
Configuring Software Encryption on a Storage Policy

You can configure encryption on a storage policy to encrypt data during data protection operations.

Configuring software encryption on a storage policy is useful in the following cases:

  • You are sending media to an off-site location, and you want to ensure that the data on media is not readable if the media is lost or stolen.
  • You are performing a backup to a disk library, and you want to copy the backup data to a tape in encrypted form. However, you do not want to consume the time and resources required to encrypt the data during the backup.
  • You are protecting data from multiple organizations, and you want to ensure one organization cannot read the data from another.

To encrypt data on a client according to the settings in the storage policy, enable the Use Storage Policy Settings option from the Advanced Client Properties dialog box. For more information, see Configuring Software Encryption on a Client.

Note: When you enable encryption on a storage policy, the software encrypts the data before writing it to the media and stores the keys in the CommServe database. If the media is misplaced, recovery of the data without the CommServe database is impossible.

The following table describes how you can configure encryption for a storage policy.

Copy Type | Options to Configure Encryption | Considerations

Primary copy

Options to configure encryption:

You can enable encryption for a storage policy copy by default. For instructions, see Enabling Software Encryption on a New Storage Policy Copy.

You can configure encryption during or after creation of a storage policy. For instructions, see Configuring Software Encryption on a Primary Copy.

Primary copy of a storage policy associated with a global deduplication policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global deduplication policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings.
  • Encryption not enabled on global deduplication policy: The backups are copied using the encryption settings of the client.

For instructions, see Configuring Software Encryption on a Primary Copy.

Considerations:

You can override the settings only if the CommServe is upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot override them again.

Primary copy of a storage policy associated with a global secondary copy policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global secondary copy policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings.
  • Encryption not enabled on global secondary copy policy: The backups are copied using the encryption settings of the client.

For instructions, see Configuring Software Encryption on a Primary Copy.

Considerations:

The option to configure third-party encryption is not applicable to a global secondary copy policy. You can also change the association from one third-party key management server to another third-party key management server.

To change the association from a third-party key management server to the default Commvault server, contact your software provider to get an authorization code to perform the operation.

For instructions, see Associating Storage Policy Copies to a Key Management Server.

Secondary copy

Options to configure encryption:

You can use any of the following options to configure encryption on a secondary copy:

  • Preserve encryption mode as in source: This is the default option. Select this option to encrypt the data with the existing cipher used to encrypt the backup data while copying to the secondary storage.
  • Re-encrypt data using selected cipher: Select this option to encrypt the data with a new cipher that is different from the cipher that was used to encrypt the data.
  • Store plain text: Select this option to copy the data as plain text to the secondary storage.
  • Encrypt on network using selected cipher: Select this option to encrypt the data with a new cipher during transmission, and then store the data as plain text on the secondary storage.

For instructions, see Configuring Software Encryption on a Secondary Copy.

Considerations:

You cannot select the Preserve encryption mode as in source option for a non-deduplicated copy that contains partially copied jobs.

Secondary copy of a storage policy associated with a global deduplication policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global deduplication policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings. The Re-encrypt data using selected cipher option is selected by default. The Cipher, Key Length and encryption keys store option (Via Media Password or No Access) configured on the global deduplication policy are selected by default.
  • Encryption not enabled on global deduplication policy: The backups are copied using the encryption settings of the client. The Preserve encryption mode as in source option is selected by default.

For instructions, see Configuring Software Encryption on a Secondary Copy.

Considerations:

You can override the settings only if the CommServe is upgraded from a previous version or the global deduplication policy was created on a previous service pack. After you choose not to override the settings, you cannot override them again.

You cannot select the Store plain text option.

Secondary copy of a storage policy associated with a global secondary copy policy

Options to configure encryption:

Review the following:

  • Encryption enabled on global secondary copy policy: The copy inherits the encryption settings of the global deduplication policy and you cannot override the settings. The Re-encrypt data using selected cipher option is selected by default. The Cipher, Key Length and encryption keys store option (Via Media Password or No Access) configured on the global secondary copy policy are selected by default.
  • Encryption not enabled on global secondary copy policy: The backups are copied using the encryption settings of the client. The Preserve encryption mode as in source option is selected by default.

For instructions, see Configuring Software Encryption on a Secondary Copy.
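
Added example (not part of the Commvault documentation or product): a small audit that applies the secondary copy rules in the table above to decide whether each copy is encrypted on the media itself, which is what matters when media leaves the site. The SecondaryCopy record, its field names and the sample inventory are hypothetical. The sketch assumes that Preserve encryption mode as in source leaves unencrypted source data unencrypted, and it ignores the override allowed on upgraded CommServe installations.

```python
from dataclasses import dataclass
from typing import Optional

PRESERVE = "Preserve encryption mode as in source"
REENCRYPT = "Re-encrypt data using selected cipher"
PLAIN = "Store plain text"
NETWORK = "Encrypt on network using selected cipher"

@dataclass
class SecondaryCopy:  # hypothetical inventory record, not a Commvault schema
    name: str
    option: str                           # option selected on the copy
    source_encrypted: bool                # were the source backups encrypted?
    global_policy: Optional[str] = None   # "dedup", "secondary" or None
    global_encryption: bool = False       # encryption enabled on that policy?

def effective_option(copy):
    """An encrypting global policy fixes the option; the copy cannot override it."""
    if copy.global_policy and copy.global_encryption:
        return REENCRYPT
    return copy.option

def at_rest_finding(copy):
    """Return None if the stored copy is encrypted, else the reason it is not."""
    option = effective_option(copy)
    if option == REENCRYPT:
        return None
    if option == PRESERVE:
        return None if copy.source_encrypted else "source backups were not encrypted"
    if option == NETWORK:
        return "encrypted in transit only, stored as plain text"
    if option == PLAIN:
        return "stored as plain text"
    raise ValueError(f"unknown option: {option!r}")

def audit(copies):
    """Map copy name -> reason, for every copy readable from the media alone."""
    return {c.name: r for c in copies if (r := at_rest_finding(c)) is not None}

# Constructed sample inventory
SAMPLE = [
    SecondaryCopy("offsite-tape", NETWORK, source_encrypted=True),
    SecondaryCopy("dr-disk", PRESERVE, source_encrypted=False),
    SecondaryCopy("tenant-a", PLAIN, True, "secondary", True),
    SecondaryCopy("archive", REENCRYPT, source_encrypted=False),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: {reason}")
```

The copy named offsite-tape is the case to watch for: its option mentions a cipher, yet the data lands on the secondary storage as plain text.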

 

Last modified: 11/27/2018 5:27:51 AM