Auxiliary Copy Operations and Encryption
The software allows encrypting data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations.
Encryption can be specified at three levels: client level (for backup), auxiliary copy level and hardware level.

Client-level encryption protects data before it leaves the computer. The data encryption keys are randomly generated per archive file. Additionally, they can be protected with a pass-phrase, which is then required for restoring the data.

Auxiliary copy-level encryption encrypts data during auxiliary copy operations, so backup operations run at full speed. Here, data encryption keys are generated per storage policy copy of the archive file: if a storage policy has multiple copies, the same archive file gets a different encryption key in each copy, and individual archive files within a copy also have different encryption keys. Note that the data encryption keys cannot be protected with a pass-phrase during auxiliary copy-level encryption.

Hardware encryption encrypts media in drives with built-in encryption capabilities, which is considerably faster than client-level or auxiliary copy (software) encryption. The data encryption keys are generated per chunk on the media, so each chunk has a different encryption key.
Data is encrypted according to the method you select when you Configure the Client for Data Encryption (client-level encryption) or Configure a Storage Policy Copy for Data Encryption (auxiliary copy-level encryption). You can select from several algorithms and key lengths, which are listed in the following table.
Data Encryption Algorithms
| Cipher | Details | Block Size | Performance Rating* | Key Length Options |
| --- | --- | --- | --- | --- |
| Blowfish | | 64 bits | 10 | 128, 256 bits |
| AES (Advanced Encryption Standard) or Rijndael | | 128 bits | 7 | 128, 256 bits |
| Serpent | | 128 bits | 8 | 128, 256 bits |
| Twofish | | 128 bits | 4 | 128, 256 bits |
| 3-DES (Triple Data Encryption Standard) | | 64 bits | 1.5 | 192 bits |
*This performance rating is based on performance tests for the number of megabytes encrypted per second in a Windows environment with the CommServe software. The rating is on a scale of 1-10, 10 being the fastest. Results may vary depending on testing environment.
If you need network security only, configure encryption at the client level and select Network Only. The encryption keys are randomly chosen for every session. Data is encrypted on the Client, decrypted on the MediaAgent, and the keys are discarded at the end of the session. The entire process is completely transparent: all you have to do is enable encryption and select the cipher and key length.
If you are concerned that media may be misplaced, data can be encrypted before it is written to the media, with the keys stored in the CommServe database. In this way, recovery of the data without the CommServe is impossible - not even with Media Explorer. This mode is also completely transparent: once enabled, it requires no additional activity on your part.
Additionally, encryption keys can be protected with your own pass-phrase before being stored in the database. If the database is accessed by unauthorized users, and the media is stolen, the data will still not be recoverable without the pass-phrase. This highest level of security comes at the price of having to enter the pass-phrase for every recovery operation and not being able to run synthetic full backups. But even this mode can further be customized to fit specific needs:
The Crypto Library module supports data encryption methods approved by the Federal Information Processing Standard (FIPS) as well as additional data encryption methods not approved by FIPS. To verify the method that the software is using, see Verify Data Encryption Method.
The National Institute of Standards and Technology (NIST) lists CommVault's certification among the Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules tested under the Cryptographic Module Validation Program (CMVP).
Auxiliary copy operations can be configured for encryption when configuring a storage policy copy. This capability is useful in several scenarios:
When enabled, auxiliary copy encryption will encrypt any portion of the data that has not already been encrypted during a data protection operation. If any data on the source copy is already encrypted, the software will retain that data's existing encryption, unless configured to re-encrypt the data using a different data encryption algorithm.
The following table illustrates the data encrypted with auxiliary copy encryption:
| The Storage Policy is: | Auxiliary Copy Encryption will: |
| --- | --- |
| Not encrypted | Encrypt all data. |
| Partially encrypted | Encrypt only the data that has not already been encrypted. |
| Fully encrypted | Retain existing encryption, unless configured to use a different algorithm. |
All encryption keys are supported for auxiliary copy encryption and are created on an individual basis for each data protection operation. Refer to Data Encryption for more information on encryption keys.
In some cases, other encryption methods may be preferable to auxiliary copy encryption, such as:
You can configure data encryption for an auxiliary copy operation by selecting the Encrypt Data option from the appropriate storage policy copy's Properties dialog box. The data will then be encrypted once the auxiliary copy process is initiated for that storage policy.
During an auxiliary copy operation of encrypted data, you can also configure the copy to decrypt and re-encrypt the data, using a different data encryption algorithm if required. This is useful when data has been compromised, when company policy dictates it, when data will be retained longer and therefore warrants a stronger algorithm (more bits), or, conversely, when data will be retained for a shorter time and a lighter algorithm (fewer bits) is sufficient.
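As an added illustration of the key-management scheme described above and of the auxiliary copy rules in the table (this is not code from the software or its documentation), the Python below models per-archive-file, per-copy data encryption keys kept in a constructed in-memory stand-in for the CommServe database, optional pass-phrase wrapping of those keys, and the encrypt / retain / re-encrypt decision an auxiliary copy makes. The function names are hypothetical, and HMAC-SHA256 in counter mode stands in for the product's ciphers because the standard library has no AES or Blowfish.

```python
import hashlib
import hmac
import os

KEY_DB = {}  # constructed stand-in for the CommServe database: (copy, archive file) -> key record
ITER = 200_000  # PBKDF2 iterations for the pass-phrase-derived key-encryption key

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib has no AES/Blowfish)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_archive_file(copy_id, archive_id, plaintext, passphrase=None):
    """Client- or copy-level encryption: a fresh random DEK per copy of each archive file."""
    dek, nonce, salt = os.urandom(32), os.urandom(16), os.urandom(16)
    record = {"nonce": nonce, "salt": salt}
    if passphrase is None:
        record["dek"] = dek                       # key stored as is: DB alone recovers data
    else:                                         # key wrapped: DB plus pass-phrase needed
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER)
        record["wrapped_dek"] = keystream_xor(kek, salt, dek)
        record["check"] = hmac.new(kek, b"check", hashlib.sha256).digest()[:16]
    KEY_DB[(copy_id, archive_id)] = record
    return keystream_xor(dek, nonce, plaintext)

def restore_archive_file(copy_id, archive_id, ciphertext, passphrase=None):
    """Recovery needs the DB record and, for a protected key, the correct pass-phrase."""
    record = KEY_DB[(copy_id, archive_id)]        # KeyError: no CommServe DB, no recovery
    dek = record.get("dek")
    if dek is None:
        if passphrase is None:
            raise PermissionError("pass-phrase required for this archive file")
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), record["salt"], ITER)
        expected = hmac.new(kek, b"check", hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, record["check"]):
            raise ValueError("Invalid pass-phrase specified")
        dek = keystream_xor(kek, record["salt"], record["wrapped_dek"])
    return keystream_xor(dek, record["nonce"], ciphertext)

def aux_copy(src_copy, dst_copy, archive_id, data, reencrypt=False):
    """Aux copy rule: encrypt unencrypted data, retain existing encryption, or re-encrypt."""
    if (src_copy, archive_id) not in KEY_DB:      # source not encrypted: encrypt now
        return encrypt_archive_file(dst_copy, archive_id, data)
    if not reencrypt:                             # retain existing encryption and key
        return data
    plaintext = restore_archive_file(src_copy, archive_id, data)
    return encrypt_archive_file(dst_copy, archive_id, plaintext)
```

A re-encrypted secondary copy ends up with its own key record, so losing one copy's key never exposes the other, matching the per-copy key rule stated above.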
For step-by-step instructions on configuring a storage policy for data encryption and starting the auxiliary copy, see the following:
The Auxiliary Copy Job Summary Report and Jobs in Storage Policy Copies Report will display the data that has been encrypted.
An Auxiliary Copy License is required for each MediaAgent.
Data being replicated can be encrypted between the source and destination computers.
When encryption is enabled, data is encrypted on the source computer, replicated across the network to the destination computer, and decrypted on the destination computer. Encryption for replication is specified on the Replication Set level, and applies to all of its Replication Pairs. For a given Replication Set, you can enable or disable encryption between the source and destination machines. See Configure the Replication Set for Data Encryption for step-by-step instructions.
For data encryption during a copyback/restore operation, you have to enable encryption on the computer which initiates the copyback/restore operation, in addition to enabling the encryption for a replication set. See Configure the Replication Set for Data Encryption for step-by-step instructions.
CDR on UNIX only supports the Blowfish cipher, and only a 128-bit key length.
Once you have enabled encryption functionality at the client level, there are different approaches to backing out of the functionality. You need to be aware of the behaviors that result from each approach. Refer to Change Encryption Settings.
If an exported pass-phrase was not synchronized with the last source client's pass-phrase at the time encryption was disabled (setting change from With a Pass-Phrase directly to Disabled), subsequent recovery operations may present an erroneous message "Invalid pass-phrase specified. Please check the spelling and try again". If the data you are recovering was not encrypted, this message can be ignored as the recovery will run successfully. If the data was encrypted with pass-phrase protection, you will need to provide the correct (last) source client's pass-phrase.
When you disable encryption after having exported a pass-phrase, the exported file is not deleted. To remove the file, locate the <hostname>.pf file in the <software installation path>\PF folder that is named for the source client.
If you set up the following client and subclient encryption settings and never change them, the following chart indicates when a pass-phrase is required at recovery time:
| Client Settings: Restore Access | Subclient Encryption: None | Subclient Encryption: MediaAgent Only | Subclient Encryption: Network and MediaAgent | Subclient Encryption: Network Only |
| --- | --- | --- | --- | --- |
| Disabled | N/A | N/A (except as noted; notes 1, 4, 5) | N/A (except as noted; notes 1, 4, 5) | N/A |
| Regular | N/A | Recoverable without pass-phrase (note 2) | Recoverable without pass-phrase (note 2) | Recoverable without pass-phrase |
| With a Pass-Phrase (exported to a client) | N/A | Recoverable without pass-phrase (note 3; only to a client to which the pass-phrase has been exported) | Recoverable without pass-phrase (note 3; only to a client to which the pass-phrase has been exported) | Recoverable without pass-phrase |
| With a Pass-Phrase (not exported to a client) | N/A | Pass-Phrase REQUIRED | Pass-Phrase REQUIRED | Recoverable without pass-phrase |
Auxiliary copy operations support data encryption and can be configured when you Configure a Storage Policy Copy for Data Encryption. When storage policy copies are enabled for data encryption, the encryption takes place after the data protection operation during the auxiliary copy. If you do not configure the storage policy copy for data encryption, then when you run an auxiliary copy operation, the copy assumes the settings of the primary copy, which are set when you Configure the Client for Data Encryption. Therefore, if the primary copy data is encrypted, then the auxiliary copy data will be encrypted; and if the primary copy data is not encrypted, then the auxiliary copy data will not be encrypted.
Changing the client Restore Access settings, resetting a pass-phrase or changing export settings affects encryption behaviors as follows:
Keep the following in mind when encrypting data:
If the CommServe and MediaAgent are upgraded to the current release but the Client is not, restoring data from a secondary copy whose backups were encrypted by the auxiliary copy operation is not supported until the Client is upgraded to the current release.
To verify the software and hardware encryption, create the following reports: Job Summary Report and Jobs in Storage Policy Copies Report. The reports will display the data that has been encrypted.
This feature requires a Feature License to be available in the CommServe® Server.
Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.