Third-Party Key Management

You can protect the Commvault software encryption keys with a third-party key management server (KMS) before the keys are stored in the CommServe database. The software encryption keys are required to perform restore and auxiliary copy operations, so the KMS that protects them must remain reachable for as long as the backups it protects are needed.

Supported Key Management Servers

Commvault supports the following Amazon S3 encryptions:

  • Server-side Encryption with Amazon S3-managed keys (SSE-S3)
  • Server-side encryption with customer-provided keys (SSE-C)
  • Server-side encryption with AWS KMS keys (SSE-KMS)
  • Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)

Data Flow for Key Management Operations

Storage Pool Creation

Key Management Flow Diagram

  1. The software generates a key encryption key (KEK) for the storage pool.

  2. The software sends a request to the KMS to generate a master key, and the KMS generates it.

  3. The KMS encrypts the KEK with the master key and returns the encrypted KEK together with the master key ID to the software.

  4. The software stores the master key ID and the encrypted KEK in the CommServe database. (For the built-in KMS, the scrambled master key is also stored in the CommServe database.) Only the encrypted KEK is persisted; recovering the plaintext KEK requires the master key held by the KMS.

Backup

  1. The software generates a data encryption key (DEK) for the client.

  2. The software encrypts the DEK with the KEK and stores the encrypted DEK in the CommServe database.

  3. The CommServe server sends the DEK to the client. The software protects the DEK in transit using the client network password.

  4. The client encrypts the backup data with the DEK.

  5. The client sends the encrypted data to the MediaAgent.

  6. The MediaAgent writes the encrypted data to the target backup storage.

Restore

  1. The CommServe server fetches the encrypted KEK and the encrypted DEK from the CommServe database.

  2. The CommServe server fetches the master key from the KMS.

  3. The CommServe server decrypts the KEK with the master key.

  4. The CommServe server decrypts the DEK with the KEK.

  5. The CommServe server sends the DEK to the client. The software protects the DEK in transit using the client network password.

  6. The MediaAgent sends the encrypted data to the client.

  7. The client decrypts the data with the DEK.

Because every DEK for a storage pool is wrapped under that pool's KEK, and the KEK is wrapped under the master key, a master key that is deleted from the KMS or a KMS that is unreachable leaves the CommServe database holding only ciphertext: restores and auxiliary copies for that pool cannot proceed until the KMS is available again.
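The three flows above (storage pool creation, backup, restore) are one envelope-encryption key hierarchy: master key wraps KEK, KEK wraps DEK, DEK encrypts data. The following is an added illustration written for this page, not Commvault code: it models a KMS that keeps master keys internal, a CommServe database that stores only key IDs and wrapped keys, and the three phases with the step numbers from the lists above in comments. It assumes that the backup phase obtains the KEK by asking the KMS to unwrap it (the page does not say where the KEK comes from at backup time), it omits the client-network-password transport protection of the DEK, and the `seal`/`unseal` pair is a toy encrypt-then-MAC construction over an HMAC-SHA256 keystream that stands in for the product's real key wrapping and must not be used in production. The `KeyManagementServer`, `CommServeDB`, pool and client names are all hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from one wrapping key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Toy encrypt-then-MAC wrap: returns nonce || ciphertext || tag. Not production crypto."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementServer:
    """Hypothetical third-party KMS: master keys are created and used here, never exported."""

    def __init__(self):
        self._master_keys = {}

    def create_master_key(self):
        key_id = "mk-" + secrets.token_hex(4)
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def wrap(self, key_id, kek):
        return seal(self._master_keys[key_id], kek)

    def unwrap(self, key_id, wrapped_kek):
        if key_id not in self._master_keys:
            raise LookupError("master key %s not found in KMS" % key_id)
        return unseal(self._master_keys[key_id], wrapped_kek)


class CommServeDB:
    """What the CommServe database persists in this model: IDs and wrapped keys only."""

    def __init__(self):
        self.pools, self.clients = {}, {}


def create_storage_pool(kms, db, pool_name):
    kek = secrets.token_bytes(32)                         # 1. software generates KEK
    master_key_id = kms.create_master_key()               # 2. KMS generates master key
    wrapped_kek = kms.wrap(master_key_id, kek)            # 3. KMS encrypts KEK with master key
    db.pools[pool_name] = {"master_key_id": master_key_id, "wrapped_kek": wrapped_kek}  # 4.


def _pool_kek(kms, db, pool_name):
    """Recover a pool's KEK; only the KMS holding the master key can do this."""
    pool = db.pools[pool_name]
    return kms.unwrap(pool["master_key_id"], pool["wrapped_kek"])


def backup(kms, db, pool_name, client, data):
    dek = secrets.token_bytes(32)                         # 1. software generates DEK
    wrapped_dek = seal(_pool_kek(kms, db, pool_name), dek)  # 2. DEK encrypted with KEK (assumed KMS unwrap)
    db.clients[client] = {"pool": pool_name, "wrapped_dek": wrapped_dek}
    return seal(dek, data)                                # 3-6. client encrypts, MediaAgent stores


def restore(kms, db, client, stored_blob):
    record = db.clients[client]                           # 1. fetch wrapped KEK and DEK
    kek = _pool_kek(kms, db, record["pool"])              # 2-3. master key in KMS unwraps KEK
    dek = unseal(kek, record["wrapped_dek"])              # 4. KEK unwraps DEK
    return unseal(dek, stored_blob)                       # 5-7. client decrypts with DEK


def round_trip(data):
    """Run all three phases against a fresh simulated KMS and database."""
    kms, db = KeyManagementServer(), CommServeDB()
    create_storage_pool(kms, db, "pool-a")
    return restore(kms, db, "client-1", backup(kms, db, "pool-a", "client-1", data))


def restore_without_master_key(data):
    """Lost or unreachable master key: the database contents alone cannot recover the data."""
    kms, db = KeyManagementServer(), CommServeDB()
    create_storage_pool(kms, db, "pool-a")
    blob = backup(kms, db, "pool-a", "client-1", data)
    try:
        restore(KeyManagementServer(), db, "client-1", blob)  # a KMS that lacks the master key
    except LookupError:
        return False
    return True
```

`round_trip(b"...")` returns the original payload, while `restore_without_master_key` returns `False` because the second KMS never held the master key and so cannot unwrap the KEK; a stolen copy of the database (wrapped KEK plus wrapped DEK) is equally useless without it. `unseal` checks the tag before decrypting, so a wrong key or a modified wrapped key fails closed instead of yielding garbage that would silently corrupt a restore.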

Configuring Encryption Key Management using Third-party Key Management Server
