Security Overview

Data protection is our highest priority. Security is built into every step of our data management services from an end user's computer all the way to backup storage. Use our security features and administrative tools to enhance your own data security plan to ensure that your data is kept private and safe from unauthorized users.

If you feel you have discovered a security vulnerability, go to Report Security Vulnerabilities to report it.

CommCell Security

All configuration data, job records, and access control for Commvault-managed data are contained within the CommServe database. Regardless of what other security barriers you put in place, if the CommServe database is compromised, your data is vulnerable. Your primary means of protecting the CommServe database are the physical, application, and network security measures you take.

For information on securing your CommCell environment, see Securing the CommServe Computer.

User Security

Logon Attempts

Administrators can limit the number of times a user can attempt to log on. After the limit is reached, the user account is locked for the time period defined by the administrator. For more information, see Limiting User Logon Attempts.

Two-Factor Authentication

When two-factor authentication is activated, users must enter a 6-digit PIN (personal identification number) along with their passwords to access the CommCell environment. For more information, see Two-Factor Authentication for Your CommCell Environment.

Role-Based Security

A role is a collection of permissions administrators assign to users and entities to create a three-way security association. Roles can be assigned to any external or CommCell-based user or user group. For more information, see Security Association Overview.

Integration with External Domains

Administrators can manage a single set of users through integration with external directory services like Active Directory and Oracle Directory. Commvault roles and entities can be assigned directly to an external group or user. For more information, see Domains Overview.

SAML Support

Security Assertion Markup Language (SAML) is an XML-based open standard that allows authentication by an Identity Provider (IdP) for Web Console users. SAML can be used to create a single identity for each user, giving that user single sign-on (SSO) for all applications. A SAML User Registration Workflow is available to create user names in the CommServe database. For more information, see External Authentication with SAML Integration (SSO) - Web Console.


Assigning client owners simplifies laptop security. Administrators can set security for all client owners at once by assigning client owner permissions at the CommCell level. Administrators also have the flexibility to set client owner security at the client computer group and client levels. For more information, see Owner Security Overview.


The Privacy feature prevents users and administrators who are not client owners from seeing the data on the client. For more information, see Privacy for Owners.

Credential Manager

With Credential Manager, you can store credentials for different types of accounts to use for various CommCell configurations. Administrators can give users permissions to use the credentials to configure resources from the CommCell Console without distributing the user name or password to access the resource. For more information, see Store Account Information with Credential Manager.

Network Security

Encrypted Challenge and Reply

All CommCell communication between the CommServe host and the client uses encrypted challenge-and-reply to validate the hosts involved.

Firewall Support

CommCell components separated by a firewall can be configured to use authorized ports and connection routes (inbound, outbound, two-way) through the firewall to communicate and perform data management operations. For more information, see Firewall Overview.

Third Party Port Mapping

In addition to the firewall routes configured in your CommCell environment, you can also establish connectivity between CommCell computers on third-party ports using existing firewall tunnels. These ports are used by third-party applications and are not configured with the Commvault firewall access feature. For more information, see Third-Party Port Mappings.

Data Security

Media Password

The media password prevents unauthorized access to data on removable media when external recovery tools are used to restore data. This ensures that only the originating, licensed CommCell environment can recover data. For more information on setting the media password, see Changing the Media Password.

Delete Backup and Archived Data

Data that has been backed up or archived can be permanently deleted so that it is no longer available for browsing and recovery. Data that has been deleted cannot be restored.

For more information, see Delete Backup and Archive Data.

Endpoint Data Security

Client Certificates

Client certificates are used to authenticate connections between client computers and the CommServe host. The authentication process reveals and confirms the identity of the client attempting to establish connections with the CommServe host during installation. For more information, see Network: Client Certificates.

Data Loss Prevention

DLP locks files on a laptop and requires a passkey to open the locked files. If the laptop is lost or stolen, this prevents unauthorized access to the data. For more information, see Data Loss Prevention Overview.

Secure Erase

Protect sensitive data on laptops by specifying certain files to be erased in either of two cases: the laptop has been offline, without connectivity with the CommServe host, for a specified number of days, or a computer marked as lost or stolen is turned on and connects with the CommServe host. For more information, see Data Loss Prevention - Secure Erase.

Data Encryption


The Commvault software supports both online (client to media) and offline (media to media) data encryption. For online data encryption that transits over a network, the location where the encryption takes place is configurable. For more information, see Software Encryption Overview.


Commvault supports tape devices with built-in encryption. The tape device must provide the necessary controls to get the encryption capabilities and to set the encryption properties on the drive. For more information, see Hardware Encryption Overview.

Key Management

Commvault provides encryption key management services for its software encryption ciphers and for supported encryption-enabled hardware devices. You can provide additional protection for Commvault encryption keys with the use of SafeNet before storing the keys in the CommServe database.


Audit Trail

Administrators can track the operations of users who have access to the CommCell environment. This capability is useful when you want to determine the source of a detrimental operation performed in the CommCell environment. For more information, see Audit Trail.

Log Monitoring

The Log Monitoring tool monitors system events, user operations, logs, and analytic information for trend analysis and automated, centralized reporting as may be required for compliance. Auditors and administrators can customize what, where, and how often information is collected and can monitor the results from a single point of view, which makes it easier to spot patterns that require attention. For more information, see Log Monitoring.