Question

Encryption behavior when performing tape out from encrypted HPE StoreOnce Store

Forum|Forum|15 days ago
February 6, 2026
3 replies
31 views

+16

Nikos.Kyrm
Community All Star

Hi everyone,

I asked Arlie about encryption handling when doing auxiliary copy (tape-out) from an encrypted HPE StoreOnce Catalyst Store https://support.hpe.com/hpesc/public/docDisplay?docId=sd00003761en_us&page=GUID-6D031310-DD0A-46AC-96E5-3B3F843EEA63.html.

According to Arlie, if the tape storage policy copy is set to "Preserve encryption mode as in source" (the default), the encrypted backup data from StoreOnce should remain encrypted when written to tape—no decryption/re-encryption needed.

However, I'm opening this thread for real-world confirmation from folks running this in production. Does the encryption truly persist end-to-end from StoreOnce to tape in a real scenario? For the HPE MSL G3 tape library (which supports hardware encryption via encryption stick), is the StoreOnce software encryption sufficient on its own, or are there best practices requiring the hardware encryption stick to be enabled?

Looking for experiences and best practices on whether the StoreOnce encryption carries over cleanly without needed hardware tape encryption.

Appreciate any practical experiences from your setups!

Best regards,
Nikos

+27

Damian Andre
Vaulter
Forum|Forum|2 days ago
February 19, 2026

Hey @Nikos.Kyrm,

Trying to get confirmation on this but HPE has its own format for writing and encrypting data. We hand over our data and there is some blackbox magic that HPE uses to store and encrypt it.

In that regard, I do not think we can read HPE data as encrypted and pass that directly to the tape, since it would not be in our format. I believe the HPE device would give us the unencrypted data stream and we’d have to re-encrypt that either through hardware or software methods.

Like

+16

Nikos.Kyrm
Author
Community All Star
Forum|Forum|2 days ago
February 20, 2026

Hello @Damian Andre and all,

I just received a super useful detailed analysis from Viniss, Commvault technical support:

------------------------------------------------------------------------------------------------------------------------

If StoreOnce native (hardware) encryption is enabled, data is encrypted at rest on StoreOnce.

https://documentation.commvault.com/11.40/commcell-console/best_practices_for_hpe_storeonce_catalyst_library.html

However, when data is copied out to tape (auxiliary copy), the encryption does not automatically persist end-to-end unless tape encryption is also enabled.

The data sent to tape is decrypted by StoreOnce and then written to tape according to the tape library’s encryption settings.
If tape hardware encryption is not enabled, the data on tape will be unencrypted even if it was encrypted on StoreOnce.

Best Practices: Tape Encryption
HPE MSL G3 Tape Library (with encryption stick):

To ensure data is encrypted on tape, enable hardware encryption on the tape library.
The encryption stick (hardware key management) must be enabled/configured for tape hardware encryption to function.
This is the recommended and supported method for tape encryption, as it provides strong security and compliance.
https://documentation.commvault.com/v11/commcell-console/hardware_encryption.html

https://documentation.commvault.com/v11/commcell-console/comparison_of_software_and_hardware_encryption.html

StoreOnce Software Encryption:

StoreOnce software encryption only protects data at rest on StoreOnce.
It does not provide end-to-end encryption for tape out unless tape hardware encryption is also enabled.

Commvault Software Encryption:

If you require end-to-end encryption and cannot use tape hardware encryption, you may enable Commvault software encryption for the auxiliary copy to tape.
However, best practice is to use hardware encryption on tape for performance and compliance.

------------------------------------------------------------------------------------------------------------------------

Hope this helps!

Best regards,
Nikos