Solved

Is it encrypted or not?

  • 5 May 2023
  • 3 replies
  • 160 views


So, I’m confirming whether or not I have encrypted backup data in my inherited environment.

I’ve run the reports at:
https://documentation.commvault.com/11.24/expert/7865_data_encryption_reports.html

and not seen anything indicating encrypted backups (hardware or software).  Specifically, nothing with the superscript “e1” on the Storage Information report or “E” on the “Jobs in Storage Policy Copy” report. 

 

I’ve followed this useful link:

… to find:

Ok.  Go to the global dedup policy:
 

This suggests that I’m NOT encrypted.  

 

However, if I go to one of the clients, I see:

 

Looking at the help file for this dialog, I see:
 

 

The reports and policies seem to indicate that nothing’s encrypted at rest.  The client states that the data’s encrypted over the wire and on media somewhere.  

 

Which one is correct? =)


Best answer by Damian Andre 6 May 2023, 02:20


Userlevel 7
Badge +21

Hi @roc_tor,

Love this post - great detail!

Encryption works in a hierarchy so you can have very granular control over what gets encrypted. The setting on the client there allows you to opt out of encrypting data on that client - however, encryption will not occur unless you have configured it on the copy or DDB level. As you can see, there is no setting for the cypher and key length on the client level - so that all has to be configured elsewhere.

DDB is the highest level, and will encrypt all data associated with the DDB - i.e. you can have multiple storage policies linked to the same DDB, and all of those will be encrypted.

The next level down is encryption on the storage policy level, allowing you granular control for data going to that single storage policy - say if you want one storage policy encrypted but another not.

The client settings give you an option to override both, say you want all data in the storage policy encrypted, except for that one client. I believe there is yet another level on the subclient as well.

So in your case, the report is right, there is no encryption occurring at rest, and you need to decide if you want to encrypt all blocks associated with the DDB by default, or just singular storage policies.

Badge +6

Great!  Thank you very much for the quick lesson.  

 

So that leads to another question:  I turn on encryption at the Dedupe level.  Thus, blocks are now encrypted.  This would mean ALL the blocks are now different, yes?  Which means... I’m effectively doubling all the blocks in the dedupe and disk libraries until this new paradigm takes over and the old data ages out, yes?

Badge +6

Answer:  It’ll start to encrypt from this day forward.  That which was unencrypted before will stay that way and be aged out, as I thought.  But anything new will be encrypted.  Realistically - “new”, in incrementals, is new data anyway.  Can’t wait to see what happens with the Synthetic Fulls...

 

https://documentation.commvault.com/2022e/expert/7766_configuring_software_encryption_on_client.html

 

Note:

  • “Deduplication happens before data encryption. If different client computers with encryption enabled and encryption disabled use the same deduplication enabled storage policy, then the backup data from encryption enabled client computer may refer to the already backed up and unencrypted data. In such case, not all the data that is referenced by the encryption enabled client computer is actually encrypted on the disk. Encryption must be enabled on all the client computers from the beginning to ensure that all backup data is encrypted.”

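The documentation note quoted in the last reply, as an added toy model (not Commvault code and not part of the original thread): because the dedup lookup runs before encryption, a job with encryption enabled can end up referencing blocks that an earlier unencrypted job already stored. The `DedupStore` class, the client names and the sample blocks are all constructed for illustration and do not reflect Commvault's on-disk format.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DedupStore:
    """Toy block store; signatures are taken on plaintext, before encryption."""
    blocks: dict = field(default_factory=dict)  # signature -> stored encrypted?
    refs: dict = field(default_factory=dict)    # client -> referenced signatures

    def backup(self, client, data_blocks, encrypt):
        """Run one backup job and return how many new blocks were written."""
        written = 0
        for block in data_blocks:
            sig = hashlib.sha256(block).hexdigest()  # dedup lookup comes first
            if sig not in self.blocks:
                # Only a block that is new to the store gets this job's setting.
                self.blocks[sig] = encrypt
                written += 1
            # A known block is only referenced; its stored form is unchanged.
            self.refs.setdefault(client, []).append(sig)
        return written

    def plaintext_refs(self, client):
        """Signatures this client references that sit unencrypted on disk."""
        return [s for s in self.refs.get(client, []) if not self.blocks[s]]


def demo():
    store = DedupStore()
    os_image = [b"kernel", b"libc", b"shell"]  # constructed sample blocks
    # An unencrypted client backs up first, then an encrypted one shares blocks.
    store.backup("legacy-client", os_image, encrypt=False)
    new = store.backup("secure-client", os_image + [b"payroll.db"], encrypt=True)
    return new, store.plaintext_refs("secure-client")


if __name__ == "__main__":
    new, exposed = demo()
    print(f"new blocks written: {new}; plaintext blocks referenced: {len(exposed)}")
```

In this model, an audit of an encryption-enabled client has to check the stored state of every block it references, not only the client's own setting.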