V11 SP8

Hardware or Library Management of Encryption Keys

If you have a hardware vendor license applied on the library for key management, and it is enabled, then no additional Commvault license and/or configuration is required. In this scenario, the hardware library generates and stores the encryption keys per media and the hardware drive encrypts the data. Therefore, every backup job written to a specific media will have the same key.

If you do not have a hardware vendor license for key management, or it is not enabled, Commvault can provide key management services. To enable Commvault key management for hardware, you must enable Hardware encryption for each data path that directs data to tape libraries using supported hardware encryption tape drives.


  • If you have hardware encryption (Key Management) enabled on the hardware side and you also have hardware encryption option enabled at storage policy level, the job would go pending stating with following message:

    The hardware does not support hardware encryption and hardware encryption option should be disabled at the storage policy level

    This ensures that the key management must be enabled in one of the two available ways. If both are enabled, the hardware or library managing the encryption keys always takes precedence.

For each data protection operation, the software checks the drive to see if encryption is supported. If encryption is supported, the software provides the encryption key, which is in turn stored in the CommServe database when the data chunk is written to the media. The encryption key is stored after scrambling it with a proprietary encryption. The encryption key gets deleted when the data chunk is pruned.