Third-Party Key Management

You can protect the Commvault software encryption keys with third-party key management server before storing the keys in the CommServe database. The software encryption keys are required to perform restore and auxiliary copy operations. The software generates a master key for each storage pool. If a storage policy copy is not dependent on a storage pool, the software generates a separate master key for that copy.

Supported Key Management Servers

• Key Management Interoperability Protocol (KMIP) key management server products of any version:

  • AWS CloudHSM

  • Entrust KeyControl KMIP Vault

  • Fortanix Data Security Manager

  • HashiCorp Vault

  • IBM Security Key Lifecycle Manager (SKLM)

  • Safenet

  • StorMagic SvKMS

  • Thales CipherTrust Manager

  • Vormetric

    Note

    • To use a KMIP key management server other than the products listed above, contact your software provider.
    • The certificate used must not be encrypted

• Amazon Web Services (AWS) key management service

• Microsoft Azure Key Vault

Data Flow for Key Management Operations

Storage Pool Creation

1. Software generates KEK for the storage pool.

2. Software sends request to the KMS to generate master key, and then the KMS generates master key.

3. KMS encrypts KEK using master key, and then sends encrypted KEK and master key ID to the software.

4. Software stores master key ID and encrypted KEK in the CommServe database. (For built-in KMS, scrambled master key is also stored in the CommServe database).

Backup

1. Software generates data encryption key (DEK) for the client.

2. Software encrypts DEK using KEK, and then stores encrypted DEK in the CommServe database.

3. CommServe sends DEK to the client. The software protects DEK over the network using client network password.

4. Client encrypts backup data using DEK.

5. Client sends encrypted data to the MediaAgent.

6. The MediaAgent writes encrypted data to the target backup storage.

Restore

1. The CommServe server fetches the encrypted KEK and the encrypted DEK from the CommServe database.

2. The CommServe server fetches the master key from KMS.

3. The CommServe server decrypts KEK using master key.

4. The CommServe server decrypts DEK using KEK.

5. The CommServe server sends DEK to client. The software protects DEK over the network using client network password.

6. The MediaAgent sends encrypted data to the client.

7. The client decrypts data using DEK.

Related Task

Configuring Encryption Key Management using Third-party Key Management Server