Data Encryption - How To
Configure the Client for Data Encryption
Configure the Instance for Third-party Command Line Encrypted Operations
Configure the Replication Set for Data Encryption
Configure the Subclient for Data Encryption
Export an Encryption Pass-Phrase
Recover Encrypted Data (Regular)
Recover Encrypted Data (With a Pass-Phrase)
Configure a Storage Policy Copy for Data Encryption
Verify Data Encryption Method
To encrypt data during data protection and recovery operations using the CommCell Console, you must configure encryption at the client level first and then at the subclient level. To encrypt data during third-party Command Line operations, you must configure encryption at the client level first and then at the instance level.
See Data Encryption - Support for a list of supported products.
Before You Begin
This procedure configures data encryption for all supported agents that reside on this client; however, no content at any level (instance or subclient) will be encrypted until the respective level's encryption property is enabled.
Required Capability: Capabilities and Permitted Actions
To configure the client for data encryption:
- From the CommCell Console, right-click the Client and click Properties.
- From the client's Client Properties (Encryption) tab, select the Encrypt Data check box to enable options.
- Select options based on the criteria described in the Encryption tab help.
- Click OK to save your settings and close client properties.
- If you elected pass-phrase security you must enter a pass-phrase in the dialog box that appears.
Situations for which you must export the pass-phrase:
- To run scheduled data recovery operations
- For the Migration Archiver Agents to run a Stub data recovery
- For third-party Command Line data recovery operations
Encryption settings made at the instance level for third-party Command Line
operations are not related in any way to settings made at the subclient level.
Subclient encryption settings are only for data protection and recovery
operations run from the CommCell Console.
See Data Encryption - Support for a list of supported products.
Before You Begin
Encryption must be enabled at the client level prior to configuring any instances residing on that client. See Configure the Client for Data Encryption.
Required Capability: Capabilities and Permitted Actions
To configure the instance for encryption of third-party command line operations:
- From the CommCell Console, right-click the instance and click Properties.
- From the respective Encryption tab, select an option based on the criteria described in the Encryption tab help.
- Click OK to save your settings and close the properties dialog box.
For third-party Command Line data recovery operations to succeed when using pass-phrase security, you must export the pass-phrase to the destination client.
Before You Begin
- Encryption settings made at the Replication Set level are for encryption
of data between the source machine and the destination machine.
- Encryption must be enabled at the client level prior to configuring data encryption for a Replication Set residing on that client. See Configure the Client for Data Encryption.
Required Capability: Capabilities and Permitted Actions
To configure data encryption for a Replication Set:
- From the CommCell Browser, right-click the Replication Set and select Properties.
- From the Replication Set Properties (Replication Options) tab, either select or clear Encrypt During Data Transfer.
- Click OK to save your settings and close the Replication Set Properties.
Encryption settings made at the subclient level are for data protection and recovery operations run from the CommCell Console and are not related in any way to settings made at the instance level, which are for third-party Command Line operations only.
See Data Encryption - Support for a list of supported products.
Before You Begin
Required Capability: Capabilities and Permitted Actions
To configure the subclient for data encryption:
- From the CommCell Console, right-click the subclient and click Properties.
- From the Subclient Properties (Encryption) tab, select an option based on the criteria described in the Encryption tab help.
- Click OK to save your settings and close subclient properties.
For a scheduled data recovery operation of encrypted data to run successfully when the client encryption Restore Access property is set to With a Pass-Phrase, prior to the start of the scheduled recovery you must have exported the file that contains the scrambled pass-phrase to the destination client(s). This <hostname>.pf file is copied to the <software installation path>\PF folders and is named for the source client. Should you disable encryption at some point, either from the client or subclient level, know that these exported files are not deleted. Refer to Disable Encryption.
Although not mandatory, exporting the pass-phrase will also facilitate immediate data recoveries, bypassing the need to enter the pass-phrase for each recovery operation.
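An added example, not part of the original documentation or the vendor's tooling: a Python audit of a destination client's PF folder that flags exported <hostname>.pf files for source clients no longer expected to use pass-phrase access (these files are not deleted when encryption is disabled) and reports expected exports that are missing. The function names, the expected-client list and the sample file names are assumptions constructed for illustration.

```python
"""Audit exported pass-phrase files (<hostname>.pf) in a client's PF folder."""
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def audit_pf_folder(pf_dir, expected_sources):
    """Return stale and missing pass-phrase exports for one destination client.

    pf_dir           -- the PF folder under the software installation path
                        (the caller supplies the real location)
    expected_sources -- source clients whose Restore Access is still
                        "With a Pass-Phrase" and that restore to this machine
                        (assumption: the operator maintains this list)
    """
    expected = {name.lower() for name in expected_sources}
    found = {}
    for entry in Path(pf_dir).iterdir():
        # Exported files are named for the source client: <hostname>.pf
        if entry.is_file() and entry.suffix.lower() == ".pf":
            found[entry.stem.lower()] = entry

    stale = []
    for host in sorted(set(found) - expected):
        mtime = datetime.fromtimestamp(found[host].stat().st_mtime, timezone.utc)
        stale.append({"source_client": host, "path": str(found[host]),
                      "modified_utc": mtime.isoformat(timespec="seconds")})
    # Without the export, a scheduled recovery with pass-phrase access cannot run.
    missing = sorted(expected - set(found))
    return {"stale": stale, "missing": missing}


def make_constructed_pf_dir():
    """Build a throwaway PF folder with constructed file names for the demo."""
    root = Path(tempfile.mkdtemp(prefix="pf_audit_"))
    for name in ("fileserver01.pf", "DB02.example.com.pf",
                 "retired-host.pf", "notes.txt"):
        (root / name).write_bytes(b"constructed placeholder, not a real export")
    return root


if __name__ == "__main__":
    report = audit_pf_folder(make_constructed_pf_dir(),
                             ["fileserver01", "db02.example.com", "mail03"])
    for item in report["stale"]:
        print("STALE  ", item["source_client"], item["modified_utc"], item["path"])
    for host in report["missing"]:
        print("MISSING", host)
```

Stale entries are candidates for review and removal on the destination client; missing entries identify source clients whose scheduled recoveries would need a fresh export.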
When using pass-phrase security for:
- Migration Archiver Agents - you must export the pass-phrase to the destination client before you can run a Stub data recovery. However, Exchange data that has been archived with pass-phrase encryption cannot be recovered from Outlook or OWA, but can be recovered by performing a Browse and Recovery operation from the CommCell Console.
- Image Level and Image Level ProxyHost iDataAgents - you must export the pass-phrase to the MediaAgent as well as the destination client, since a portion of the volume information is restored to the MediaAgent Index Cache. When using Alternate Data Paths (GridStor), this would apply to any MediaAgent involved in the restore.
- Third-party Command Line operations - you must export the pass-phrase to the destination client.
Before You Begin
- Normal configurations for this procedure are:
  - Client encryption properties - restore access is set to With a Pass-Phrase.
  - Client encryption properties - a pass-phrase has already been set.
  - Instance properties (for third-party Command Line operations) - any setting.
  - Subclient encryption properties - any setting.
- If you have changed encryption settings, refer to Change Encryption Settings for alternate configurations.
Required Capability: Capabilities and Permitted Actions
To export an encryption pass-phrase to a client:
- From the CommCell Console, right-click the Client and click Properties.
- From the Client Computer Properties (Encryption) tab, click the Export button.
- In the Export Pass-Phrase dialog box, select a Destination Computer.
- Enter the pass-phrase as directed.
- Click Export to copy the file with the pass-phrase to the selected client, and then close the dialog box.
Once you have configured the client and desired agent(s) and exported
the pass-phrase, you are ready to run immediate and scheduled data recovery
operations from the CommCell Console or immediate third-party Command Line operations.
Data Recovery Operations from the CommCell Console
When the client encryption properties Restore Access is set to Regular, recovery of encrypted data run from the CommCell Console is transparent, meaning the Advanced Restore Options Encryption tab is not utilized.
Before you Begin
- Normal source client configurations for this procedure are:
  - Client encryption properties - Restore Access is set to Regular at the time of the data recovery operation.
  - Subclient encryption properties - Any setting.
- If you have changed encryption settings, refer to Change Encryption Settings for alternate configurations.
- This procedure also pertains to recovering data on media encrypted during auxiliary copy operations.
Required Capability: Capabilities and Permitted Actions
To recover encrypted data when the source client's Restore Access is set to Regular:
- From the CommCell Console, begin any immediate or scheduled data recovery procedure.
- When you reach the Restore Options dialog box, do not use the Encryption tab (by clicking Advanced and then Encryption).
- Continue your data recovery procedure as usual.
Third-party Command Line Recovery Operations
When the client encryption properties Restore Access is set to Regular,
third-party Command Line recovery of encrypted data is transparent.
Before you Begin
- Normal source client configurations for this procedure are:
  - Client encryption properties - Restore Access is set to Regular at the time of the data recovery operation.
  - Instance encryption properties - Any setting.
- If you have changed encryption settings, refer to Change Encryption Settings for alternate configurations.
Data Recovery Operations from the CommCell Console
Before You Begin
- Normal source client configurations for this procedure are:
  - Client encryption properties - Restore Access of the source client must be set to With a Pass-Phrase at the time of the recovery operation.
  - Subclient encryption properties - MediaAgent Only or Network and MediaAgent at the time of the recovery operation.
- If you have changed encryption settings, refer to Change Encryption Settings for alternate configurations.
- For a scheduled recovery operation in these configurations to run successfully, prior to the start of the operation you must have exported the current pass-phrase to the destination client using the Client Properties Encryption tab. See Export an Encryption Pass-Phrase.
Required Capability: Capabilities and Permitted Actions
- If data is being recovered to the same destination as the original data protection operation: Browse and In Place Recovery with at least subclient level association at the source client.
- If data is being recovered to a different destination than the original data protection operation:
  - Browse and Out of Place Recovery with at least backup set/instance association at the source client, and
  - Browse and In Place Recovery with at least agent level association at the destination client.
  If the destination client is on a different platform than the source client (for example, a Unix File System client and a Windows File System client), then Browse and In Place Recovery with at least client level association at the destination client is needed.
- If recovering encrypted data that was encrypted during auxiliary copy operations, a pass-phrase will not be required regardless of the client's Restore Access settings.
To recover encrypted data when the source client's Restore Access is set to With a Pass-Phrase:
- From the CommCell Console, begin any immediate or scheduled data recovery procedure.
- When you reach the Restore Options dialog box:
  - If the source client's current pass-phrase has been exported to the destination client, do not use the Encryption tab (by clicking Advanced and then the Encryption tab).
  - If the data you are recovering belongs to a client for which you have not exported its pass-phrase to the destination client, or the exported pass-phrase is not synchronized with the current pass-phrase, click Advanced and then the Encryption tab from the Advanced Restore Options dialog box. In the spaces provided in this tab, enter the pass-phrase that is currently assigned to the client and click OK.
- Continue your data recovery procedure as usual.
Third-party Command Line Recovery Operations
When the source client encryption properties option Restore Access is set to With
a Pass-Phrase, you are required to Export
the Encryption Pass-Phrase in order to perform immediate data recovery
operations via a third-party Command Line.
Before You Begin
- Normal source client configurations for this procedure are:
  - Client encryption properties - Restore Access is set to Regular at the time of the data recovery operation.
  - Instance encryption properties - Any setting.
- If you have changed encryption settings, refer to Change Encryption Settings for alternate configurations.
Required Capability: See Capabilities and Permitted Actions
To configure a storage policy copy for data encryption:
- From the right pane of the CommCell Browser, right-click a secondary storage policy copy, and then click Properties. Note that you cannot configure a primary storage policy copy for data encryption.
- From the Advanced tab of the Copy Properties dialog box, click the Encrypt Data check box to enable options.
- Select options based on the criteria described in the Advanced tab help.
- Click OK to save your settings.
Required Capability: Capabilities and Permitted Actions
To verify the encryption method:
- From the CommCell Browser, right-click on the CommCell, and select Properties from the popup menu.
- Select the Version tab, and check that the Crypto Library Version is 1.0.
- Click OK to close this window.
- From the CommCell Browser, right-click on a client, and select Properties from the popup menu.
- Select the Encryption tab.
- Verify that the Encrypt Data option is enabled, and that the Data Encryption Algorithm Cipher is set to an algorithm that suits your environment:
- Click OK to close this window.