Software encryption encrypts the data during a backup job, a data replication job, and an auxiliary copy job (encrypts the backup data while copying the data to secondary copies).
The software encryption uses symmetric cryptography where the same key is used for encryption and decryption. So, there is no need for a certificate or a certificate authority.
Also, the software does not encrypt a data set with a single key. Instead, the software generates a key for every stream (archive file) of data that is written which means that there is an extremely minimal chance of the entire data being lost even if the key is compromised.
For information about the supported algorithms and key lengths, see Supported Algorithms.
Software encryption can be configured at the following levels:
- Client (for backups)
Encryption on client allows you to select which encryption cipher to use and where keys are stored. Encryption keys are stored in the CommServe database and optionally on the media itself.
- Subclient (for backups)
Encryption on subclient allows users to select if and where encryption is performed for the subclient data.
- Replication Set (for ContinuousDataReplicator)
Encryption on replication set allows you to protect replicated data as it transits the network.
- Storage Policy Copy (for backups and auxiliary copy operation)
Encryption on primary copy allows you to select which encryption cipher to use and where keys are stored for all the clients/subclients associated with it.
Encryption data during auxiliary copy operations allows backup operations to run without the processing overhead of encryption. Encryption performed during an auxiliary copy operation is performed at the source MediaAgent. This provides transmission path security.
Decryption of the encrypted data will occur:
- At the client during restore
- On the source MediaAgent during synthetic full (decrypted or re-encrypted automatically)
- On the source MediaAgent during auxiliary copy of deduplicated data (re-encryption on the source MediaAgent is an option requiring the auxiliary encryption license)
- On the source MediaAgent during auxiliary copy if re-encryption is selected. (decrypted then re-encrypted with select algorithm)
- On the Media Explorer host when restoring data
Last modified: 11/20/2018 5:15:24 AM