Bring Your Own Key (BYOK) and Multi-Person Authorization (MPA)

Commvault Cloud provides security features that help you maintain control of encryption keys and protect against unauthorized access to critical operations.

Bring Your Own Key (BYOK)

Bring Your Own Key (BYOK) enables organizations to maintain ownership and control of the master encryption keys used to protect data within Commvault Cloud. Instead of relying on Commvault-managed encryption keys, customers store and manage their root encryption keys in an external Key Management Service (KMS). Commvault performs only authorized cryptographic operations and never assumes ownership of customer-managed keys.

Supported key management platforms

Commvault Cloud supports integration with the following external Key Management Services:

  • Amazon Web Services (AWS) Key Management Service (KMS)

  • Microsoft Azure Key Vault

  • Google Cloud Key Management Service (Cloud KMS)

  • HashiCorp Vault

  • Supported KMIP-compliant external key management solutions

Encryption architecture

Commvault encrypts backup data using Data Encryption Keys (DEKs). Each storage policy copy is protected by a 3072-bit RSA Key Encryption Key (KEK), which encrypts the DEKs.

When BYOK is enabled:

  • Encryption keys are hosted and stored in a separate customer-owned tenant with multi-person authentication ("MPA") configured. MPA is further described below.

  • The KEK is wrapped using a customer-managed master key stored in the external KMS.

  • The customer retains exclusive control over the master key.

  • Commvault requests cryptographic operations from the external KMS without accessing or storing the master key itself.

Key hierarchy

Customer Master Key (External KMS)
            ↓
3072-bit RSA Key Encryption Key (KEK)
            ↓
Data Encryption Keys (DEKs)
            ↓
AES-256 Encrypted Backup Data

Backup and restore workflow

  1. The customer provisions a master key within the supported KMS.

  2. Appropriate permissions are granted for Commvault to perform approved cryptographic operations.

  3. Backup data is encrypted using Data Encryption Keys (DEKs).

  4. The DEKs are protected by the Key Encryption Key (KEK).

  5. The KEK is wrapped using the customer-managed master key.

  6. During restore operations, Commvault requests authorization from the external KMS to unwrap the KEK before decrypting the backup data.

Key rotation

Customers retain full ownership of the master encryption key and are required to perform key rotations every 90 days and manually as needed.

During key rotation:

  • A new customer-managed master key is created in the external KMS.

  • Commvault rewraps the KEK using the new master key.

  • Existing backup data remains accessible without requiring data re-encryption.

Customer responsibilities

Customers are responsible for:

  • Maintaining the availability of the external KMS

  • Managing IAM permissions and access controls

  • Protecting privileged administrator accounts

  • Retaining encryption keys for the duration of backup retention requirements

  • Avoiding deletion or disabling of active encryption keys

Operational considerations

If the external KMS becomes unavailable or access permissions are revoked, operations requiring encryption key access—such as backup or restore—may fail until connectivity or permissions are restored.

For business continuity, Commvault recommends:

  • Deploying a highly available KMS architecture

  • Regularly validating backup restore operations

  • Periodically reviewing KMS access policies

Security and compliance benefits

BYOK helps organizations:

  • Maintain ownership of encryption keys

  • Enforce separation of duties

  • Centralize key auditing and governance

  • Support regulatory and compliance requirements

  • Reduce dependence on provider-managed encryption keys

Multi-Person Authorization (MPA)

MPA is a Zero Trust security capability within Commvault Cloud that requires approval from multiple authorized users before executing highly privileged or destructive operations.

By requiring multiple independent approvals, MPA significantly reduces the risk of accidental, malicious, or compromised administrative actions.

MPA helps protect organizations from:

  • Insider threats

  • Compromised administrator credentials

  • Accidental deletion of critical backup data

  • Unauthorized security policy modifications

The approval workflow ensures that no single administrator can perform sensitive operations without appropriate authorization.

Common use cases

MPA can be configured for several critical operations, including:

Backup deletion

Requires one or more authorized approvers before backup data can be deleted.

Restore operations

Requires approval before restoring sensitive data, helping reduce the risk of unauthorized data access or exfiltration.

Configuration changes

Protects critical security and system configuration changes by requiring additional approval before execution.

Configuring MPA in Command Center

Administrators can configure MPA from the Commvault Command Center.

  1. Navigate to Manage > Security > Multi-Person Authorization.

  2. Configure the global authorization settings.

  3. Define the user groups authorized to approve requests.

  4. Configure the required approval quorum.

  5. Optionally configure tag-based authorization policies to allow business units or tenants to approve operations within their own environments.

Benefits

Implementing MPA enables organizations to:

  • Strengthen Zero Trust security controls

  • Reduce the risk of ransomware and insider attacks

  • Enforce separation of duties

  • Improve governance for privileged operations

  • Support security and compliance initiatives

×

Loading...