Third-Party Key Management
You can protect the Commvault software encryption keys with a third-party key management server before storing the keys in the CommServe database. The software encryption keys are required to perform restore and auxiliary copy operations.
Supported Key Management Servers
- Key Management Interoperability Protocol (KMIP) key management server products of any version
- Amazon Web Services (AWS) key management service
- Microsoft Azure Key Vault
How It Works
After you enable the third-party key management server on a storage policy copy, the key encryption works as follows.
- The CommServe sends a request to the third-party key management server to generate and store a master key for the storage policy copy.
- The third-party key management server appliance sends a Key ID back to the CommServe, and the Key ID is stored in the CommServe database.
- The software uses the Key ID (the UID) to retrieve the master key from the third-party key management server appliance, and this master key is used to encrypt the RSA private key. Only the Key ID, not the master key, is held in the CommServe database.
The CommCell ID, storage policy name and the storage policy copy name are stored with the key as attributes in the third-party key management server appliance. You can use these attributes to search for keys from the server console.
For additional information about encryption key management, see Commvault Management of Encryption Keys.
Storage Policy Copy
What Happens During Backups?
- For each archive file in the backup, the software generates a symmetric key (a random number) that is used to encrypt the backup data stream.
- The software uses the RSA public key to encrypt the symmetric key and stores the encrypted key in the CommServe database.
- The software writes the backup data stream on the media.
What Happens During Restores or Auxiliary Copy Operations?
- The master key for the storage policy copy is retrieved from the third-party key management server appliance using the UID (the Key ID).
- The retrieved master key is used to decrypt the RSA private key from the CommServe database.
- The RSA private key is used to decrypt each symmetric key that is stored in the CommServe database.
- The decrypted symmetric keys are used to decrypt the corresponding archive file stored on the media.
Last modified: 3/31/2020 6:35:40 AM