Encryption Aux copies with deduplication.

  • 27 April 2021
  • 3 replies


Hello friends,
I have two questions, maybe more of one statement and one question.
It’s still true that if I change the encryption in a stg policy copy it’s only new content that gets the new encryption and any older will keep the original encryption. Am I right here?

Currently we have the setting “Do not deduplicate against objects older than” 180 days enabled.
Retention for the policy is let’s say 730 days.
If we were to change the encryption for that stg policy copy, it would take 360 days before we would have no references to the “old” encryption? Or would there be jobs with the “old” encryption throughout all 730 days?

Not sure I describe the question in a good way..






Best answer by Christian Negron 27 April 2021, 15:34


Hello Henke,

>In regards to your first question; That is correct, enabling Encryption on a Storage Policy will only impact jobs going forward (not jobs previously written). In order to encrypt the old jobs as well, you would need to configure a secondary copy (with encryption enabled) and aux copy those jobs to the new storage policy copy. 

Docs for software encryption:


>As for the second question, “Do not Deduplicate against objects older than n days” is specifically to stop new jobs from referencing old unique data blocks within the dedup database itself (not what is physically written to media), reducing the possibility of drill holes. 

This pertains to if we are using the same reference pointers over time or are using new reference pointers after X amount of time. Please keep in mind, enabling this may lead to a larger space usage on the media since after X amount of time, the system will see the same data as “new”, reducing the benefits of deduping in the first place.


“Age of the Unique Deduplicated Data Block”

“The number of days that a unique data block is used as the primary reference for any new secondary blocks can now be defined in the Do not Deduplicate against objects older than option.”

Changes in V11:

Dedup FAQ:


Your question here; if enabling this setting, will it allow the older data with the old encryption to age out faster due to not referencing the previously deduped and encrypted blocks while the new data blocks now use the new encryption settings and lay down new dedup ref blocks (based on the additional setting above being enabled).


However, encryption is a media level (physically written to the library) feature. This means the jobs already written to the library will still be retained and will still have the old encryption/keys until they totally age out from the copy when retention is met. New jobs will inherit the new encryption.


I do not think the “Do not Deduplicate against objects older than” setting is applicable as this is only for creating new reference blocks in the DDB or still referencing older blocks. The actual encryption of the data is happening after the dedup process has occurred. 


Operation flow as follows: Data Read -> Data Hashed -> Deduped -> Encryption -> Write Data


So making modifications to the dedup reference blocks will not have an impact on the encrypted data on media itself. 




Is the goal to no longer have the jobs with old encryption still on media? 


What you could do to work through this situation is to create a new secondary copy with the 730 day retention (with the new encryption requirement enabled), and copy over all the older jobs that would qualify. You can then manually age the copied jobs from the original copy.

(If you have concerns on this, I would suggest raising a case with support so you can have us check and allow you to be confident in the changes being made)


This would achieve;
1. Allow all new jobs to write using the new encryption settings going forward

2. Having the old jobs acquire the new encryption settings (by being copied to a new storage policy copy) and still being retained for the same duration.




Please let me know if you find this information helpful! If you have any further questions or concerns, please feel free to reach out once more. 


Thank you @Christian - Support for the well explained answer.
I think we need to go the route of creating a new Auxcopy and path to accomplish our needs.


Happy to help!

Thank you for reaching out to the Commvault Community Forums.