Question

Encryption questions

Forum|Forum|3 months ago
August 12, 2025
5 replies
46 views

+12

0ber0n
Byte

Hi Teams,

Something's confusing me, and I'd like to clarify. I see that encryption is enabled in the subclient configurations as "Network and Media (Agent Side).

The following explanation explains this: When selected, for backup operations, data is encrypted before transmission and stored encrypted on the media. During restore operations, data is decrypted by the client.
https://documentation.commvault.com/2023e/expert/advanced_subclient_properties_encryption.html

Encryption can also be enabled/disabled at the storage pool level. If I don't enable encryption at the storage pool level, won't Commvault still be considered to have encrypted the data as it's written?

What's the difference between these two?

Is data encrypted on the fly, and is the line between the Media Agent and the client secure?

+9

Jon Vengust
Vaulter
Forum|Forum|3 months ago
August 13, 2025

Hi 0ber0n,

When encryption is enabled at the storage pool level, the primary copy should automatically inherit the encryption settings set at the storage pool.

However, if encryption is not configured at the storage pool level (which it isn’t in your scenario), the backup will reference the encryption settings defined at the client/subclient level instead if applicable.

It’s a matter of hierarchy when it comes to which encryption rules the backup follows.

Like

0

+12

0ber0n
Author
Byte
Forum|Forum|3 months ago
August 13, 2025

Hi @Jon Vengust

Thanks for the information.

Is data encrypted on the fly, and is the line between the Media Agent and the client secure?

Like

+9

Jon Vengust
Vaulter
Forum|Forum|3 months ago
August 13, 2025

Hi 0ber0n,

What do you mean is data encrypted on the fly? Data is encrypted and decrypted when a write or read request is made by an eligible operation (whether on-demand or scheduled).

Regarding data in transit (sent over the network), it is managed and secured using TLS 1.2 connections.