Use this dialog box to select data encryption options for the selected client. These settings will only impact supported agents residing on the client. Refer to Books Online for a complete listing of products that support data encryption.
Encrypt Data
When selected, enables data encryption options for the selected client.
Data Encryption Algorithm
Displays the ciphers available for data transfer.
Displays the key lengths available for the selected cipher. Note that the key length options displayed will vary according to the selected cipher.
Restore Access
This group of settings specifies CommServe encryption key management policy, i.e., how the encryption keys are stored and accessed in the CommServe database.
When selected, encryption keys are stored unlocked in the CommServe database, and encrypted data can be recovered without providing a pass-phrase. Use this mode only if you trust your CommServe and have other mechanisms to protect it from unauthorized access.
Initially enabled after selecting the Direct Media Access option Via a Pass-Phrase.
When selected, encryption keys are locked with a user-supplied pass-phrase before being stored in the CommServe database. Even if the database has been compromised, the encryption keys are still unusable without the pass-phrase. Note that in this mode encrypted data cannot be recovered without entering a correct pass-phrase.
Do not choose a trivial or one-word pass-phrase. Remember that in this mode it is the pass-phrase that defines the security of your data. The more elaborate it is, the less likely it is to be guessed by a third party.
WARNING: Loss of the pass-phrase signifies loss of all data previously protected.
If you want to recover encrypted data without having to provide the pass-phrase for every recovery operation, you can export the source computer's pass-phrase to a destination computer.
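The following is an added illustration of pass-phrase-locked key storage as described above; it is not the product's code, key format or algorithm. It assumes a 32-byte data key and uses only the Python standard library (PBKDF2 plus an HMAC check) as a stand-in for a real key-wrap; the function names and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumed work factor, not a product setting


def _derive(passphrase, salt):
    """Stretch the pass-phrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _tag(mac_key, record_salt, wrapped):
    return hmac.new(mac_key, record_salt + wrapped, hashlib.sha256).digest()


def lock_key(data_key, passphrase):
    """Build the record stored in place of the raw 32-byte data key."""
    if len(data_key) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    salt = os.urandom(16)  # fresh per record, so a pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(mac_key, salt, wrapped)}


def unlock_key(record, passphrase):
    """Return the data key; raise ValueError on a wrong pass-phrase."""
    pad, mac_key = _derive(passphrase, record["salt"])
    expected = _tag(mac_key, record["salt"], record["wrapped"])
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong pass-phrase or altered record")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    rec = lock_key(key, "a long, multi-word pass-phrase")
    print(unlock_key(rec, "a long, multi-word pass-phrase") == key)
    try:
        unlock_key(rec, "guess")
    except ValueError as err:
        print("locked:", err)
```

A copy of the stored record alone does not yield the key, but it does let its holder test pass-phrase guesses offline, which is why a trivial pass-phrase undoes the protection. Nothing in the record can regenerate a forgotten pass-phrase, matching the warning above.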
Enable Synthetic Full
When selected, indicates that synthetic full data protection jobs can be performed when data encryption is enabled. Since running synthetic full data protection operations involves recovering data to a temporary buffer in memory, such data protection operations need a pass-phrase to access data encryption keys in the CommServe database.
If you want the convenience of scheduling Synthetic Full data protection operations at the expense of slightly weaker security, leave this option enabled. This will create another instance of unlocked encryption keys in the CommServe database, which can be used by synthetic full data protection operations only.
Alternatively, you can clear this option and then export the pass-phrase to the MediaAgent computer in which the Synthetic Full job is run.
Direct Media Access (Media Explorer)
The following options are available for key management, which is useful for recovering data using Media Explorer. Note that by default a copy of the encryption key is stored in the CommServe Database Engine and will be used by all data recovery operations using the CommCell Console.
When selected, this specifies that a copy of the encryption key will be stored in the media. Enabling this option will ensure that the data is retrievable using Media Explorer.
Be sure to specify a valid Media Password when selecting this option.
When selected, encryption keys are locked with the user-supplied pass-phrase before being stored on the storage media. This mode is much more secure than Via Media Password, as the keys cannot be recovered without the pass-phrase. When trying to recover such data with Media Explorer, you are prompted to provide the correct pass-phrase.
When selected, encryption keys will not be stored on the storage media at all. This represents the highest media security level as even Media Explorer will not be able to recover data (regular GUI/Database-driven recovery operations will still work).
Pass-Phrase
Enabled after an initial pass-phrase has been configured.
When selected, opens the Reset Pass-Phrase dialog box.
Enabled after an initial pass-phrase has been configured.
When selected, opens the Export Pass-Phrase dialog box.