Configuring Hardware Encryption

You can configure hardware encryption on a storage policy copy or a data path. When you enable hardware encryption, data that the software has already encrypted is encrypted again by the hardware. Therefore, we strongly recommend that you enable one or the other, but not both.

Hardware encryption must be enabled only when the drives associated with the data path support encryption. If this option is enabled and the hardware does not support encryption, jobs that run to the data path or drive go to the Pending state.

Note: The hardware encryption algorithm and key length are set by the hardware vendor. Most of the terms use AES-256 for FIPS compliance. Commvault can enable or disable hardware encryption. Any variance in the algorithm or key length used depends on the hardware vendor.

Configure Hardware Encryption for a New Storage Policy Copy

When you create a new storage policy copy, you can enable hardware encryption for all data paths (with tape drives) by default.

Procedure

  1. From the CommCell Browser, right-click the storage_policy, click All Tasks, and then click Create New Copy.

  2. In Copy Name, enter a name for the copy.

  3. From the Library list, select a tape library.

  4. Select the appropriate MediaAgent, Drive Pool and Scratch Pool.

  5. Select the Hardware Encryption (Direct Media Access: Via Media Password) check box to enable the option.

  6. Click OK.