Data Encryption - Overview

Data Encryption provides the ability to encrypt data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations.

Encryption can be specified at the following levels:

  • Client level (for backup)

    Client level encryption allows users to protect data before it leaves the computer. You can set up client level encryption if you need network security.

    The data encryption keys are randomly generated per archive file.

  • Replication Set level

    Encryption for replication is specified on the Replication Set level, and applies to all of its Replication Pairs. For a given Replication Set, you can enable or disable encryption between the source and destination machines.

    Replication Set level encryption encrypts data on the source computer; the data is replicated across the network in encrypted form and decrypted on the destination computer.

  • Auxiliary Copy level (for copies)

    Auxiliary Copy level encryption encrypts data during auxiliary copy operations enabling backup operations to run at full speed. If you are concerned that media may be misplaced, data can be encrypted before writing it to the media and keys stored in the CommServe database. In this way, recovery of the data without the CommServe is impossible - not even with Media Explorer.

    Here, data encryption keys are generated per storage policy copy of the archive file. Thus, if there are multiple copies in a storage policy, the same archive file in each copy gets a different encryption key. Individual archive files likewise each have their own encryption key.

  • Hardware level (all data)

    Hardware Encryption allows you to encrypt media used in drives with built-in encryption capabilities, which provides considerably faster performance than data or auxiliary copy encryption. The data encryption keys are generated per chunk on the media. Each chunk will have a different encryption key.

Data Encryption Algorithms

Supported algorithms and key lengths are listed below. For each cipher, the entry gives its details, block size, performance rating*, and key length options.

Blowfish
  • Symmetric Key Block Cipher
  • Fast (fastest of the ciphers supported)
  • Secure
  • Finalist in the Advanced Encryption Standard Contest
  Block Size: 64 bits
  Performance Rating*: 10
  Key Length Options: 128, 256 bits

GOST
  • Symmetric Key Block Cipher

    To use this cipher for the first time, you must have the latest Service Pack installed on the CommServe and on all clients and MediaAgents.

    For an upgraded CommServe, this cipher is supported for backup and Auxiliary Copy jobs only when all MediaAgents and their associated Clients are upgraded to the same software version.

  Block Size: 64 bits
  Performance Rating*: N/A
  Key Length Options: 256 bits

AES (Advanced Encryption Standard) or Rijndael
  • Symmetric Key Block Cipher
  • Fast
  • Secure
  • Winner of the Advanced Encryption Standard Contest
  • Adopted as the Government Standard (only cipher approved by the National Security Agency for use with top secret information)
  Block Size: 128 bits
  Performance Rating*: 7
  Key Length Options: 128, 256 bits

Serpent
  • Symmetric Key Block Cipher
  • Very Secure (considered more secure than AES)
  • Finalist in the Advanced Encryption Standard Contest
  Block Size: 128 bits
  Performance Rating*: 8
  Key Length Options: 128, 256 bits

Twofish
  • Symmetric Key Block Cipher
  • Fast
  • Secure
  • Not standardized
  • Finalist in the Advanced Encryption Standard Contest
  Block Size: 128 bits
  Performance Rating*: 4
  Key Length Options: 128, 256 bits

3-DES (Triple Data Encryption Standard)
  • Symmetric Key Block Cipher
  • Slow
  • May be susceptible to certain attacks
  Block Size: 64 bits
  Performance Rating*: 1.5
  Key Length Options: 192 bits

* This performance rating is based on performance tests for the number of megabytes encrypted per second in a Windows environment with the CommServe software. The rating is on a scale of 1-10, 10 being the fastest. Results may vary depending on testing environment.
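As an added example (not CommVault code), the following Go program shows how a throughput rating of the kind used in the table above can be produced: it times CBC encryption of a fixed buffer for AES-128, AES-256 and 3-DES-192 (the table's ciphers that Go's standard library provides; Blowfish, GOST, Serpent and Twofish are not in it), records the block size and key length alongside, and scales the result to 1-10 with the fastest cipher at 10. The 10*MBps/fastest scaling, the 2 MiB buffer and the use of CBC mode are assumptions, since the page does not state how its figures were obtained.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
	"math"
	"time"
)

type Rating struct {
	Name               string
	BlockBits, KeyBits int
	MBps, Score        float64
}

// Constructors for the table's ciphers that Go's standard library provides.
var ctors = map[string]func([]byte) (cipher.Block, error){"AES": aes.NewCipher, "3-DES": des.NewTripleDESCipher}

// MeasureAll times AES-128, AES-256 and 3-DES-192 with fresh random keys over a bufBytes buffer
// and scores each as 10*MBps/fastest, floored at 1 (assumed scaling; the page only says 1-10, 10 fastest).
func MeasureAll(bufBytes int) ([]Rating, error) {
	buf := make([]byte, bufBytes-bufBytes%16) // contents are irrelevant for timing
	out := []Rating{{Name: "AES", KeyBits: 128}, {Name: "AES", KeyBits: 256}, {Name: "3-DES", KeyBits: 192}}
	fastest := 0.0
	for i := range out {
		key := make([]byte, out[i].KeyBits/8)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		b, err := ctors[out[i].Name](key)
		if err != nil {
			return nil, err
		}
		enc := cipher.NewCBCEncrypter(b, make([]byte, b.BlockSize())) // zero IV: timing only
		start := time.Now()
		enc.CryptBlocks(buf, buf)
		out[i].BlockBits, out[i].MBps = b.BlockSize()*8, float64(len(buf))/(1<<20)/time.Since(start).Seconds()
		fastest = math.Max(fastest, out[i].MBps)
	}
	for i := range out { // fastest/fastest is exactly 1, so the top cipher scores exactly 10
		out[i].Score = math.Max(1, 10*(out[i].MBps/fastest))
	}
	return out, nil
}

func main() {
	rs, err := MeasureAll(2 << 20) // 2 MiB: a multiple of both 64-bit and 128-bit block sizes
	fmt.Printf("%+v\n%v\n", rs, err)
}
```

Absolute figures depend heavily on the hardware (AES-NI in particular), so, as the footnote says, results vary by environment; only the relative ranking is comparable between runs on the same machine.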

FIPS Certification

The Crypto Library module supports data encryption methods approved by the Federal Information Processing Standard (FIPS) as well as additional data encryption methods not approved by FIPS. To verify the method that the software is using, see Verifying the Data Encryption Method.

The National Institute of Standards and Technology lists CommVault's certification on the Cryptographic Module Validation Program (CMVP) FIPS 140-1 and FIPS 140-2 Modules In Process List, the list of modules being tested under the CMVP.