Hey @Mohit Chordia, hope all is well!
Much of it is spelled out here:
https://documentation.commvault.com/11.25/expert/7764_software_encryption.html
Depending on what you have set, you are either encrypting before the data is sent over the network, on the media itself, or both.
Software encryption can be configured at the following levels:
- Client (for backups)
  Encryption on client allows you to select which encryption cipher to use and where keys are stored. Encryption keys are stored in the CommServe database and optionally on the media itself.
- Subclient (for backups)
  Encryption on subclient allows users to select if and where encryption is performed for the subclient data.
- Replication Set (for ContinuousDataReplicator)
  Encryption on replication set allows you to protect replicated data as it transits the network.
- Storage Policy Copy (for backups and auxiliary copy operation)
  Encryption on primary copy allows you to select which encryption cipher to use and where keys are stored for all the clients/subclients associated with it.
  Encrypting data during auxiliary copy operations allows backup operations to run without the processing overhead of encryption. Encryption performed during an auxiliary copy operation is performed at the source MediaAgent. This provides transmission path security.
Decryption of the encrypted data will occur:
- At the client during restore
- On the source MediaAgent during synthetic full (decrypted or re-encrypted automatically)
- On the source MediaAgent during auxiliary copy of deduplicated data (re-encryption on the source MediaAgent is an option requiring the auxiliary encryption license)
- On the source MediaAgent during auxiliary copy if re-encryption is selected (decrypted, then re-encrypted with the selected algorithm)