Solved

CommCell User password encryption algorithm

  • 22 January 2022
  • 3 replies
  • 707 views

Badge +5

Dear experts,

Currently, we are testing to pass certification exams run by government agencies.
Among the test items, there is an item related to password encryption of CommCell User.

The web documentation confirmed that SHA-256 is used.
(https://documentation.commvault.com/commvault/v11_sp16/article?p=7964.htm)
Is there a way to check which hash algorithm is used to store the password?

And can I change it to use a stronger hash algorithm like SHA384 or SHA512?
Or can I use the Adding Salt to Hashing method?

Best Regards
Kim KK


Best answer by Graham Swift 23 January 2022, 22:08


3 replies

Userlevel 4
Badge +10

Hello @KyungKee Kim,

I am not aware of a way to change the built-in algorithm we use for password encryption outside of the default.

However you can use a KMS server to manage your encryption requirements. We allow you to integrate so that anything we store in the database will use your KMS environment, using whatever that is configured to use.

https://documentation.commvault.com/11.24/expert/4801_securing_commserve_computer.html

https://documentation.commvault.com/11.24/expert/118009_configuring_key_management_server_to_secure_passwords_of_application_user_accounts.html

I would advise caution using this: if the KMS goes offline you may not be able to perform backups or restores.

Another option is to use Microsoft SQL TDE on the CommServe instance. We do support this as well. Again, as with anything external to our software, you will need to have a good process in place to ensure the security of the keys you have to create and how you would recover the SQL instance if you needed to. This will also mean that if you log a support ticket with us we will not be able to stage the database unless you share the keys with us.

Badge +5

Hello @Graham Swift,

Your comments on using KMS and Microsoft SQL TDE are very much appreciated.

Additionally, while searching for related content, I found the following:

Q) Does the CommVault software use the encryption technique of salting in key generation or passwords to access the software with “user’s password”?

A) We use randomly generated salt for password hashing

Do you have any knowledge of anything related to this?

Best Regards

Kim KK
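The thread asks three things about stored password hashes: how to tell which digest produced one, whether a longer SHA-2 variant can be used, and what "randomly generated salt" adds. The following added example illustrates those points generically; it is not Commvault's code and says nothing about how the CommServe database actually stores records. The record layout `algorithm$salt_hex$digest_hex`, the 16-byte salt length and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Digest names discussed in the thread (all SHA-2 members hashlib provides).
SUPPORTED = ("sha256", "sha384", "sha512")

# Digest length in hex characters for each supported algorithm.
_HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def hash_password(password: str, algorithm: str = "sha256",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algorithm$salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn per call unless one is supplied;
    supplying one is only meant for verification and tests. (Assumed layout,
    not a Commvault format.)
    """
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported digest: {algorithm}")
    if salt is None:
        salt = os.urandom(16)  # random salt: equal passwords get unequal hashes
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    return f"{algorithm}${salt.hex()}${h.hexdigest()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, salt_hex, _digest_hex = stored.split("$")
    recomputed = hash_password(password, algorithm, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def identify_algorithm(stored: str) -> str:
    """Name the digest behind a stored value.

    For a self-describing record the prefix answers the question directly.
    For a bare hex digest only its length narrows the choice (32, 48 or 64
    bytes for SHA-256/384/512), so the result is reported as a guess.
    """
    if "$" in stored:
        return stored.split("$", 1)[0]
    for name, length in _HEX_LEN.items():
        if len(stored) == length:
            return f"{name}? (inferred from length only)"
    return "unknown"


if __name__ == "__main__":
    rec = hash_password("correct horse", "sha512")
    print(rec)
    print("verify ok:", verify_password("correct horse", rec))
    print("algorithm:", identify_algorithm(rec))
```

Two things the block makes visible: the same password hashed twice yields two different records because the salt differs, which is exactly what a randomly generated salt buys against precomputed tables; and a bare hex digest can only be attributed to an algorithm by its length, so a record that carries the algorithm name is what actually answers the "which hash is used" question.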

Userlevel 4
Badge +10

We only have what is documented above. The only other point that may be worth mentioning would be this.