Restore and key management for hardware (Tape Drive) based encryption

  • 18 March 2021
  • 3 replies

Userlevel 2
Badge +8


If we encrypt our backup data by using hardware (tape drive) encryption, I wonder 

  1. Is the encryption dependent on the tape drives which perform the hardware encryption ?
  2. If the tape drives fail, will encrypted backup jobs become un-restorable from any replacement tape drives ?
  3. Will there be an encryption key needed for this type of encryption ?
  4. Who will manage the encryption key ? Commvault or tape drives or the tape library ?
  5. Is the key needed for restore each jobs from an encrypted backup job from the tapes ?



Best answer by Mike Struening RETIRED 19 March 2021, 15:17

View original

3 replies

Userlevel 7
Badge +23

@Keerthana SP 

Here’s your answers:

  1. Drives do the encryption but the library does the management of encryptions keys
  2. No, as long as its replaced with a drive that supports that encryption, library does key management
  3. If you’re going with the hardware vendor, everything is done through them
  4. Vendor/Tape Library
  5. Yes
Userlevel 2
Badge +8

Hi Mike,


What if the whole tape library goes down ? Will that make all encrypted data un-recoverable ?

I’d feel a bit more comfortable if the key can be managed by Commvault, even if it is a hardware based encryption…

According to the manual, it seems that key managed by Commvault is an option, provided that we don’t enable hardware vendor license for key management ?




Userlevel 7
Badge +23

@Kelvin , that is correct.  You can utilize CV to do all of the encryption for you.

Losing the hw keys is definitely going to result in a bad day.  Many customers keep the keys on a usb key, though you don’t want to lose that for the same reasons!

Depending on the vendor, things differ though so it’s best to see what your own vendor offers.