The auditors want to see if my backups are encrypted and I’m not sure where to go in the CommVault GUI to show that. I don’t see anything about encryption in the properties for my storage libraries or my storage policies. Where do I show whether or not my backups are encrypted?
Umm, @Aplynx, thank you for that. The auditors are asking for a screen capture showing the configuration when encryption is either set or not set. The reports show my backups are not encrypted but that’s not what the auditors are asking for.
Ken
There are multiple places where encryption can be enabled using hardware or software.
@Aplynx I’m confused. When I go into Home > Control Panel > System > Encryption, the “Encrypt Data” option is not selected. When I right click on a client > properties > Advanced > Encryption, the “Encrypt Data” option is not selected. When I go into Policies > Storage Policies > select a storage policy > right-click on a copy within > Properties > Advanced, the “Encrypt Data” option is unchecked (and greyed out). When I go into Storage Resources > right-click on a deduplication engine > Properties > Advanced, the “Encrypt Data in primary copy” is not selected. So far, everything indicates my backups are not encrypted.
But if I go to a client > agent > backupset > right-click on a subclient > Properties > Advanced > Encryption, the selected option is “Network and Media (Agent Side)”.
So … I’m not clear. What is it that’s being encrypted at the subclient level?
Ken
The help for this page says:
Network and Media (Agent Side)
When selected, for backup operations, data is encrypted before transmission and is stored encrypted on the media.
@Ken_H, there are a few places you can set encryption, and a few ways to have it done.
You can encrypt at the Storage Policy level, or client level, or more.
When you set encryption up, you have a few options:
Media Agent side - encrypts on library, but not when sending data over the network
Network and Media - Encrypts what is sent over the network AND on the media as well
Network only - Encrypts what is sent over the network, but not on the media
Essentially, what you are seeing in your browsing is that there are multiple ways to encrypt data and multiple levels to apply it at.
Sounds like you have it at the subclient level and are encrypting what is sent over the network AND on the library/media.
So even though the reports identified by @Aplynx show the backups as not being encrypted, because all the subclients are set to “Encryption: Network and Media”, then my backups _are_ encrypted?
Ken
@Ken_H, I just noticed something on this page.
Do you have it on the client itself? The subclient level is a further level to enable/disable, but the client needs it enabled as well.
Hey @Ken_H, sorry about the delayed reply (was ooo).
So it looks like your subclient has it enabled, but the Client itself is saying “ask the Storage Policy” which has it disabled:
When I go into Policies > Storage Policies > select a storage policy > right-click on a copy within > Properties > Advanced, the “Encrypt Data” option is unchecked (and greyed out).
You can change it in either place, and then run a full to see the encryption take place.
Hello, I have a very similar question about encryption. And a little bit of confusion in my head ;)
The options at the client level and the storage policy level suggest that it is only about data encryption on the media (because we can choose whether the keys are to be on the media or not). Does this also apply to network transmission encryption? If so, the "direct media access" options are a little confusing… maybe they do not apply?
Will data be encrypted? Will data transmission be encrypted?
2. subclient level: "Network Only" option checked; client level: encrypt data with following settings: via media password or no access (doesn’t matter); storage policy: encryption disabled
will data be encrypted, will data transmission be encrypted?
3. subclient level: "Network and Media" option checked (default); client: encryption disabled; storage policy: encryption disabled; but! the client is connected via Network Topology with the option "encrypt network traffic" enabled
Will the data transmission be encrypted?
How to check if transmission between backup client and backup server/media agent is encrypted?
I had another question relating to encryption: because Commvault anyway stores data in its own proprietary format, even if a person were to take a copy of the data, how would he/she be able to make sense of the data without access to the same CommServe database?
Hello, I have a very similar question about encryption. And a little bit of confusion in my head ;)
The options at the client level and the storage policy level suggest that it is only about data encryption on the media (because we can choose whether the keys are to be on the media or not). Does this also apply to network transmission encryption? If so, the "direct media access" options are a little confusing… maybe they do not apply?
Will data be encrypted? Will data transmission be encrypted?
2. subclient level: "Network Only" option checked; client level: encrypt data with following settings: via media password or no access (doesn’t matter); storage policy: encryption disabled
will data be encrypted, will data transmission be encrypted?
3. subclient level: "Network and Media" option checked (default); client: encryption disabled; storage policy: encryption disabled; but! the client is connected via Network Topology with the option "encrypt network traffic" enabled
Will the data transmission be encrypted?
How to check if transmission between backup client and backup server/media agent is encrypted?
Let me see if I can answer this (and I may split this into its own thread for better tracking):
The network ‘send’ will be encrypted, but not the media.
The client backup data will encrypt on the client end for any Storage Policy with encryption enabled.
Yes
You can run a Job Summary report for the jobs and any encrypted job will show an ‘E’.
The best page to get a fuller understanding is the first landing page here. Essentially you set it at the Storage Policy level, then filter on or off per client and subclient (because you may want only some clients within a SP, and only some subclients within a Client):
You can configure default software encryption settings at global level that are applied to the new storage policies and storage policy copies. For more information, see Configuring Global Level Software Encryption Settings.
You can configure software encryption for different entities in a CommCell environment.
Configure encryption on a storage policy to protect the data. You can opt to use third party encryption. Also, you can configure different settings for the primary copy and the secondary copy.
The client computer uses the encryption settings of the storage policy that the client is associated with. You can configure different settings for the client or opt not to encrypt the data.
Configure to use one of different encryption options where the encryption settings of the client are used to protect the data. You can also opt not to encrypt the data.
Configure encryption to encrypt data on the source computer, to encrypt replicated data across the network to the destination computer, and to decrypt data on the destination computer.
Please check this video for a detailed explanation wrt encryption in Commvault.
Hello!
Is there any way to calculate the extra CPU overhead to MAs, after enabling encryption?
By default, there is no overhead on the MA as the encryption and decryption is taking place on the client. In addition, if supported, it will take advantage of the ability to offload these tasks to the CPU.