What is the proper process for changing KMS servers for backups? (Built-in to Azure Key Vault)

Badge +2

Currently our client is using the built-in KMS server which stores encryption keys in the Commvault Database. As far as I can find, there is no way to extract these keys.

We are looking to transition to Azure Key Vault for storing these keys. It is very easy to change the KMS server, but in theory this would leave us unable to access the previous backups as we technically do not have access to those keys for decryption.

I have searched this extensively and there is no documentation for this (confirmed via Commvault support phone call). What is the proper process for changing the KMS server on a backup location, particularly the built-in KMS server over to a third-party, without losing access to backups?


I did find 1 forum post stating this “just works”, but I need to provide some kind of concrete answer for my higher-ups to be happy.


Thank you in advance!


Best answer by Emils 11 July 2023, 02:34

View original

2 replies

Userlevel 4
Badge +12

Hi @Virtuas Jake 

Thanks for reaching out. I’ve reviewed the documentation and it mentions:


If you enabled third-party key management server on a deduplicated storage policy or copy, do not delete the third-party key associated with the deduplicated storage policy because for deduplicated data, the data blocks are referenced by multiple jobs. For more information, see How Deduplication Works.

If the key is deleted, the data associated with the deduplicated storage policy or copy will not be recoverable. In this situation, you need to create a new storage policy or copy and re-associate all subclients to new storage policy. For instructions on re-association, see Associating Subclients to a Different Storage Policy.


So as long as the original keys are kept the old backups will remain as is.


Badge +1

Hi @Virtuas Jake,


  1. Create the new Azure Key vault KMS from Commvault control panel.
  2. Go to copy property and change the KMS from Built-in to newly created key vault KMS.
  3. All existing DEK (data encryption key) will be encrypted using the new key from Key Vault.
  4. There will be no impact on existing data (dedupe, non-dedupe). You can restore existing data.


To answer your query, currently there is no way to export keys from Built-in because you need not to export keys to change KMS.