Skip to main content

Hi Community,

Was exploring this setting from security point  , had few doubts.

https://documentation.commvault.com/11.24/expert/125170_encrypting_network_traffic_at_commcell_level.html

  1. Does Encrypt network traffic at the CommCell level means we are encrypting communication which is happening within Commserve ( i guess communication with CS database ) and this setting doesn't concern about the communication between CS and Media agents or Clients ? if this is not the case , what type traffic actually we are encrypting using this setting and how can i check if my current traffic within CS is not encrypted ?
  2. An real example if i dont enable this setting , what could be the possible impact to my CS .
  3. What changes will happen to my CS after enabling this settings , any impact to backups and restores , dedupe , aux copies etc ?
  4. If i enable this setting and do not perform next steps which are Enforcing and Encrypting Automatic Tunneling to clients and  encrypt backup data , does enabling this setting will make any difference from security point.
  5.  https://documentation.commvault.com/11.24/expert/143327_enforcing_and_encrypting_automatic_tunneling.html
  6. https://documentation.commvault.com/11.24/expert/7759_encrypting_backup_data.html

There’s other traffic types that are not backup and recovery related.  Think reports, viewing logs, etc.  That’s what gets encrypted at the CommCell level.  the stuff that’s not just a client to MA backup or restore.


@Mohit Chordia 

What Mike means is that not only will backup and recovery traffic be forced to use https, but any communication between the commserve and clients or media agent and clients or commserve and media agents will also be forced to use https as well.

If you are already using encryption thru the storage policy settings, this is just another layer of encryption on top of what is already configured. 


Hi Mohit, let me try the analogies below… 

===================Question #1:

Can you please confirm which data over wire are you talking about in reference to force_incoming_https key added at commserve level , is it backup recovery traffic which is from client to MA and vice-versa or only CS traffic such as reporting , send logs etc .

----------------

When the CS says to the MediaAgent... "Hello MediaAgent, are you online?" 
When the CS says to the Clients... "Hello Clients, are you online?" 
When Clients send communications to the Commserve and MediaAgent saying "I am online.", "Here is the data.", 
When the MediaAgent sends messages to the Commserve like "I've pruned archive chunks XXXXX". 

The communication is encrypted. 

==================Question #2:

I see an option to encrypt both network and media at sub client level. If i enabled encryption at Commserve (CS) level through force_incoming_https key, do i need to enable encryption only at media for sub client. considering transit encryption is taken care by force_incoming_https key which is added at CS level ?

----------------
Let's me try to put it this way... You enable force_incoming_https at the CS level. 

Sample#A
When the CS says to the MediaAgent "Hi MediaAgent are you online?" | Eg; the message is encypted over the wire... Network traffic appears as "lkasjfopiuwernsmnlvsmancojhcwjeanr". (This is just an example) | MediaAgent receives and translates "Hi MediaAgent are you online?" 

… … 
MA then response back "I'm online." | Eg; the message is encypted over the wire... Network traffic appears as "lkasjfopiuaskfjdpowierwernsmnlvsmancojhcwjeanr". (This is just an example) |  CS receives the message and decrypts "I'm online."

----------------

Sample#B
When a client backup runs,  The Clients sends Word.DOC. | Eg; the message is encrypted over the wire... Network traffic appears as "a0987241kn102jasfdh086613091aslkr". (This is just an example) | MediaAgent (MA) receives the message and decrypts and reads Word.DOC. The MA then writes to the tape Word.DOC. 

-------------
Now... if you enable encryption only at Media (in addition to the force_incoming_https at the CS level.)

Sample#C
When a client backup runs,  The Clients sends Word.DOC. | Eg; the message is encrypted over the wire... Network traffic appears as "a0987241kn102jasfdh086613091aslkr". (This is just an example) | MediaAgent (MA) receives the message and decrypts and reads Word.DOC. The MA then writes to the tape "10984lanaslflaspoidyfknwernakjshaidfhwmer". 

----------------

Paste the above in a Notepad without Wordwrap… it looks better :) 

Hope this helps. 


@Ray Han

Thank you . I guess i understand the role of this additional setting now.:slight_smile:

By adding force_incoming_https at the CS level , this will encrypt all the traffic whether it is backup recovery or anything else at transit . To enable encryption at rest , i can choose storage policy encryption.

Regards, Mohit


Hey @Mohit Chordia 

 

network traffic at the CommCell level means we are encrypting communication which is happening within Commserve ( i guess communication with CS database ) and this setting doesn't concern about the communication between CS and Media agents or Clients ? if this is not the case , what type traffic actually we are encrypting using this setting and how can i check if my current traffic within CS is not encrypted ?

This enforces encryption across all network routes, even for say, a client to a Media Agent.

 

  1. An real example if i dont enable this setting , what could be the possible impact to my CS 

Unencrypted network traffic means that somebody could ‘snoop’ on the data being transferred on the network. Since commvault chunks up data, will compress and even deduplicate it at the client side, I think it would take some serious effort to get anything usable by doing so, but we don’t leave that up to chance and provide an option to encrypt it. Encryption has a performance penalty, of course - so you can expect some performance degradation by mandating network encryption for everything.

 

  1. What changes will happen to my CS after enabling this settings , any impact to backups and restores , dedupe , aux copies etc

 

 As above - there will be a performance penalty. You can try to mitigate the impact it somewhat by increasing the number of tunnels for a network route.

 

 

  1. If i enable this setting and do not perform next steps which are Enforcing and Encrypting Automatic Tunneling to clients and  encrypt backup data , does enabling this setting will make any difference from security point.

 

If you don't have network routes set up for everything and a limited network is detected (i.e some ports are blocked), then commvault will try to tunnel all traffic using automatic tunneling. Without a network tunnel some data is not encrypted over the network - by forcing tunneling and forcing encryption, you can be sure that all network traffic will be encrypted even if you did not set network routes. If you use the enforcement of tunneling make sure port 8403 is open everywhere or communication could fail.

Without network routes the various services and executables communicate with each other on random ports, mostly without encryption. Tunneling gives you the option to encrypt all traffic.


@Damian Andre :

If i have enabled encryption at storage policy or at client/sub-client level for both network and media.

Will these settings give us something extra which the encryption settings at storage policy and sub client doesn't offer ? 


@Mohit Chordia , they are just different.  Do you want to encrypt the traffic over the network, the media itself, or both?

As @Damian Andre said, you can enable everything across the board.  the only penalty is performance.


@Mike Struening , I read the blog. I have a similar requirement to encrypt every area in the commvault like network, media and data at transit and rest.

 

Media and data - if the the storage policy has encryption enabled I assume this is covered. 

Enabling encryption at the commcell - what are the additional consideration which we will have to look for . Please suggest.

 

 


@Commvualt Team ABB , setting this option here will force all traffic over https:

https://documentation.commvault.com/11.24/expert/125170_encrypting_network_traffic_at_commcell_level.html

Other than the expected performance drop due to https being a more complex protocol, you shouldn’t expect any further complications.


@Commvualt Team ABB @Mike Struening 

If i have enabled encryption at storage policy level. Why should i enable this setting at CommCell Level.

Do i have any advantages which Iam not getting by enabling encryption at storage policy layer ?

@Mike Struening You are saying that --

setting this option here will force all traffic over https:

What is this all traffic apart from backups and recovery traffic which we are encrypting by enabling encryption at storage policy level ? 


@Mike Struening @HolowEd 

Thanks for the reply .

Question →

If i don't enable encryption at storage policy or at client or at sub client level and just enable mandateEncryption at CommCell level by adding this additional setting. Does that mean all my traffic (backup,recovery,reporting,logs) etc is encrypted by adding this one setting at CS level ? If yes do i get an option similar to what we get at client or storage policy level to choose which type of encryption i want to implement and where to store my keys .

 

Screenshot from Client 

 


@Mohit Chordia , I think you’re seeing the difference right there.  CommCell level is for CommCell actions, so you don’t get many options.

If you want to specify a protocol for backup traffic, etc. then that’s the function you get at the client/SP level.

They aren’t the same thing at different levels, they are also encrypting different types of activity.


@Mike Struening 

Thanks for the reply . Iam summarizing my understanding below . Let me know i got it right -

  1.  If i added mandate encryption additional settings at CommCell level , this has nothing to do with backup recovery traffic . It only concerns with reporting , logs etc.
  1. There will not be any performance impact on backup and recovery by enabling mandate encryption additional settings since this settings doesn't deal with backup and recovery traffic from client to MA and vice versa ? 
  1. If i have to enable encryption for backup and recovery traffic , it has to be done at storage policy or client level . If i enable mandate encryption setting at CommCell level and don't enable encryption at client or storage policy layer my backup recovery traffic will never be encrypted .

Regards, Mohit


@Mohit Chordia There seems to be a bit of confusion. Allow me to try to clarify…

--------------------Response to “a”...

If you add the force_incoming_https key, this merely encrypts the data over the wire. At the receiving end, the information is then decrypted and the action performed. 

As mentioned here: https://documentation.commvault.com/11.24/expert/125170_encrypting_network_traffic_at_commcell_level.html

You can encrypt network traffic … 

When you are setting encryption at the Storage Policy, this means that the data written to your storage device remains encrypted at the Storage device eg; tape. 

--------------------Response to “2”.

Performance will degrade if/when encryption is enabled at any level. It just takes longer to process. Weather it be restore or backups, the process will appear slower. 

--------------------Response to “3”

The Commvault suite allow for encryption actions from the top (forcing the same to the lower entities), or from a granular level. If your site is internal and secure, you may want to forgo applying encryption internally to avoid the degradations mentioned. If you had machines that would go out to a DMZ or public, you may want to enable encryption for specific machines so as to make it harder for a breach. 

Understand that traffic encryption is not the same as when the data written to tape is encrypted. 

Hope this helps. 

 


@Ray Han summarized it well.  The CommCell level is just different than what you get at the other levels.  You DO get backup traffic encryption, along with other activity as well.  The various leveling options allow you to be specific in where you enforce encryption, and how.


@Mohit Chordia There seems to be a bit of confusion. Allow me to try to clarify…

--------------------Response to “a”...

If you add the force_incoming_https key, this merely encrypts the data over the wire. At the receiving end, the information is then decrypted and the action performed. 

As mentioned here: https://documentation.commvault.com/11.24/expert/125170_encrypting_network_traffic_at_commcell_level.html

You can encrypt network traffic … 

When you are setting encryption at the Storage Policy, this means that the data written to your storage device remains encrypted at the Storage device eg; tape. 

--------------------Response to “2”.

Performance will degrade if/when encryption is enabled at any level. It just takes longer to process. Weather it be restore or backups, the process will appear slower. 

--------------------Response to “3”

The Commvault suite allow for encryption actions from the top (forcing the same to the lower entities), or from a granular level. If your site is internal and secure, you may want to forgo applying encryption internally to avoid the degradations mentioned. If you had machines that would go out to a DMZ or public, you may want to enable encryption for specific machines so as to make it harder for a breach. 

Understand that traffic encryption is not the same as when the data written to tape is encrypted. 

Hope this helps. 

 

@Ray Han

Thanks for the reply -- 

--------------------Response to “a”...

If you add the force_incoming_https key, this merely encrypts the data over the wire. At the receiving end, the information is then decrypted and the action performed. 

Can you please confirm which data over wire are you talking about in reference to force_incoming_https key added at commserve level , is it backup recovery traffic which is from client to MA and vice-versa or only CS traffic such as reporting , send logs etc .

 

When you are setting encryption at the Storage Policy, this means that the data written to your storage device remains encrypted at the Storage device eg; tape. 

I see an option to encrypt both network and media at sub client level. If i enabled encryption at CS level through force_incoming_https key, do i need to enable encryption only at media for sub client. considering transit encryption is taken care by force_incoming_https key which is added at CS level ?

 

 

 Do you mean that i can encrypt my entire backup environment by performing two actions :

  1.  Add force_incoming_https key at CS level -- This will encrypt all my data in transit whether it is backup/recovery or any other traffic.
  2. Storage policy encryption -- to enable encryption at rest.

I understand the performance penalty which encryption will cost.