Solved

DR Backup to Public Cloud Library (S3)

  • 19 January 2022
  • 3 replies


Hello Community,

If we are using a Public Cloud Library (e.g. AWS S3) as the export destination for DR backups, how can we ensure that the DR backups are encrypted (not S3 encryption)? The idea is not to use S3 encryption because its keys are stored with AWS and they can decrypt it. Security has advised not to use cloud-native encryption.

Can we use Commvault or any third-party encryption with the DR storage policy?

If yes, can we send DR metadata in encrypted format to S3 instead of normal dumps inside the SET folder?

I am aware of the CV Cloud service, which can retain the latest 5 copies of the DR backup, but I also want to use a public cloud library for long retention of DR backups.

Regards, Mohit


Best answer by Chris Hollis 20 January 2022, 00:03



Hi @Mohit Chordia 

Unless I’m mistaken, I don’t believe it’s possible to encrypt the native export files that get copied to a staging directory as part of the DR backup process (which I’m assuming you have configured direct to cloud).

I think your best course of action would be to change the copy location to somewhere on-prem, then configure (if not already) the CommserveDR primary/secondary copies that point to the AWS cloud library with our software encryption.

Please have a read of the following:

https://documentation.commvault.com/11.24/expert/7774_configuring_software_encryption_on_storage_policy.html

Instructions on enabling encryption on primary copy can be found here: https://documentation.commvault.com/11.24/expert/7779_configuring_software_encryption_on_primary_copy.html

Follow the procedural steps outlined in the above article to see if this is already enabled or not.

Additionally, here are the supported algorithms: https://documentation.commvault.com/11.24/expert/59006_supported_algorithms_for_software_encryption.html

Please have a read and let me know if you have any questions.


Chris


@Chris Hollis 

Thank you for the reply.

If I performed the steps below, then the DR backup would be saved in CHUNKS and not as a SET (DR EXPORT). Imagine the CS is down and I need to use DR backups saved on the cloud library to rebuild my CS; would it be possible?

"change the copy location to somewhere on-prem, then configure (if not already) the CommserveDR primary/secondary copies that point to the AWS cloud library with our software encryption."

The idea of saving DR backups on the cloud library is to ensure that when the entire infrastructure is down and it is not possible to perform DR recovery using Commvault, we can quickly use the DR export saved on S3 to build a new CS in an isolated environment. I guess it is only possible when the DR is saved as an export (SET).


@Mohit Chordia 

If we couldn’t recover from the primary copy in a DR situation we wouldn’t be a very useful backup and recovery tool :) 

We have the media explorer tool: https://documentation.commvault.com/11.24/expert/43588_retrieving_disaster_recovery_dr_backups_from_cloud_storage_using_cloud_test_tool.html for this exact purpose.

“Media Explorer enables you to recover the Disaster Recovery (DR) data from tape or disk storage if the latest export copy of the DR backup metadata is not accessible from the export location.”

We can pull back the necessary chunks from the cloud, disk or tape and rebuild the data for recovery purposes. 

You could also enable DR upload to Commvault to have, in total, 4 levels of redundancy -

As per: https://documentation.commvault.com/commvault/v11_sp20/article?p=43517_1.htm


Hopefully this helps!