Data Encryption

Topics | How To | Support | FAQ | Related Topics

Overview

FIPS Certification

Auxiliary Copy Operations and Encryption

Replication Encryption

Disable Encryption

Change Encryption Settings

Important Considerations

Verify Encryption

License Requirement

Overview

The software allows encrypting data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations.

Encryption can be specified at three levels: client level (for backup), auxiliary copy level and hardware level. Client level encryption allows users to protect data prior to it leaving the computer. The data encryption keys are randomly generated per archive file. Additionally, they can be protected with a pass-phrase, which would be required for restoring the data. Auxiliary Copy level encryption encrypts data during auxiliary copy operations enabling backup operations to run at full speed. Here, data encryption keys are generated per storage policy copy of the archive file. Thus, if there are multiple copies in a storage policy, the same archive files in each copy gets a different encryption key. Individual archive files, however, will have different encryption keys. Note that the data encryption keys cannot be protected with a pass-phrase during auxiliary copy-level encryption. Hardware Encryption allows you to encrypt media used in drives with built-in encryption capabilities, which provides considerably faster performance than data or auxiliary copy encryption. The data encryption keys are generated per chunk on the media. Each chunk will have a different encryption key.

Data is encrypted according to the method you select when you Configure the Client for Data Encryption (client-level encryption) or Configure a Storage Policy Copy for Data Encryption (auxiliary copy-level encryption). You can select from several algorithms and key lengths, which are listed in the following table.

Data Encryption Algorithms

*This performance rating is based on performance tests for the number of megabytes encrypted per second in a Windows environment with the CommServe software. The rating is on a scale of 1-10, 10 being the fastest. Results may vary depending on testing environment.

If you need network security only, configure encryption at the client level and select Network Only. The encryption keys are randomly chosen for every session. Data is encrypted on the Client and is decrypted on the MediaAgent and the keys are discarded at the end. The entire process is completely transparent. All you have to do is to enable encryption, and select the cipher and key length.

If you are concerned that media may be misplaced, data can be encrypted before writing it to the media and store the keys in the CommServe database. In this way, recovery of the data without the CommServe is impossible - not even with Media Explorer. This mode is also completely transparent. Once enabled, it will work requiring no additional activity on your part.

Additionally, encryption keys can be protected with your own pass-phrase before being stored in the database. If the database is accessed by unauthorized users, and the media is stolen, the data will still not be recoverable without the pass-phrase. This highest level of security comes at the price of having to enter the pass-phrase for every recovery operation and not being able to run synthetic full backups. But even this mode can further be customized to fit specific needs:

• By exporting a file that contains the scrambled pass-phrase of the client computer to a dedicated directory on another computer, the system can recover the client's data to that (and only that) computer without prompting you for the pass-phrase.
• Explicitly enabling synthetic full backups in the GUI will create a copy of unlocked encryption keys in the database, which will be accessible only to synthetic full data protection operations. In this case the regular data recovery operations will still prompt you for a pass-phrase, but synthetic full data protection operations will not.
   

FIPS Certification

The Crypto Library module supports data encryption methods approved by the Federal Information Processing Standard (FIPS) as well as additional data encryption methods not approved by FIPS. To verify the method that the software is using, see Verify Data Encryption Method.

The National Institute of Standards and Technology has CommVault's certification under the list of Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules that have been tested using the cryptographic module validation program (CMVP).

Auxiliary Copy Operations and Encryption

Auxiliary copy operations can be configured for encryption when configuring a storage policy copy. This capability is useful in several scenarios:

• You are sending media to an off-site location and want to ensure the data on that media is not readable should the media be lost or stolen.
• You are performing a data protection operation to a disk library and wish to copy that data to a tape in encrypted form, but do not want to consume the time and resources required to encrypt the data during the data protection operation.
• You are protecting data from multiple organizations and want to ensure one organization cannot read the data from another.
• You wish to encrypt a portion of the source copy for off-site or long-term storage. For example, if you create a selective copy with a certain set of criteria established, the auxiliary copy encryption process will encrypt only the data satisfying that criteria.

When enabled, auxiliary copy encryption will encrypt any portion of the data that has not already been encrypted during a data protection operation. If any data on the source copy is already encrypted, the software will retain that data's existing encryption, unless configured to re-encrypt the data using a different data encryption algorithm.

The following table illustrates the data encrypted with auxiliary copy encryption:

All encryption keys are supported for auxiliary copy encryption and are created on an individual basis for each data protection operation. Refer to Data Encryption for more information on encryption keys.

In some cases, other encryption methods may be preferable to auxiliary copy encryption, such as:

• You are protecting data over an unsecured network (such as a Wide Area Network) and want to ensure the data is not readable while passing through the network. In this scenario, you can encrypt data at the client level.
• You wish to protect encryption keys with a pass-phrase. In this scenario, you can encrypt data at the client level..
• You have libraries or drives with built-in encryption capabilities and wish to encrypt the media used in those drives. In this scenario, you can encrypt data at the client level using Hardware Encryption. Note that hardware encryption provides considerably faster performance than data or auxiliary copy encryption.

Configuring Storage Policies for Auxiliary Copy Encryption

You can configure data encryption for an auxiliary copy operation by selecting the Encrypt Data option from the appropriate storage policy copy's Properties dialog box. The data will then be encrypted once the auxiliary copy process is initiated for that storage policy.

Re-encryption during Auxiliary Copy

During an auxiliary copy operation of encrypted data, you can also configure the copy to decrypt and re-encrypt the data. A different data encryption algorithm can be used when the data is re-encrypted. This is useful if data is compromised, company policy dictates it, data will be retained longer, thereby requiring a stronger encryption algorithm (more bits), or, on the contrary, the data will be retained for a shorter amount of time, thereby requiring a smaller algorithm (less bits).

For step-by-step instructions on configuring a storage policy for data encryption and starting the auxiliary copy, see the following:

• Configure a Storage Policy Copy for Data Encryption
• Start an Auxiliary Copy

Related Reports

The Auxiliary Copy Job Summary Report and Jobs in Storage Policy Copies Report will display the data that has been encrypted.

Licensing

An Auxiliary Copy License is required for each MediaAgent.

Replication Encryption

Data being replicated can be encrypted between the source and destination computers.

When encryption is enabled, data is encrypted on the source computer, replicated across the network to the destination computer, and decrypted on the destination computer. Encryption for replication is specified on the Replication Set level, and applies to all of its Replication Pairs. For a given Replication Set, you can enable or disable encryption between the source and destination machines. See Configure the Replication Set for Data Encryption for step-by-step instructions.

For data encryption during a copyback/restore operation, you have to enable encryption on the computer which initiates the copyback/restore operation, in addition to enabling the encryption for a replication set. See Configure the Replication Set for Data Encryption for step-by-step instructions.

Disable Encryption

Once you have enabled encryption functionality at the client level, there are different approaches to backing out of the functionality. You need to be aware of the behaviors that result from each approach. Refer to Change Encryption Settings.

If an exported pass-phrase was not synchronized with the last source client's pass-phrase at the time encryption was disabled (setting change from With a Pass-Phrase directly to Disabled), subsequent recovery operations may present an erroneous message "Invalid pass-phrase specified. Please check the spelling and try again". If the data you are recovering was not encrypted, this message can be ignored as the recovery will run successfully. If the data was encrypted with pass-phrase protection, you will need to provide the correct (last) source client's pass-phrase.

When you disable encryption after having exported a pass-phrase, the exported file is not deleted. To remove the file, locate the <hostname>.pf file in the <software installation path>\PF folder that is named for the source client.

Change Encryption Settings

If you set up the following client and subclient encryption settings and never change them, the following chart indicates when a pass-phrase is required at recovery time:

Changing the client Restore Access settings, resetting a pass-phrase or changing export settings effects encryption behaviors as follow:

1. At the time you change client properties from Restore Access With a Pass-Phrase directly to Disabled at the client level, the last pass-phrase is retained. When you run a recovery operation on those past backups 1) you will still have to enter the most recent pass-phrase, and 2) as long as the current pass-phrase had been exported, scheduled data recoveries for those past backups will run successfully. Subsequent data protection operations run after having disabled encryption and data recovery operations run on those subsequent data protection operations will not evidence any encryption behaviors. (SEE ALSO Notes ^{4 and 5} .)
2. When you change client properties from Restore Access With a Pass-Phrase to Regular at the client level, at that time you are required to enter the current pass-phrase. By entering the correct pass-phrase, all keys are unlocked. This means for any past or subsequent data protection operations you will 1) no longer be required to enter the pass-phrase during a data recovery operation, and 2) scheduled data recovery operations will run successfully without having to export a pass-phrase.

   Do not delete the exported pass-phrase file when a Migration Archiver Agent is present on the client computer. If a migration archiving operation was done using encryption and the key is deleted, stub recoveries will not be possible. At that point, your remaining option would be to perform a browse/recovery and provide the correct Decryption key. Exchange data that has been archived with pass-phrase encryption cannot be recovered from Outlook or OWA, but can be recovered by performing a Browse and Recovery operation from the CommCell Console.

3. When you Reset a client's pass-phrase, if you are in the practice of exporting pass-phrases, a recommended Best Practice is to Export immediately to keep the current and exported pass-phrases synchronized. Although it is possible when performing an immediate data recovery operation to override an out-of-date exported pass-phrase by entering the new pass-phrase, scheduled data recovery operations only utilize the exported pass-phrase. If the exported pass-phrase is not current, scheduled data recoveries will not complete successfully.
4. At the time you change client properties from Restore Access With a Pass-Phrase directly to Disabled at the client level, the last pass-phrase is retained. Therefore, if you run an Auxiliary Copy operation at this point, for all backups that get copied in the Auxiliary Copy operation.
5. When you change client properties from Restore Access With a Pass-Phrase to Regular and then to Disabled at the client level, and then run an Auxiliary Copy operation, for all backups that get copied in the Auxiliary Copy operation.

Important Considerations

Keep the following in mind when encrypting data:

• Since encrypting data converts it into a random form, it becomes less compressible than non-encrypted data. It is therefore recommended that you do not enable hardware compression on encrypted data, as doing so may actually make the data grow in size.
• The backup throughput for encrypted data will be lower when compared to non-encrypted data. Enabling Client Compression may provide a higher throughput for encrypted data which is not already compressed. Note that alternatively, the Auxiliary Copy Encryption feature, which encrypts the data during auxiliary copy operations, allows backups to run at full speed.
• Exchange data that has been archived with pass-phrase encryption cannot be recovered from Outlook or OWA, but can be recovered by performing a Browse and Recovery operation from the CommCell Console.
• If an archive operation is performed without encryption for File Archiver Agents, and then encryption is enabled, in order to recover the data, enter the current pass-phrase in the CommCell Console (for browse recoveries), or export the pass-phrase to the client computer (for stub recoveries).
• While configuring the Windows File System backup sets, if you are using Data Classification as the scan method, you may face the following data encryption issue: When the data is restored, a non-encrypted file, in an encrypted folder, becomes encrypted.  This issue does not occur if you use the Change Journal or Classic Scan as the scan method during the backup.
• Auxiliary Copy Encryption
  • When configuring a Primary Copy and Secondary Copy with deduplication, the pass phrase option is not supported. For more information, see Deduplication.
  • Auxiliary copy encryption is not supported for NetWare MediaAgents. If you wish to encrypt NetWare data with auxiliary copy encryption, you must use a Windows or Unix-based MediaAgent.
  • Auxiliary copy encryption is supported for NDMP Remote Server data; however, it is not supported for NAS File Server data.
  • If the CommServe and MediaAgent have been upgraded to the current release level but the client has not, any restored secondary copy data that was encrypted during an auxiliary copy operation will not be supported until the client is upgraded to the current release level.
  • If you are creating a secondary copy from an encrypted, deduplicated source copy, the software automatically decrypts the deduplicated data during the creation of the secondary copy. Thus, if you wish to create a fully encrypted secondary copy of data from an encrypted, deduplicated source copy, ensure that the secondary copy is configured for re-encryption. Otherwise, the deduplicated portion of the data will remain decrypted. See Deduplication for more information.
  • An inline copy enables users to create additional copies of data at the time of data protection operations, therefore, it will assume the encryption settings of the subclient for which the copy is being made. Note that if a data protection operation of a subclient whose storage policy has an inline copy enabled does not successfully create the Inline Copy, that data will be copied to a secondary copy the next time an auxiliary copy is run, and will be encrypted at that time. For more information see Inline Copies.

  • If the CommServe and MediaAgent are upgraded to the current release, but the Client is not upgraded, the restored data from a secondary copy containing encrypted backups enabled using the auxiliary copy operation will not be supported until the Client is upgraded to the current release.

Verify Encryption

To verify the software and hardware encryption, create the following reports: Job Summary Report and Jobs in Storage Policy Copies Report. The reports will display the data that has been encrypted.

License Requirement

This feature requires a Feature License to be available in the CommServe^® Server.

Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.

Back to Top