Solved

Encryption Question

  • February 10, 2022
  • 1 reply
  • 2419 views

Mohit Chordia

When encryption is enabled on a storage policy, client, or subclient:

Is the data encrypted on the source clients, with the encrypted data then transferred over the network and stored as is in the backup library, OR is the unencrypted data transferred over the network, with encryption happening on the media agent side before the data is stored in the library?


Best answer by Mike Struening RETIRED

Hey @Mohit Chordia, hope all is well!

Much of it is spelled out here:

https://documentation.commvault.com/11.25/expert/7764_software_encryption.html

Depending on what you have set, you are either encrypting before the data is sent over the network, on the media itself, or both.

Software encryption can be configured at the following levels:

  • Client (for backups)

    Encryption on client allows you to select which encryption cipher to use and where keys are stored. Encryption keys are stored in the CommServe database and optionally on the media itself.

  • Subclient (for backups)

    Encryption on subclient allows users to select if and where encryption is performed for the subclient data.

  • Replication Set (for ContinuousDataReplicator)

    Encryption on replication set allows you to protect replicated data as it transits the network.

  • Storage Policy Copy (for backups and auxiliary copy operation)

    Encryption on primary copy allows you to select which encryption cipher to use and where keys are stored for all the clients/subclients associated with it.

    Encrypting data during auxiliary copy operations allows backup operations to run without the processing overhead of encryption. Encryption performed during an auxiliary copy operation is performed at the source MediaAgent. This provides transmission path security.

Decryption of the encrypted data will occur:

  • At the client during restore

  • On the source MediaAgent during synthetic full (decrypted or re-encrypted automatically)

  • On the source MediaAgent during auxiliary copy of deduplicated data (re-encryption on the source MediaAgent is an option requiring the auxiliary encryption license)

  • On the source MediaAgent during auxiliary copy if re-encryption is selected (decrypted, then re-encrypted with the selected algorithm)
