To encrypt data during data protection and recovery operations using the CommCell Console, you must
configure encryption at the client level first and then at the subclient level.
To encrypt data during third-party Command Line operations, you must
configure encryption at the client level first and then at the instance level.
This procedure configures data encryption for all supported agents that reside on this
client. However, no content at any level (instance or subclient) will be encrypted until
the respective level's encryption property is enabled.
Select options based on the criteria described in the Encryption tab help.
Configure data encryption for Restore Access and Direct Media Access.
If you configure data encryption with the With a Pass-Phrase option and do not elect to export the
pass-phrase to destination clients:
You will be required to enter the pass-phrase during immediate data recovery operations.
You will not be able to run scheduled data recovery operations.
If you do not require this level of security, consider using Regular encryption instead, or
export the pass-phrase (see Export an Encryption Pass-Phrase).
The following operations require you to export the pass-phrase:
Scheduled data recovery operations
Stub data recovery operations (initiated from Migration Archiver Agents)
Third-party Command Line data recovery operations
Note: if you selected pass-phrase security, you must enter a pass-phrase in the
dialog box that appears.
Click OK to save your settings and close client properties.
Encryption settings made at the instance level for third-party Command Line
operations are not related in any way to settings made at the subclient level.
Subclient encryption settings are only for data protection and recovery
operations run from the CommCell Console.
To configure the instance for encryption of third-party Command Line operations:
From the CommCell Console, right-click the instance and click Properties.
From the respective Encryption tab, select an option based on the
criteria described in the Encryption tab help.
Click OK to save your settings and close the properties dialog box.
For third-party Command Line data recovery operations to succeed when
using pass-phrase security, you must export the pass-phrase to the
destination client.
Encryption settings made at the Replication Set level are for encryption
of data between the source machine and the destination machine.
Encryption must be enabled at the client level prior to configuring data
encryption for a Replication Set residing on that client. See Configure
the Client for Data Encryption.
Encryption settings made at the subclient level are for data
protection and recovery operations run from the CommCell Console and are not related in any way to
settings made at the instance level, which are for third-party Command Line operations only.
For a scheduled data recovery operation of encrypted data to
run successfully when the client encryption Restore Access property is set to
With a Pass-Phrase, prior to the start of the scheduled recovery you must have exported the file that contains
the scrambled pass-phrase to the destination client(s). This <hostname>.pf file is copied
to the <software installation path>\PF folders and is named for the source client. Should you
disable encryption at some point, either from the client or subclient level,
know that these exported files are not deleted. Refer to Disable Encryption.
Although not mandatory, exporting the pass-phrase will also facilitate
immediate data recoveries, bypassing the need to enter the pass-phrase for each
recovery operation.
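The check below is an added example, not part of the original documentation or the product: it compares the <hostname>.pf files in a destination client's PF folder against a list of source clients that currently use With a Pass-Phrase, reporting clients that have no exported file and exported files left behind for clients no longer on the list. The folder path, the client list, and case-insensitive host name matching are assumptions supplied by the operator.

```python
import tempfile
from pathlib import Path


def audit_pf_folder(pf_dir, passphrase_clients):
    """Classify exported pass-phrase files in one destination client's PF folder.

    pf_dir             -- the PF folder under the software installation path
                          (assumption: supplied by the operator)
    passphrase_clients -- source clients whose Restore Access is currently
                          With a Pass-Phrase (assumption: operator-maintained list)
    """
    expected = {name.lower() for name in passphrase_clients}
    exported = set()
    pf_dir = Path(pf_dir)
    if pf_dir.is_dir():
        for entry in pf_dir.iterdir():
            # Exported files are named <hostname>.pf for the source client.
            # Path.stem drops only the final suffix, so FQDNs survive intact.
            if entry.is_file() and entry.suffix.lower() == ".pf":
                exported.add(entry.stem.lower())
    return {
        # Export exists and the client still uses a pass-phrase.
        "present": sorted(expected & exported),
        # No export: scheduled recoveries from this client will not run.
        "missing": sorted(expected - exported),
        # Export exists for a client not on the list, e.g. encryption was
        # disabled later; the file is not deleted automatically.
        "stale": sorted(exported - expected),
    }


def demo():
    """Run the audit against a constructed PF folder (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        pf = Path(root) / "PF"
        pf.mkdir()
        for name in ("fileserver01.pf", "oldclient.example.com.pf"):
            (pf / name).write_bytes(b"constructed placeholder")
        return audit_pf_folder(pf, ["FileServer01", "dbhost02"])


if __name__ == "__main__":
    for status, clients in demo().items():
        print(f"{status}: {', '.join(clients) or '-'}")
```

Files reported as stale still hold a scrambled pass-phrase, so review them whenever encryption is disabled for a client.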
When using pass-phrase security for:
Migration Archiver Agents - you must export the pass-phrase to the
destination client before you can run a Stub data recovery. However, Exchange data
that has been archived with pass-phrase encryption cannot
be recovered from Outlook or OWA, but can be recovered by performing a Browse
and Recovery operation from the CommCell Console.
Image Level and Image Level ProxyHost iDataAgents - you must export the pass-phrase to the
MediaAgent as well as the destination client, since a portion of the volume
information is restored to the MediaAgent Index Cache. When using
Alternate Data Paths (GridStor), this would apply to any MediaAgent involved in the restore.
Third-party Command Line operations - you must export the pass-phrase to the
destination client.
Before You Begin
Normal configurations for this procedure are:
Client encryption properties - restore access is set to With a
Pass-Phrase.
Client encryption properties - a pass-phrase has already been set.
Instance properties (for third-party Command Line
operations) - any setting.
Subclient encryption properties - any setting.
If you have changed encryption settings, refer to Change Encryption Settings
for alternate configurations.
Click Export to copy the file with the pass-phrase to the selected client, and
then close the dialog box.
Once you have configured the client and desired agent(s) and exported
the pass-phrase, you are ready to run immediate and scheduled data recovery
operations from the CommCell Console or immediate third-party Command Line operations.
Data Recovery Operations from the CommCell Console
When the client encryption properties Restore Access is set to Regular, recovery of encrypted data
run from the CommCell Console is transparent; that is, the Advanced Restore Options
Encryption tab is not used.
Before You Begin
Normal source client configurations for this procedure are:
Client encryption properties - Restore Access is set to Regular at
the time of the data recovery operation.
Subclient encryption properties - Any setting.
If you have changed encryption settings, refer to Change Encryption Settings
for alternate configurations.
This procedure also pertains to recovering data on media encrypted
during auxiliary copy operations.
Data Recovery Operations from the CommCell Console
Before You Begin
Normal source client configurations for this procedure are:
Client encryption properties - Restore Access of the source client must be set to With a
Pass-Phrase at the time of the recovery operation.
Subclient encryption properties - MediaAgent Only or Network and
MediaAgent at the time of the recovery operation.
If you have changed encryption settings, refer to Change Encryption Settings
for alternate configurations.
For a scheduled recovery operation in these configurations to
run successfully, prior to the start of the operation you must have exported the
current pass-phrase to the destination client using the Client Properties
Encryption tab. See Export an Encryption Pass-Phrase.
If data is being recovered to the same destination as the original data protection operation:
Browse and In Place Recovery with at least subclient level association at
the source client.
If data is being recovered to a different destination than the original data
protection operation:
Browse and Out of Place Recovery with at least backup set/instance
association at the source client, and
Browse and In Place Recovery with at least agent level association
at the destination client.
If the destination client is on a different platform than the source
client (for example, a Unix File System client and a Windows File System
client), then Browse and In Place Recovery with at least client level
association at the destination client is needed.
If recovering encrypted data that was encrypted during auxiliary copy
operations, a pass-phrase will not be required regardless of the client's
Restore Access settings.
To recover encrypted data when the source client's Restore Access is set to With a Pass-Phrase:
From the CommCell Console, begin any immediate or scheduled data recovery procedure.
When you reach the Restore Options dialog box:
If the source client's current pass-phrase has been exported to the
destination client, do not use the Encryption tab (by clicking
Advanced and then the Encryption tab).
If the data you are recovering belongs to a client for which you have not exported
its pass-phrase to the destination client, or the exported pass-phrase is not synchronized
with the current pass-phrase, click Advanced and then the Encryption tab
from the Advanced Restore Options dialog box. In the
spaces provided in this tab, enter the pass-phrase
that is currently assigned to the client and click OK.
Continue your data recovery procedure as usual.
Third-party Command Line Recovery Operations
When the source client encryption properties option Restore Access is set to With
a Pass-Phrase, you are required to Export
the Encryption Pass-Phrase in order to perform immediate data recovery
operations via a third-party Command Line.
Before You Begin
Normal source client configurations for this procedure are:
Client encryption properties - Restore Access is set to Regular at
the time of the data recovery operation.
Instance encryption properties - Any setting.
If you have changed encryption settings, refer to Change Encryption Settings
for alternate configurations.
To configure a storage policy copy for data encryption:
From the right pane of the CommCell Browser, right-click a secondary storage policy
copy, and then click Properties. Note that you cannot configure a primary
storage policy copy for data encryption.
From the Advanced tab of the Copy Properties dialog box, click the
Encrypt Data check box to enable options.
Select options based on the criteria described in the Advanced tab help.