Configuring Software Encryption on a Secondary Copy

You can configure data encryption on a secondary copy. A secondary copy can also be dependent on a global secondary copy policy or global deduplication policy.

Procedure

  1. From the CommCell Browser, expand Policies > Storage Policies > storage_policy.

  2. Right-click the appropriate storage policy copy, and then click Properties.

    The Storage Policy Copy Properties dialog box appears.

  3. Click the Advanced tab.

  4. To override the encryption settings of the global secondary copy policy and configure different settings for a copy dependent on the global secondary copy policy, select the Override the Encryption settings for this copy option.

    Note

    You cannot override the encryption settings inherited from the global deduplication policy. The exception is when the CommServe was upgraded from a previous version or the global deduplication policy was created on a previous service pack; in those cases you can override the settings. After you opt not to override the settings, you cannot opt to override them again.

  5. Select one of the following data encryption options:

    • Preserve encryption mode as in source: Copy the encrypted or unencrypted backup data on the source copy as is to the secondary storage.

      Default: Enabled

      If the copy is dependent on a global secondary copy policy or a global deduplication policy on which encryption is not enabled, this option is enabled by default.

      Note

      • You cannot select this option for a non-deduplicated copy that contains partially copied jobs.

      • If you change the algorithm on the source copy at any time, the software uses the new algorithm to encrypt new backup data.

    • Re-encrypt data using selected cipher: The backup data to be copied is re-encrypted with the cipher used on the selected storage policy copy.

      If the copy is dependent on a global secondary copy policy or a global deduplication policy on which encryption is enabled, this option is enabled by default.

    • Store plain text: The backup data to be copied is stored as plain text on the secondary storage.

      Note

      • When you select this option, data encryption with a third-party key management server is not supported.

      • If the copy is dependent on a global deduplication policy, this option is not supported.

    • Encrypt on network using selected cipher: The backup data to be copied is encrypted during transmission, and then stored as plain text on the secondary storage.

  6. If you selected the option Re-encrypt data using selected cipher or Encrypt on network using selected cipher, under Data Encryption Algorithm, select the following:

    • From the Cipher list, select the appropriate encryption algorithm.

    • From the Key Length list, select the appropriate key length.

      Note

      • If the copy is dependent on a global secondary copy policy or a global deduplication policy on which encryption is enabled, then the Cipher and Key Length configured on the global secondary copy policy or global deduplication policy are selected by default.

      • If you changed to this option from the Preserve encryption mode as in source option, then the software uses the new algorithm to encrypt new backup data.

  7. Under Direct Media Access (External Restore Tools), select whether to enable or disable the encryption keys store:

    • To enable the encryption keys store on the media, select Via Media Password.

    • To disable the encryption keys store on the media, select No Access.

    Note:

    • If the copy is dependent on a global secondary copy policy or a global deduplication policy on which encryption is enabled, then the option configured on the global secondary copy policy or global deduplication policy is selected by default.

    • For a CommServe Disaster Recovery storage policy, Via Media Password is the default option and you cannot change it. The DR backups require the keys store on the media.

  8. To associate the copy to a third-party key management server, under Third Party Encryption, select the Select a Key Management Server check box, and then select a key management server from the list:

    Notes:

    • You can change the association from one third-party key management server to another.

    • To change the association from a third-party key management server to the default Commvault server, contact your software provider to get an authorization code to perform the operation.

      For instructions, see Associating Storage Policy Copies to a Key Management Server.

    • This option is not applicable to a copy dependent on a global secondary copy policy.

    • If the copy is dependent on a global deduplication policy on which encryption is enabled, then the options configured on the global deduplication policy are selected by default. You cannot modify the options.

    For detailed information, see Copy Properties Advanced.

  9. Click OK.

What to Do Next

To prevent the encryption settings from being accidentally altered by users once they are established, enable the Prevent changes to software encryption settings option at the global level. For more information, see Configuring Global Level Software Encryption Settings.
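
The option rules in steps 5 through 8 interact, and two of the four encryption options leave data as plain text on secondary storage. The following added example (not Commvault code) checks an inventory of copy settings against those rules before a change is made. The record fields, option labels and sample copies are hypothetical and constructed for illustration; they are not a Commvault API or export format.

```python
# Added example: field names and option labels are hypothetical, not a
# Commvault API or export format. The sample records are constructed.
PRESERVE, REENCRYPT, PLAIN, NETWORK = "preserve", "re-encrypt", "plain", "network-only"

def review_copy(c):
    """Return (at_rest_state, findings) for one secondary-copy record."""
    mode, dep = c["mode"], c.get("depends_on")  # dep: None, "gscp" or "gddp"
    findings = []
    # Step 5: what ends up on secondary storage for each option.
    if mode == REENCRYPT:
        at_rest = "encrypted"
    elif mode == PRESERVE:
        at_rest = "encrypted" if c.get("source_encrypted") else "plaintext"
    else:  # PLAIN and NETWORK both store plain text on secondary storage
        at_rest = "plaintext"
    if mode == PRESERVE and not c.get("deduplicated") and c.get("partial_jobs"):
        findings.append("preserve mode unavailable: non-deduplicated copy with partially copied jobs")
    if mode == PLAIN and dep == "gddp":
        findings.append("store plain text not supported under a global deduplication policy")
    if mode == PLAIN and c.get("kms"):
        findings.append("third-party key management not supported with store plain text")
    # Step 6: cipher and key length are required for these two options.
    if mode in (REENCRYPT, NETWORK) and not (c.get("cipher") and c.get("key_length")):
        findings.append("cipher and key length must be selected")
    # Step 7: DR backups require the keys store on the media.
    if c.get("dr_policy") and c.get("media_access") != "via-media-password":
        findings.append("DR storage policy requires Via Media Password")
    # Step 8: KMS association does not apply under a global secondary copy policy.
    if c.get("kms") and dep == "gscp":
        findings.append("key management server option not applicable under a global secondary copy policy")
    return at_rest, findings

def audit(copies):
    """Map each copy name to its (at_rest_state, findings) result."""
    return {c["name"]: review_copy(c) for c in copies}

# Constructed sample inventory.
COPIES = [
    {"name": "offsite-a", "mode": REENCRYPT, "cipher": "AES", "key_length": 256,
     "depends_on": "gddp", "media_access": "no-access"},
    {"name": "offsite-b", "mode": NETWORK, "cipher": "AES", "key_length": 256},
    {"name": "offsite-c", "mode": PLAIN, "depends_on": "gddp", "kms": "kms-placeholder"},
    {"name": "dr-copy", "mode": PRESERVE, "source_encrypted": True, "deduplicated": True,
     "dr_policy": True, "media_access": "no-access"},
]

if __name__ == "__main__":
    for name, (state, findings) in audit(COPIES).items():
        print(name, state, findings)
```

A copy reported as plaintext with no findings, such as the network-only sample, is a valid configuration that still leaves data unencrypted at rest.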
