Configuring Software Encryption on a Client

You can configure encryption on a client to protect data during data protection and recovery operations.

Once data encryption is enabled on a client, encryption can be enabled on all instances or subclients associated with all the agents installed on the client. The data encryption keys are randomly generated per archive file.


  • If the storage policy used by the client computer has deduplication and encryption enabled, then the encryption settings of the storage policy are used instead of the settings of the client computer.
  • Deduplication happens before data encryption. If different client computers with encryption enabled and encryption disabled use the same deduplication enabled storage policy, then the backup data from encryption enabled client computer may refer to the already backed up and unencrypted data. In such case, not all the data that is referenced by the encryption enabled client computer is actually encrypted on the disk. Encryption must enabled on all the client computers from the beginning to ensure that all backup data is encrypted.
  • If the NDMP data is directed to a NDMP Remote Server-enabled MediaAgent for data protection or auxiliary copy you can software and hardware encrypt the data. For NDMP data sent directly to a filer-attached library only hardware encryption is supported. Filer direct Hardware encryption requires a third party key management system.


  1. From the CommCell Browser, expand Client Computers.
  2. Right-click the appropriate client, and then click Properties.
  3. From the Client Computer Properties dialog box, click Advanced.
  4. In the Advanced Client Properties dialog box, on the Encryption tab, specify one of the following settings:
    • To encrypt data according to the settings in the storage policy copy, click Use Storage Policy Settings.

      This is the default option.

    • To use specific encryption type for this client backups, select Encrypt data with following settings and then select the following:
      • Under Data Encryption Algorithm, select the following:
      1. From the Cipher list, select appropriate encryption algorithm.

        For information on supported algorithms and key lengths, see Data Encryption Algorithms.

      2. From the Key Length list, select appropriate key length.
      • Under Direct Media Access (External Restore Tools), choose whether to enable or disable the encryption keys store:
      • To enable the encryption keys store on the media, select Via Media Password.
      • To disable the encryption keys store on the media, select No Access.
    • To transfer data without encryption, select Do not encrypt.

    For detailed information, see Advanced Client Properties - Encryption.

  5. Click OK.

What To Do Next

You must enable data encryption in the individual instances and / or subclients  to encrypt the data during backups. See Configuring Data Encryption on a Subclient or an Instance for more information.

Last modified: 11/12/2019 9:34:03 AM