase and Verify Pass Phrase: The passphrase of the certificate if set.

• CA Certificate: The location of the key management server CA certificate.

  Example: C:\Certificates\Local_CA.crt (for Safenet) and C:\Certificates\1.2.3.4_CA.pem (for Vormetric)

Client Computer Properties (Encryption)

Use this dialog box to select data encryption options for the selected client. These settings will only impact supported agents residing on the client.

Encrypt Data

When selected, enables data encryption options for the selected client.

Data Encryption Algorithm

• Cipher

  Displays the ciphers available for data transfer.

• Key Length

  Displays the key lengths available for the selected cipher. Note that the key length options displayed will vary according to the selected cipher.

Restore Access

This group of settings specifies CommServe encryption key management policy, i.e., how the encryption keys are stored and accessed in the CommServe database.

• Regular

  When selected, encryption keys are stored in the CommServe database unlocked, and encrypted data can be recovered without providing a pass-phrase. Use this mode only if you trust your CommServe, and have some other mechanisms to protect it from unauthorized access.

• With a Pass-Phrase

  Initially enabled after selecting Direct Media Access option Via a Pass-Phrase.

  When selected, encryption keys are locked with a user-supplied pass-phrase before being stored in the CommServe database. Even if the database has been compromised, the encryption keys are still unusable without the pass-phrase. Note that in this mode encrypted data cannot be recovered without entering a correct pass-phrase.

  Do not choose a trivial or one-word pass-phrase. Remember that in this mode it is the pass-phrase that defines the security of your data. The more elaborate it is, the less likely it can be picked by a third-party.

  Warning

  Loss of the pass-phrase signifies loss of all data previously protected.

  If you want to recover encrypted data without having to provide the pass-phrase for every recovery operation, you can export the source computer's pass-phrase to a destination computer.

  Enable Synthetic Full

  When selected, indicates that synthetic full data protection jobs can be performed when data encryption is enabled. Since running synthetic full data protection operations involves recovering data to a temporary buffer in memory, such data protection operations need a pass-phrase to access data encryption keys in the CommServe database.

  If you want the convenience of scheduling Synthetic Full data protection operations at the expense of slightly weaker security, leave this option enabled. This will create another instance of unlocked encryption keys in the CommServe database, which can be used by synthetic full data protection operations only.

  Alternatively, you can clear this option and then export the pass-phrase to the MediaAgent computer in which the Synthetic Full job is run.

Direct Media Access (External Restore Tools)

The following options are available for key management, which is useful for recovering data through external restore tools like Media Explorer. The Media Explorer tool can recover the Disaster Recovery (DR) data from the tape storage or the disk storage.

• Via Media Password

  When selected, this specifies that a copy of the encryption key will be stored in the media.

  Note

  Ensure to specify a valid Media Password when selecting this option. For more information on setting media password, see Changing the Media Password.

• No Access

  When selected, encryption keys will not be stored on the storage media at all. This represents the highest media security level (regular CommCell Console or Database-driven recovery operations will still work).

Encryption

Use this dialog box to select the data encryption options for the selected content. When accessing this dialog box from the Subclient Properties - Encryption tab, this setting applies only to the selected subclient content for operations run from the CommCell Console. When accessing this dialog box from the Instance Properties - Encryption tab, this setting applies only to third-party Command Line operations. The functionality is not propagated to the Subclient Properties - Encryption tabs.

None

When selected, no encryption will take place during backup operations.

Media Only (MediaAgent Side)

When selected, for backup operations, data is transmitted without encryption and then encrypted prior to storage. During restore operations, data is decrypted by the client.

Network and Media (Agent Side)

When selected, for backup operations, data is encrypted before transmission and is stored encrypted on the media. During restore operations, data is decrypted by the client.

When using this setting in conjunction with the client property With a Pass-Phrase, you will be required to provide a pass-phrase for restore operations unless you export the client pass-phrase to the destination clients.

Network Only (Agent Encrypts, MediaAgent Decrypts)

When selected, for backup operations, data is encrypted for transmission and then decrypted prior to storage on the media. During restore operations, data is encrypted by the MediaAgent and then decrypted in the client.

When using this setting in conjunction with the client property With a Pass-Phrase, you will not be required to provide a pass-phrase for restore operations.

Script Preview

Click to display the backup script, based on the current subclient configuration, that will be submitted to third-party applications (for example RMAN for Oracle) when backups are performed for the selected subclient. (This option is available for agents that support script preview.)

Export Pass-Phrase

Use this dialog box to export the selected pass-phrase to destination client computer(s). The pass-phrase is placed in a <hostname>.pf file which is copied to the <software installation path>\PF folders and is named for the source client. Should you disable encryption at some point, either at the client or subclient level, know that these exported files are not deleted.

Exporting a pass-phrase facilitates scheduled data recovery operations run from the CommCell Console, automatically bypassing the requirement of manually entering a pass-phrase. If you elect not to export the pass-phrase to destination clients, you will be required to enter the pass-phrase during immediate data recovery operations run from the CommCell Console.

Situations for which you must export the pass-phrase:

• To run scheduled data recovery operations

• For the DataArchiver Agent to run a Stub data recovery

• For a third-party Command Line data recovery operations

Destination Computer

Select a client computer from the list of CommCell clients.

Pass-Phrase

Enter the source client's pass-phrase.

Re-enter Pass-Phrase

Re-enter the source client's pass-phrase for confirmation. Only one pass-phrase is allowed per client at any time. If you change the pass-phrase in the GUI, you will need to once again export it to the client.

Reset Pass-Phrase

Use this dialog box to reset the pass-phrase used to protect the client's private key. The pass-phrase protects encryption keys in the CommServe database and on media from unauthorized access.

Only one pass-phrase is allowed per client at any time. If you change the pass-phrase, it affects both future and past data protection operations.

For example, if you ran a few encrypted data protection operations with pass-phrase set to “violet”, and then changed the pass-phrase to “purple”, you will need to enter “purple” when recovering that data. It works like this because pass-phrase is used to lock encryption keys rather than encrypt the data itself. When pass-phrase is modified, the keys are re-locked with the new pass-phrase.

Old Pass-Phrase

Enter the old pass-phrase.

New Pass-Phrase

Enter the new case-sensitive pass-phrase.

Re-enter New Pass-Phrase

Re-enter the new pass-phrase for confirmation.

Advanced Encryption Options

Use this dialog box to select advanced data encryption options for the selected client. These settings will only impact supported agents residing on the client. Refer to Books Online for a complete listing of products that support data encryption.

Restore Access

This group of settings specifies CommServe encryption key management policy, i.e., how the encryption keys are stored and accessed in the CommServe database.

• Regular

  When selected, encryption keys are stored in the CommServe database unlocked, and encrypted data can be recovered without providing a pass-phrase. Use this mode only if you trust your CommServe, and have some other mechanisms to protect it from unauthorized access.

• With a Pass-Phrase

  Initially enabled after selecting Direct Media Access option Via a Pass-Phrase.

  When selected, encryption keys are locked with a user-supplied pass-phrase before being stored in the CommServe database. Even if the database has been compromised, the encryption keys are still unusable without the pass-phrase. Note that in this mode encrypted data cannot be recovered without entering a correct pass-phrase.

  Do not choose a trivial or one-word pass-phrase. Remember that in this mode it is the pass-phrase that defines the security of your data. The more elaborate it is, the less likely it can be picked by a third-party.

  Warning

  Loss of the pass-phrase signifies loss of all data previously protected.

  If you want to recover encrypted data without having to provide the pass-phrase for every recovery operation, you can export the source computer's pass-phrase to a destination computer.

  Enable Synthetic Full

  When selected, indicates that synthetic full data protection jobs can be performed when data encryption is enabled. Since running synthetic full data protection operations involves recovering data to a temporary buffer in memory, such data protection operations need a pass-phrase to access data encryption keys in the CommServe database.

  If you want the convenience of scheduling Synthetic Full data protection operations at the expense of slightly weaker security, leave this option enabled. This will create another instance of unlocked encryption keys in the CommServe database, which can be used by synthetic full data protection operations only.

  Alternatively, you can clear this option and then export the pass-phrase to the MediaAgent computer in which the Synthetic Full job is run.

Direct Media Access (External Restore Tools)

The following options are available for key management, which is useful for recovering data through external restore tools like Media Explorer. The Media Explorer tool can recover the Disaster Recovery (DR) data from the tape storage or the disk storage.

• Via Media Password

  When selected, this specifies that a copy of the encryption key will be stored in the media.

  Note

  Ensure to specify a valid Media Password when selecting this option. For more information on setting media password, see Media Password.Via Pass-Phrase

When selected, this specifies that a copy of the encryption key will be stored in the media.

• No Access

  When selected, encryption keys will not be stored on the storage media at all. This represents the highest media security level (regular CommCell Console or Database-driven recovery operations will still work).

Pass-Phrase

• Reset

  Enabled after an initial pass-phrase has been configured.

  When selected, opens the Reset Pass-Phrase dialog box.

• Export

  Enabled after an initial pass-phrase has been configured.

  When selected, opens the Export Pass-Phrase dialog box.

Advanced Restore Options (Encryption)

Use this tab to provide pass-phrase during data recovery operations.

Pass-Phrase

Enter the pass-phrase that is currently assigned to the client, whose data you are restoring. Note that if you have changed the pass-phrase since you secured the client data, you need to provide the new pass-phrase here, not the old one.

Re-enter Pass-Phrase

Re-enter the pass-phrase for confirmation.

If you attempt an immediate restore of encrypted data that was pass-phrase protected without entering the pass-phrase here, the restore operation will fail.

If you have an exported pass-phrase set up, and you enter the pass-phrase under Decryption, you over-ride (not overwrite) the client properties pass-phrase. Thus, if you enter the pass-phrase incorrectly, the restore does not complete successfully.

Advanced Client Properties - Encryption

Use this dialog box to select data encryption options for the selected client. These settings affect supported agents residing on the client.

Use Storage Policy Settings

Select this option to encrypt data according to the settings in the storage policy copy.

Encrypt data with following settings

Data Encryption Algorithm

• Cipher

  Displays the ciphers available for data transfer.

• Key Length

  Displays the key lengths available for the selected cipher. Note that the key length options displayed will vary according to the selected cipher.

  Direct Media Access (External Restore Tools)

  The following options are available for key management. These options are useful for recovering data. By default, a copy of the encryption key is stored in the CommServe database and will be used by all data recovery operations using the CommCell Console.

• Via Media Password

  When selected, this specifies that a copy of the encryption key will be stored in the media.

  Note

  Ensure to specify a valid Media Password when selecting this option.

• No Access

  When selected, encryption keys will not be stored on the storage media. This represents the highest media security level (regular CommCell Console or Database-driven recovery operations will still work).

Do not encrypt

Select this option to disable encryption on the client computer.

This is useful when encryption is enabled on a storage policy copy and you want to disable encryption on specific clients associated with that storage policy copy.