Data Encryption - Overview
Data Encryption provides the ability to encrypt data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations.
Encryption can be specified at the following levels:
- Client level (for backup)
Client level encryption allows users to protect data before it leaves the computer. Set up client level encryption if you need the data protected while it crosses the network.
The data encryption keys are randomly generated per archive file.
- Replication Set level
Encryption for replication is specified on the Replication Set level, and applies to all of its Replication Pairs. For a given Replication Set, you can enable or disable encryption between the source and destination machines.
With Replication Set level encryption, data is encrypted on the source computer, replicated across the network in encrypted form, and decrypted on the destination computer.
- Auxiliary Copy level (for copies)
Auxiliary Copy level encryption encrypts data during auxiliary copy operations enabling backup operations to run at full speed. If you are concerned that media may be misplaced, data can be encrypted before writing it to the media and keys stored in the CommServe database. In this way, recovery of the data without the CommServe is impossible - not even with Media Explorer.
Here, data encryption keys are generated per storage policy copy of the archive file. Thus, if a storage policy has multiple copies, the same archive file gets a different encryption key in each copy, and individual archive files within a copy also have different encryption keys.
- Hardware level (all data)
Hardware Encryption allows you to encrypt media used in drives with built-in encryption capabilities, which provides considerably faster performance than data or auxiliary copy encryption. The data encryption keys are generated per chunk on the media. Each chunk will have a different encryption key.
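As an added illustration (not CommVault's code) of the per-copy key scheme described above: every archive file gets its own random data encryption key (DEK) in each storage policy copy, and the keys are recorded only in a key store standing in for the CommServe database, so the media alone cannot be read back. It uses AES-256-GCM from the Go standard library; the names KeyStore, EncryptCopy and DecryptCopy are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for the CommServe database (assumed name): the DEK of every
// (archive file, storage policy copy) pair is recorded here and never on the media.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// randomBytes draws n bytes from the OS CSPRNG; a failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; the key length is fixed at 32 bytes, so setup cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// EncryptCopy draws a fresh random DEK for this archive file in this copy, records it
// in the key store and returns nonce||ciphertext, the form written to the media.
func (ks *KeyStore) EncryptCopy(archiveFile, copyName string, data []byte) []byte {
	dek := randomBytes(32)
	ks.keys[archiveFile+"/"+copyName] = dek
	g := aead(dek)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, data, nil)
}

// DecryptCopy succeeds only while the key store still holds that copy's DEK; the
// media alone, or another copy's key, cannot read the archive file back.
func (ks *KeyStore) DecryptCopy(archiveFile, copyName string, blob []byte) ([]byte, error) {
	dek, ok := ks.keys[archiveFile+"/"+copyName]
	if !ok {
		return nil, fmt.Errorf("no key for %s in copy %s: recovery needs the key store", archiveFile, copyName)
	}
	g := aead(dek)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}
```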
Data Encryption Algorithms
Supported algorithms and key lengths are listed in the following table.
| Cipher | Details | Block Size | Performance Rating* | Key Length Options |
|---|---|---|---|---|
| (cipher name missing) | | 64 bits | 10 | 128, 256 bits |
| (cipher name missing) | | 64 bits | N/A | 256 bits |
| AES (Advanced Encryption Standard) or Rijndael | | 128 bits | 7 | 128, 256 bits |
| (cipher name missing) | | 128 bits | 8 | 128, 256 bits |
| (cipher name missing) | | 128 bits | 4 | 128, 256 bits |
| 3-DES (Triple Data Encryption Standard) | | 64 bits | 1.5 | 192 bits |
Details noted in the table:
- To use this cipher for the first time, you must have the latest Service Pack installed on the CommServe and on all clients and MediaAgents.
- For an upgraded CommServe, this cipher is supported for backup and Auxiliary Copy jobs only when all MediaAgents and their associated Clients are upgraded to the same software version.
* The performance rating is based on tests measuring the number of megabytes encrypted per second in a Windows environment with the CommServe software. The rating is on a scale of 1 to 10, with 10 the fastest. Results may vary depending on the testing environment.
The Crypto Library module supports data encryption methods approved by the Federal Information Processing Standard (FIPS) as well as additional data encryption methods not approved by FIPS. To verify the method that the software is using, see Verifying the Data Encryption Method.
The National Institute of Standards and Technology (NIST) lists CommVault's certification in the Cryptographic Module Validation Program (CMVP) FIPS 140-1 and FIPS 140-2 Modules In Process List, which covers modules tested under the CMVP.