How to show if my backups are encrypted


Userlevel 4
Badge +15

The auditors want to see if my backups are encrypted and I’m not sure where to go in the CommVault GUI to show that.  I don’t see anything about encryption in the properties for my storage libraries or my storage policies.  Where do I show whether or not my backups are encrypted?

Ken

Best answer by Mike Struening RETIRED 27 July 2021, 17:20

17 replies

Userlevel 6
Badge +13

These reports will indicate encryption:

 

Data Encryption - Reports (commvault.com)

Userlevel 4
Badge +15

Umm, @Aplynx, thank you for that.  The auditors are asking for a screen capture showing the configuration when encryption is either set or not set.  The reports show my backups are not encrypted but that’s not what the auditors are asking for.

Ken

Userlevel 6
Badge +13

There are multiple places where encryption can be enabled using hardware or software.

 

Encrypting Backup Data (commvault.com)

Userlevel 4
Badge +15

@Aplynx I’m confused.  When I go into Home > Control Panel > System > Encryption, the “Encrypt Data” option is not selected.  When I right click on a client > properties > Advanced > Encryption, the “Encrypt Data” option is not selected.  When I go into Policies > Storage Policies > select a storage policy > right-click on a copy within > Properties > Advanced, the “Encrypt Data” option is unchecked (and greyed out).  When I go into Storage Resources > right-click on a deduplication engine > Properties > Advanced, the “Encrypt Data in primary copy” is not selected.  So far, everything indicates my backups are not encrypted.  

But if I go to a client > agent > backupset > right-click on a subclient > Properties > Advanced > Encryption, the selected option is “Network and Media (Agent Side)”.

So … I’m not clear.  What is it that’s being encrypted at the subclient level?

Ken

Userlevel 4
Badge +15

 

 

The help for this page says: 

Network and Media (Agent Side)

When selected, for backup operations, data is encrypted before transmission and is stored encrypted on the media.

Userlevel 7
Badge +23

@Ken_H , there are a few places you can set encryption, and a few ways to have it done.

You can encrypt at the Storage Policy level, or client level, or more.

When you set up encryption, you have a few options:

  • Media Agent side - encrypts on library, but not when sending data over the network
  • Network and Media - Encrypts what is sent over the network AND on the media as well
  • Network only - Encrypts what is sent over the network, but not on the media

Essentially, what you are seeing in your browsing is that there are multiple ways to encrypt data and multiple levels to apply it at.

Sounds like you have it at the subclient level and are encrypting what is sent over the network AND on the library/media.

Userlevel 4
Badge +15

So even though the reports identified by @Aplynx show the backups as not being encrypted, because all the subclients are set to “Encryption: Network and Media”, then my backups _are_ encrypted?  

Ken

Userlevel 7
Badge +23

@Ken_H , I just noticed something on this page.

Do you have it on the client itself?  The subclient level is a further level to enable/disable, but the client needs it enabled as well.

https://documentation.commvault.com/commvault/v11_sp20/article?p=7769.htm

Userlevel 4
Badge +15

The client is set to Use Storage Policy Settings

 

Userlevel 7
Badge +23

Hey @Ken_H , sorry about the delayed reply (was ooo).

So it looks like your subclient has it enabled, but the Client itself is saying “ask the Storage Policy” which has it disabled:

 When I go into Policies > Storage Policies > select a storage policy > right-click on a copy within > Properties > Advanced, the “Encrypt Data” option is unchecked (and greyed out).

You can change it in either place, and then run a full to see the encryption take place.

Userlevel 1
Badge +4

Hello,
I have a very similar question about encryption. And a little bit of confusion in my head ;)

The options at the client level and the storage policy level suggest that it is only about data encryption on the media (because we can choose whether the keys are to be on the media or not). Does this also apply to network transmission encryption? If so, the "direct media access" options are a little confusing… maybe they do not apply?

What then will be effectively done when:

1. subclient level : "Network and Media" option checked (default)
    client: encryption disabled
    storage policy: encryption disabled

Will data be encrypted? Will data transmission be encrypted?

2. subclient level : "Network Only" option checked
    client level: encrypt data with following settings: via media password or no access (doesn’t matter)
    storage policy: encryption disabled

will data be encrypted, will data transmission be encrypted?

3. subclient level : "Network and Media" option checked (default)
    client: encryption disabled
    storage policy: encryption disabled
    but! the client is connected via Network Topology with the option "encrypt network traffic" enabled

Will the data transmission be encrypted?

How to check if transmission between backup client and backup server/media agent is encrypted?

 

 

Userlevel 2
Badge +8

I had another question relating to encryption: because Commvault anyway stores data in its own proprietary format, even if a person were to take a copy of the data, how would he/she be able to make sense of the data unless they have access to the same CommServe database?

 

Userlevel 7
Badge +23

Hello,
I have a very similar question about encryption. And a little bit of confusion in my head ;)

The options at the client level and the storage policy level suggest that it is only about data encryption on the media (because we can choose whether the keys are to be on the media or not). Does this also apply to network transmission encryption? If so, the "direct media access" options are a little confusing… maybe they do not apply?

What then will be effectively done when:

1. subclient level : "Network and Media" option checked (default)
    client: encryption disabled
    storage policy: encryption disabled

Will data be encrypted? Will data transmission be encrypted?

2. subclient level : "Network Only" option checked
    client level: encrypt data with following settings: via media password or no access (doesn’t matter)
    storage policy: encryption disabled

will data be encrypted, will data transmission be encrypted?

3. subclient level : "Network and Media" option checked (default)
    client: encryption disabled
    storage policy: encryption disabled
    but! the client is connected via Network Topology with the option "encrypt network traffic" enabled

Will the data transmission be encrypted?

How to check if transmission between backup client and backup server/media agent is encrypted?

 

 

Let me see if I can answer this (and I may split this into its own thread for better tracking):

  1. The network ‘send’ will be encrypted, but not the media.
  2. The client backup data will encrypt on the client end for any Storage Policy with encryption enabled
  3. Yes

You can run a Job Summary report for the jobs and any encrypted job will show an ‘E’.

The best page to get a fuller understanding is the first landing page here.  Essentially you set it at the Storage Policy level, then filter on or off per client and subclient (because you may want only some clients within a SP, and only some subclients within a Client):

https://documentation.commvault.com/commvault/v11_sp20/article?p=105324.htm

Configuring Software Encryption

You can configure default software encryption settings at global level that are applied to the new storage policies and storage policy copies. For more information, see Configuring Global Level Software Encryption Settings.

You can configure software encryption for different entities in a CommCell environment.

CommCell Entity - Configuration

  • Configuring Software Encryption on a Storage Policy - Configure encryption on a storage policy to protect the data. You can opt to use third party encryption. Also, you can configure different settings for the primary copy and the secondary copy.
  • Configuring Software Encryption on a Client - The client computer uses the encryption settings of the storage policy that the client is associated with. You can configure different settings for the client or opt not to encrypt the data.
  • Configuring Software Encryption on a Subclient or an Instance - Configure to use one of different encryption options where the encryption settings of the client are used to protect the data. You can also opt not to encrypt the data.
  • Configuring Software Encryption on a Replication Set - Configure encryption to encrypt data on the source computer, to encrypt replicated data across the network to the destination computer, and to decrypt data on the destination computer.

Userlevel 1
Badge +4
Mike Struening - thank you for clarifications!!!

Badge

Please check this video for a detailed explanation wrt encryption in commvault.

 

Userlevel 2
Badge +12
Hello!
Is there any way to calculate the extra CPU overhead to MAs, after enabling encryption?
Userlevel 7
Badge +19

By default, there is no overhead on the MA as the encryption and decryption is taking place on the client. In addition, if supported, it will take advantage of the ability to offload these tasks to the CPU. 
