Configuring Encryption Key Management using Third-party Key Management Server

You can now protect Commvault software encryption keys with a third-party key management server before storing the keys in the CommServe database. The third-party keys are then required for restore and for auxiliary copy operations.

During data encryption, the data encryption key is encrypted with the storage policy copy's RSA public key and can be decrypted only with the corresponding private key. That private key is in turn encrypted using a master key from the third-party key management server, so the master key is required for restore and auxiliary copy operations.

Notes:

  • To back up the third-party key management server using Commvault, do not use a storage policy on which third-party key management is enabled, because restoring that server would then depend on keys it holds.

  • When you select the Store plain text option on a secondary copy, data encryption with third-party key management server is not supported.

    For more information, see Configuring Data Encryption on a Storage Policy Copy.

  • The integration with a third-party key management server (KMS) covers Commvault-side encryption only, not KMS-side encryption. Do not use the keys created on a third-party KMS for a storage policy for any other purpose, including KMS-side encryption, because the system deletes those keys from the server during key rotation and on deletion.

  • You can change the key management server (KMS) for a storage policy copy. Make sure that the existing KMS remains accessible until you associate the new KMS with the storage policy copy. After you change the KMS, any backup operations that you perform later use the new KMS. After you have changed the KMS for all the storage policy copies that use it, you can delete the old KMS. For instructions, see Deleting a Key Management Server.

Important:

If you enabled a third-party key management server on a deduplicated storage policy or copy, do not delete the third-party key associated with it, because for deduplicated data the data blocks are referenced by multiple jobs. For more information, see How Deduplication Works.

If the key is deleted, the data associated with the deduplicated storage policy or copy cannot be recovered. In that case, you need to create a new storage policy or copy and re-associate all subclients with the new storage policy. For instructions on re-association, see Associating Subclients to a Different Storage Policy.

Before You Begin

Procedure

To configure a third-party key management server for data encryption, complete the following steps on the CommServe:

  1. Add the third-party key management server.

    For instructions, see Adding a Key Management Server.

  2. Configure data encryption on the storage policy copy that is associated with the client. Associate the third-party key management server to the storage policy copy.

    For instructions, see Configuring Data Encryption on a Storage Policy Copy.

Result

When a third-party key management server is enabled:

  • The software creates a master key in the key management server, with the names of the CommServe and the storage pool set as attributes/tags on the key.

  • When you change the key management server, the software decrypts the storage pool's master key with the old master key from the existing key management server and then encrypts it with the new master key from the new key management server. As a result, the backup data of existing and new backup jobs depend on the new master key only and no longer use the old master key.
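The key chain described at the top of this page (data encryption key wrapped by the copy's RSA public key, private key wrapped by the KMS master key) and the master-key switch described in this Result section, shown as an added example in Go. This is illustrative code written for this page, not Commvault's own implementation: the BackupRecord layout, the function names, the use of AES-GCM for the symmetric steps, and the KMS master key simulated as a locally generated random key (rather than a call to a real key management server) are all assumptions. It also simplifies the rotation step by re-wrapping the copy's RSA private key directly under the new master key; the point it demonstrates is the same, namely that only the wrapping layer changes and the encrypted backup data and its data encryption key are untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// BackupRecord models what a CommServe-style database would hold for one backup:
// ciphertext only. The KMS master key is never stored here. (Hypothetical layout.)
type BackupRecord struct {
	WrappedDEK        []byte // data encryption key, RSA-OAEP encrypted with the copy's public key
	WrappedPrivateKey []byte // copy's RSA private key (PKCS#8), AES-GCM encrypted with the KMS master key
	Data              []byte // backup payload, AES-GCM encrypted with the DEK
}

// must aborts on an error; acceptable for a demo, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomKey draws n bytes from crypto/rand; a failure there is not recoverable.
func randomKey(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// NewMasterKey stands in for the master key a real KMS would create for the storage pool.
func NewMasterKey() []byte { return randomKey(32) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal returns nonce || ciphertext || tag under a 256-bit key.
func aesGCMSeal(key, plaintext []byte) []byte {
	gcm := must(newGCM(key))
	nonce := randomKey(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// aesGCMOpen reverses aesGCMSeal; a wrong key fails the GCM tag check.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated blob (%v)", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Backup builds the chain: data <- DEK <- copy RSA key pair <- KMS master key.
func Backup(masterKey, plaintext []byte) *BackupRecord {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	dek := randomKey(32)
	return &BackupRecord{
		WrappedDEK:        must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, dek, nil)),
		WrappedPrivateKey: aesGCMSeal(masterKey, must(x509.MarshalPKCS8PrivateKey(priv))),
		Data:              aesGCMSeal(dek, plaintext),
	}
}

// Restore walks the chain back; without the right master key the first step already fails.
func Restore(masterKey []byte, rec *BackupRecord) ([]byte, error) {
	privDER, err := aesGCMOpen(masterKey, rec.WrappedPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap copy private key (master key missing or wrong): %w", err)
	}
	priv := must(x509.ParsePKCS8PrivateKey(privDER)).(*rsa.PrivateKey)
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, rec.Data)
}

// RotateMasterKey re-wraps only the private key under the new KMS master key; the DEK
// and the encrypted data stay as they are. The old master key must still be usable here.
func RotateMasterKey(oldMasterKey, newMasterKey []byte, rec *BackupRecord) error {
	privDER, err := aesGCMOpen(oldMasterKey, rec.WrappedPrivateKey)
	if err != nil {
		return fmt.Errorf("old master key no longer usable: %w", err)
	}
	rec.WrappedPrivateKey = aesGCMSeal(newMasterKey, privDER)
	return nil
}
```

A typical run is Backup with the current master key, then RotateMasterKey with the old and new keys, then Restore with the new key: the old key stops working for Restore the moment rotation completes, and a rotation attempted after the old key has become unreachable fails, which is the reason the notes above require the existing KMS to remain accessible until the new one is associated.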

What To Do Next
