Configuring Encryption Key Management using Third-party Key Management Server
You can protect the Commvault software encryption keys with a third-party key management server (KMS) before the keys are stored in the CommServe database. Once this is configured, the KMS-held master key is required for restore and auxiliary copy operations.
During data encryption, the data encryption key is encrypted with the RSA public key of the storage policy copy and can be decrypted only with the corresponding private key. That private key is in turn encrypted with a master key from the third-party key management server, which is why the master key is required for restore and auxiliary copy operations.
- To back up the third-party key management server itself using Commvault, do not use a storage policy on which third-party key management is enabled; restoring the server would otherwise depend on a key that only that server can supply.
- Data encryption with a third-party key management server is not supported on a secondary copy on which the Store plain text option is selected.
For more information, see Configuring Data Encryption on a Storage Policy Copy.
- The integration with a third-party key management server (KMS) is for Commvault-side encryption only, not for encryption performed by the KMS itself. Keys created on the KMS for a storage policy must not be used for any other purpose, including KMS-side encryption, because the system deletes those keys from the server during key rotation and deletion.
If you enable a third-party key management server on a deduplicated storage policy or copy, do not delete the third-party key associated with it. For deduplicated data, the same data blocks are referenced by multiple jobs, so that one key protects every job that shares those blocks. For more information, see How Deduplication Works.
If the key is deleted, the data associated with the deduplicated storage policy or copy cannot be recovered. In that situation, create a new storage policy or copy and re-associate all subclients with it. For instructions on re-association, see Associating Subclients to a Different Storage Policy.
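The key chain described above (per-job data encryption key wrapped under the storage policy copy's RSA public key, the RSA private key wrapped under the KMS master key, and the master key needed only when data is read back) is modelled below as an added example. It is not Commvault code and not the page's own: the symmetric primitive (AES-256-GCM), RSA-OAEP for wrapping the data encryption key, the in-memory kms map standing in for the key management server, the sample payload and every name in the block are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// must panics on errors only a programming mistake can cause; restore returns real errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// AES-256-GCM is the assumed symmetric primitive for both the backup data and the
// private-key wrap; blobs are nonce || ciphertext || tag, and gcmOpen fails on a wrong key.
func gcmSeal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// kms is a constructed stand-in for the third-party key management server: named
// master keys the CommServe retrieves on demand; delete(k, name) models KMS-side deletion.
type kms map[string][]byte

type storagePolicyCopy struct { // what the CommServe database holds for one copy
	publicKey         *rsa.PublicKey
	wrappedPrivateKey []byte // PKCS#1 DER, wrapped with the KMS master key; never stored in the clear
	kmsKeyName        string
}

// backupJob: ciphertext plus the job's DEK wrapped with RSA-OAEP under the copy's
// public key. Taking a backup needs nothing from the KMS; only restore does.
type backupJob struct{ wrappedDEK, ciphertext []byte }

func newStoragePolicyCopy(k kms, keyName string) (*storagePolicyCopy, error) {
	mk, ok := k[keyName]
	if !ok {
		return nil, fmt.Errorf("kms: no master key named %q", keyName)
	}
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	wrapped := gcmSeal(mk, x509.MarshalPKCS1PrivateKey(priv))
	return &storagePolicyCopy{publicKey: &priv.PublicKey, wrappedPrivateKey: wrapped, kmsKeyName: keyName}, nil
}

func backup(c *storagePolicyCopy, data []byte) *backupJob {
	dek := randomBytes(32) // fresh data encryption key for this job
	wrappedDEK := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, c.publicKey, dek, nil))
	return &backupJob{wrappedDEK: wrappedDEK, ciphertext: gcmSeal(dek, data)}
}

// restore walks master key -> RSA private key -> DEK -> data; only this step needs the KMS.
func restore(k kms, c *storagePolicyCopy, job *backupJob) ([]byte, error) {
	mk, ok := k[c.kmsKeyName]
	if !ok {
		return nil, fmt.Errorf("restore: master key %q is missing from the KMS", c.kmsKeyName)
	}
	der, err := gcmOpen(mk, c.wrappedPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("restore: unwrap private key: %w", err)
	}
	priv := must(x509.ParsePKCS1PrivateKey(der)) // GCM authenticated it, so a parse failure is a bug
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, job.wrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("restore: unwrap DEK: %w", err)
	}
	return gcmOpen(dek, job.ciphertext)
}

func main() {
	k := kms{"sp-copy-1": randomBytes(32)} // master key created on the KMS for this copy
	c := must(newStoragePolicyCopy(k, "sp-copy-1"))
	job := backup(c, []byte("constructed backup payload"))
	fmt.Printf("with master key: %s\n", must(restore(k, c, job)))
	delete(k, "sp-copy-1") // the deleted-key scenario the page warns about
	_, err := restore(k, c, job)
	fmt.Println("after deletion:", err)
}
```

Two things the model makes visible that the prose only states: backup never contacts the KMS, so a KMS outage or deleted key is not noticed until the first restore or auxiliary copy; and a replacement key created under the same name does not help, because the stored wrappedPrivateKey was sealed under the old key material. That is why rotating the master key must re-wrap the private key under the new key before the old one is deleted, and why deleting the key for a deduplicated copy loses every job that shares its blocks.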
Before You Begin
- Configure data encryption on the client that contains the data to be encrypted, and specify that the storage policy settings are to be used for encryption.
For instructions, see Configuring Data Encryption on a Client.
- Establish trust between the third-party key management server and the CommServe.
To configure a third-party key management server for data encryption, complete the following steps on the CommServe:
- Add the third-party key management server.
For instructions, see Adding a Key Management Server.
- Configure data encryption on the storage policy copy that is associated with the client, and associate the third-party key management server with that storage policy copy.
For instructions, see Configuring Data Encryption on a Storage Policy Copy.
When the third-party key management server is enabled:
- For new backup jobs, the third-party master key is required to decrypt the private key during restore and auxiliary copy operations.
Existing backup jobs are not affected.
- After backup or auxiliary copy jobs have run, the Attributes tab of the Key Properties on the third-party key management server site shows the name of the CommServe, storage policy, and storage policy copy associated with the key, together with the first and last time the key was retrieved.
What To Do Next
- Associate the subclients that you plan to encrypt with the storage policy that is associated with the third-party key management server.
For each subclient, you can also select where the encryption is performed for the subclient data. For instructions, see Configuring Data Encryption on a Subclient or an Instance.
- For additional security, you can periodically rotate the third-party key management server encryption keys. For instructions, see Rotating Master Key for a Storage Policy Copy.
Last modified: 11/27/2018 9:42:23 AM