Configuring Encryption Key Management using Third-party Key Management Server
You can now protect Commvault software encryption keys with a third-party key management server before the keys are stored in the CommServe database. The third-party key is then required for restore and for auxiliary copy operations.
During data encryption, the data encryption key is encrypted with the storage policy copy's RSA public key and can be decrypted only with the corresponding private key. That private key is in turn encrypted with a master key from the third-party key management server, so the master key is required for restore and auxiliary copy operations.
Note: To back up the third-party key management server itself using Commvault, do not use a storage policy on which third-party key management is enabled; restoring that backup would otherwise depend on a key held by the server being restored.
If you enable a third-party key management server on a deduplicated storage policy or copy, do not delete the third-party key associated with that storage policy or copy, because the data blocks of deduplicated data are referenced by multiple jobs. For more information, see How Deduplication Works.
If the key is deleted, the data associated with the deduplicated storage policy or copy cannot be recovered. In this situation, you must create a new storage policy or copy and re-associate all subclients to the new storage policy. For instructions on re-association, see Associating Subclients to a Different Storage Policy.
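The key chain described above (data key wrapped with the copy's RSA public key, RSA private key wrapped with the master key from the key management server) and the unrecoverable-data situation that follows from losing the master key, as an added Go example. This is not Commvault code: the key management server is stood in for by a random 32-byte master key held in memory, and the choice of AES-GCM for wrapping, RSA-OAEP with SHA-256 for the data key, 2048-bit RSA, and PKCS#1 DER for the private key are assumptions, since the page does not state Commvault's actual algorithms or key sizes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// gcmFor builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key; the random nonce is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	} else if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ProtectedBackup is what gets stored: data under the DEK, the DEK under the copy's RSA
// public key, and the copy's RSA private key (PKCS#1 DER) under the KMS master key.
type ProtectedBackup struct{ Ciphertext, WrappedDEK, WrappedPrivateKey []byte }

// Backup applies the three-level key hierarchy described on the page.
func Backup(data []byte, copyPriv *rsa.PrivateKey, masterKey []byte) (*ProtectedBackup, error) {
	dek := make([]byte, 32) // fresh data encryption key for this backup job
	_, errRand := rand.Read(dek)
	ct, errData := seal(dek, data)
	wrappedDEK, errDEK := rsa.EncryptOAEP(sha256.New(), rand.Reader, &copyPriv.PublicKey, dek, nil)
	wrappedPriv, errPriv := seal(masterKey, x509.MarshalPKCS1PrivateKey(copyPriv))
	if err := errors.Join(errRand, errData, errDEK, errPriv); err != nil {
		return nil, err
	}
	return &ProtectedBackup{Ciphertext: ct, WrappedDEK: wrappedDEK, WrappedPrivateKey: wrappedPriv}, nil
}

// Restore unwinds the chain; the very first step needs the master key from the KMS.
func Restore(b *ProtectedBackup, masterKey []byte) ([]byte, error) {
	privDER, err := unseal(masterKey, b.WrappedPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap copy private key (master key missing or wrong): %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return unseal(dek, b.Ciphertext)
}

// Demo restores once with the master key and once with it gone (modelled as a different key).
func Demo() (restored, failsWithoutMaster bool, err error) {
	copyPriv, err := rsa.GenerateKey(rand.Reader, 2048) // storage policy copy key pair
	if err != nil {
		return false, false, err
	}
	masterKey := make([]byte, 32) // constructed stand-in for the KMS master key
	_, errRand := rand.Read(masterKey)
	data := []byte("constructed sample backup payload")
	b, errBackup := Backup(data, copyPriv, masterKey)
	if err := errors.Join(errRand, errBackup); err != nil {
		return false, false, err
	}
	got, err := Restore(b, masterKey)
	restored = err == nil && bytes.Equal(got, data)
	_, err = Restore(b, make([]byte, 32)) // the deleted-key case from the page's warning
	return restored, err != nil, nil
}
```

Demo returns (true, true, nil): the restore succeeds while the master key is available and fails at the first unwrap once it is not, which is why the page says the data of a copy whose key was deleted cannot be recovered; neither the stored ciphertext nor the wrapped data key is of any use on its own.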
Before You Begin
- Make sure that encryption is enabled on the clients. For instructions, see Configuring Data Encryption on a Client.
- Establish trust between the third-party key management server and the CommServe. For instructions, see Establishing Trust between the SafeNet KeySecure and the CommServe and Establishing Trust between the Vormetric DSM and the CommServe.
To configure data encryption to use a third-party key management server, complete the following steps on the CommServe:
- Add the third-party key management server. For instructions, see Adding a Key Management Server.
- Associate the third-party key management server to a storage policy copy. For instructions, see Associating Storage Policy Copies to a Key Management Server.
When a third-party key management server is enabled on a storage policy copy:
- The following text appears on the Advanced tab of the Copy Properties dialog box:
  SafeNet Encryption: Enabled
- For new backup jobs, the third-party key is used to decrypt the private key during restore and auxiliary copy operations. Existing backup jobs are not affected.
- After backup or auxiliary copy jobs have run, the Attributes tab of the Key Properties on the third-party key management server site shows the names of the CommServe, storage policy, and storage policy copy associated with the key, together with the first and last retrieval time of the key.
What To Do Next
- Associate the subclients that you plan to encrypt with the storage policy that is associated with the third-party key management server. For each subclient, you can also select where the subclient data is encrypted. For instructions, see Configuring Data Encryption on a Subclient or an Instance.
- You can periodically rotate the master key held by the third-party key management server for additional security. For instructions, see Rotating Master Key for a Storage Policy Copy.