Software Encryption

Software encryption encrypts data during backup jobs, data replication jobs, and auxiliary copy jobs (for auxiliary copy jobs, the backup data is encrypted while it is copied to secondary copies).

Software encryption uses symmetric cryptography, in which the same key is used for encryption and decryption, so there is no need for a certificate or a certificate authority.

For information about the supported algorithms and key lengths, see Supported Algorithms for Software Encryption.

Software encryption can be configured at the following levels:

  • Client (for backups)

    Encryption on client allows you to select which encryption cipher to use and where keys are stored. Encryption keys are stored in the CommServe database and optionally on the media itself.

  • Subclient (for backups)

    Encryption on subclient allows users to select if and where encryption is performed for the subclient data.

  • Replication Set (for ContinuousDataReplicator)

    Encryption on replication set allows you to protect replicated data as it transits the network.

  • Storage Policy Copy (for backups and auxiliary copy operation)

    Encryption on primary copy allows you to select which encryption cipher to use and where keys are stored for all the clients/subclients associated with it.

    Encrypting data during auxiliary copy operations allows backup operations to run without the processing overhead of encryption. Encryption during an auxiliary copy operation is performed at the source MediaAgent. This provides transmission path security.

Decryption of the encrypted data will occur:

  • At the client during restore

  • On the source MediaAgent during synthetic full (decrypted or re-encrypted automatically)

  • On the source MediaAgent during auxiliary copy of deduplicated data (re-encryption on the source MediaAgent is an option requiring the auxiliary encryption license)

  • On the source MediaAgent during auxiliary copy if re-encryption is selected (decrypted, then re-encrypted with the selected algorithm)

  • On the Media Explorer host when restoring data

    Note

    After a job is copied to a dedupe storage pool with encryption enabled, the job remains encrypted even in the following situations:

    • When encryption is disabled (or set to store plain text) on the pool and the job is recopied
    • When the copy is deleted and a new copy is created using the same storage pool with encryption disabled (or set to store plain text) and the same job is copied again
