Data Encryption - Advanced

Managing Encryption Pass-Phrase

  • The Pass-Phrase feature is deprecated. For similar functionality, use the following features:
    • Privacy to prevent other users (including administrators) from viewing the data from the client.
    • Enable Hardware Encryption to encrypt data on the media.
  • Clients with existing Pass-Phrase configurations are supported.

Data encryption for backups can be enabled with a pass-phrase, which is then required for restoring the data. The following sections describe the various operations related to the pass-phrase.

Setup Encryption Pass-Phrase

Data encryption keys can be protected with a pass-phrase before being stored in the database. The pass-phrase will be required for restoring the data.

If the database is accessed by unauthorized users, and the media is stolen, the data will still not be recoverable without the pass-phrase.

Use the following steps to enable the encryption pass-phrase:

  1. From the CommCell Console, right-click the Client and click Properties.
  2. From the Client Computer Properties for <client> dialog box, click the Advanced button.
  3. From the Advanced Client Properties dialog box, select the following:
    1. Click the Encryption tab.
    2. Click the Encrypt Data check box.
    3. In the Cipher box, select the encryption algorithm.
    4. In the Key Length box, select a key length.
    5. From the Direct Media Access (External Restore Tools) area, click either the Via Pass-Phrase or the No Access option.
    6. From the Restore Access area, click the With a Pass Phrase option.

      A Warning message will be displayed. Click OK.

    7. In the Enter Pass-Phrase dialog box, specify the Pass-Phrase and click OK.
    8. Click OK to close the Advanced Client Properties dialog box.
  4. Click OK to close the Client Computer Properties for <client> dialog box.

Export an Encryption Pass-Phrase

You can export the file containing the scrambled pass-phrase. This allows restore operations, especially scheduled restores, to complete successfully.

A <hostname>.pf file is copied to the <software installation path>\PF folders and is named for the source client.

Exporting the pass-phrase will also facilitate immediate restores, bypassing the need to enter the pass-phrase for each restore operation.

When using pass-phrase security for:
  • Migration Archiver Agents - you must export the pass-phrase to the destination client before you can run a Stub data recovery.
  • Image Level iDataAgents - you must export the pass-phrase to the MediaAgent as well as the destination client, since a portion of the volume information is restored to the MediaAgent Index Cache. When using Alternate Data Paths (GridStor), this would apply to any MediaAgent involved in the restore.

  1. From the CommCell Console, right-click the Client and click Properties.
  2. From the Client Computer Properties for <client> dialog box, click the Advanced button.
  3. From the Advanced Client Properties dialog box, select the following:
    1. Click the Encryption tab.
    2. Click the Export button.
    3. In the Destination Computer, select the name of the destination client.
    4. Enter the pass-phrase and click Export.
  4. Click OK to close the Advanced Client Properties dialog box.
  5. Click OK to close the Client Computer Properties for <client> dialog box.

Reset a Pass-Phrase

Pass phrases can be changed using the reset option.

When a pass-phrase is reset, the new pass-phrase can be used to recover data from both current and past backups. For example, if you ran a few encrypted backups with the pass-phrase set to “violet”, and then changed the pass-phrase to “purple”, you will need to enter “purple” when recovering that data. This works because the pass-phrase is used to lock the encryption keys rather than to encrypt the data itself. When the pass-phrase is modified, the keys are re-locked with the new pass-phrase.

  1. From the CommCell Console, right-click the Client and click Properties.
  2. From the Client Computer Properties for <client> dialog box, click the Advanced button.
  3. From the Advanced Client Properties dialog box, select the following:
    1. Click the Encryption tab.
    2. Click the Reset button.
    3. Enter the old and new pass-phrase and then click the Reset button.
  4. Click OK to close the Advanced Client Properties dialog box.
  5. Click OK to close the Client Computer Properties for <client> dialog box.
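
The re-locking behaviour described in this section can be modelled as key wrapping. The following is an added example, not the product's code: the KeyStore class, the PBKDF2 derivation and the HMAC-based cipher (a standard-library stand-in for a real cipher such as AES) are assumptions made for illustration.

```python
"""Model of pass-phrase "locking": the pass-phrase wraps the data key and
never touches the backup data. Added illustration, not vendor code."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a standard-library stand-in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        block = b"ks" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Invalid pass-phrase specified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kek_from_passphrase(passphrase, salt):
    """Derive the key-encryption key (KEK) from the pass-phrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class KeyStore:
    """Hypothetical stand-in for the database row holding the locked key."""

    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        dek = os.urandom(32)  # data-encryption key (DEK), generated once
        self.locked_dek = seal(kek_from_passphrase(passphrase, self.salt), dek)

    def unlock(self, passphrase):
        kek = kek_from_passphrase(passphrase, self.salt)
        return unseal(kek, self.locked_dek)

    def reset(self, old, new):
        """Re-lock the same DEK under a new pass-phrase; data is untouched."""
        dek = self.unlock(old)  # fails if the old pass-phrase is wrong
        self.salt = os.urandom(16)
        self.locked_dek = seal(kek_from_passphrase(new, self.salt), dek)


def demo():
    store = KeyStore("violet")
    dek_before = store.unlock("violet")
    backup = seal(dek_before, b"payroll.db contents (constructed)")
    store.reset("violet", "purple")  # the backup blob is not rewritten
    dek_after = store.unlock("purple")
    restored = unseal(dek_after, backup)
    try:
        store.unlock("violet")
        old_still_works = True
    except ValueError:
        old_still_works = False
    return restored, dek_before == dek_after, old_still_works


if __name__ == "__main__":
    print(demo())
```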

Setup the Pass-Phrase for Synthetic Full Backups

Explicitly enabling synthetic full backups in the CommCell Console will create a copy of unlocked encryption keys in the database, which will be accessible only to synthetic full backup operations. In this case the regular restore operations will continue to prompt for a pass-phrase, but synthetic backups will not prompt for the pass-phrase.

  1. From the CommCell Console, right-click the Client and click Properties.
  2. From the Client Computer Properties for <client> dialog box, click the Advanced button.
  3. From the Advanced Client Properties dialog box, select the following:
    1. Click the Encryption tab.
    2. Click the Encrypt Data check box.
    3. In the Cipher box, select the encryption algorithm.
    4. In the Key Length box, select a key length.
    5. From the Direct Media Access (External Restore Tools) area, click either the Via Pass-Phrase or the No Access option.
    6. From the Restore Access area, click the With a Pass Phrase option.

      A Warning message will be displayed. Click OK.

    7. Click the Enable Synthetic Full check box.
    8. In the Enter Pass-Phrase dialog box, specify the Pass-Phrase and click OK.
    9. Click OK to close the Advanced Client Properties dialog box.
  4. Click OK to close the Client Computer Properties for <client> dialog box.

Configuring Data Encryption to Use SafeNet

You can now protect SnapProtect data encryption keys with SafeNet before storing the keys in the database. These SafeNet keys are required for restore and for auxiliary copy operations.

During data encryption, plain text is encrypted with a public key and can be decrypted only with the corresponding private key. You can encrypt the private key and store it on the SafeNet server. The private key is required for restore and auxiliary copy operations.

Important:

  • If you enabled SafeNet on a deduplicated storage policy or copy, we recommend that you do not delete the SafeNet key associated with the deduplicated storage policy because for deduplicated data, the data blocks are referenced by multiple jobs. For more information, see How Deduplication Works.

    If the key is deleted, the data associated with the deduplicated storage policy or copy will not be recoverable. In this situation, you need to create a new storage policy or copy and re-associate all subclients to the new storage policy. For instructions on re-association, see Associating Subclients to a Different Storage Policy.

Procedure

To configure data encryption to use SafeNet, complete the following steps on the CommServe:

  1. Install the SafeNet Client software.
  2. Add the SafeNet Client software installation path to the PATH environment variable.

    Example: C:\Program Files\SafeNet ProtectApp\ICAPI

  3. Go to the SafeNet Client software installation directory and generate SafeNet certificates by running the req.exe file.
  4. Install the latest SnapProtect Service Pack.
  5. From the SafeNet Client software installation directory, open the ProtectAppICAPI.properties file and set the values for the following parameters.
    | Parameter | Description |
    | --- | --- |
    | KMIP_Spec_File | The location of the kmip_tags.csv file. Example: KMIP_Spec_File= C:\Program Files\SafeNet ProtectApp\ICAPI\kmip_tags.csv |
    | KMIP_IP | IP address of the SafeNet server. Note: For CommCell migration, make sure that both the source and the destination CommCells are pointing to the same SafeNet server. |
    | KMIP_Port | The port used by the SafeNet server. |
    | CA_File | The location of the localCA certificate that was downloaded from the SafeNet server. Example: software_installation_directory\Base\Certificates\CommVault.crt |
    | Cert_File | The location of the client certificate that was downloaded from the SafeNet Server. Example: software_installation_directory\Base\Certificates\signed.crt |
    | Key_File | The location of the client key that is generated when req.exe is run to generate the ClientReq and Key that is used for signing the client certificate. Example: software_installation_directory\Base\Certificates\clientKey |
    | Passphrase | The password that you specified when you ran req.exe. |
    | Log_File | The location for log files to record entries related to the SafeNet server activities. |
    | NAE_IP, NAE_Port | Comment out or remove the NAE_IP and NAE_Port parameters from the file. |
  6. Enable SafeNet on the CommServe, by running the following command:

    Syntax:

    qoperation execscript -sn SetKeyIntoGlobalParamTbl.sql -si SafeNetPropertiesFilePath -si y -si 'properties_file path_with_file name'

    Example:

    qoperation execscript -sn SetKeyIntoGlobalParamTbl.sql -si SafeNetPropertiesFilePath -si y -si 'C:\Program Files\SafeNet ProtectApp\ICAPI\ProtectAppICAPI.properties'

  7. Enable SafeNet on the appropriate storage policy copy:
    1. Create an XML file called update_Advanced.xml by copying the XML sample below, and save the file on the computer where the command will be run.

      <App_UpdateStoragePolicyCopyReq>
        <storagePolicyCopyInfo>
          <StoragePolicyCopy>
            <copyName></copyName>
            <storagePolicyName></storagePolicyName>
          </StoragePolicyCopy>
          <dataEncryption>
            <encryptData>2</encryptData>
            <encryptionType></encryptionType>
            <encryptionKeyLength></encryptionKeyLength>
            <reEncryptDataUsingCipher>2</reEncryptDataUsingCipher>
            <viaMediaPassword>2</viaMediaPassword>
          </dataEncryption>
        </storagePolicyCopyInfo>
      </App_UpdateStoragePolicyCopyReq>

    2. In a text or XML editor, open the update_Advanced.xml file and set the values for the SafeNet data encryption configuration.

      | Element | Description |
      | --- | --- |
      | encryptData | Enables data encryption on the storage policy copy. 1 (enable) and 0 (disable). |
      | encryptionType | The cipher used for data encryption: AES / BLOWFISH / DES3 / GOST / SERPENT / TWOFISH. Note: Values for encryptionType are case-sensitive. |
      | encryptionKeyLength | The key length of the cipher specified in the encryptionType element. 3-DES cipher: 192. AES (Rijndael), Blowfish, Serpent, and TwoFish ciphers: 128 or 256. GOST cipher: 256. |
      | reEncryptDataUsingCipher | Re-encrypts the data by using the specified cipher. 1 (enable) and 0 (disable). |
      | viaMediaPassword | Enables direct media access through the use of the media password option. 1 (enable) and 0 (disable). |

    3. From the software_installation_directory/Base directory, execute the following commands after substituting the element values.
      • To enable SafeNet on the storage policy copy:

        qoperation execute -af <download location>\update_Advanced.xml -copyName Copy1 -storagePolicyName SP01 -restoreAccess 1

      • To disable SafeNet on the storage policy copy:

        qoperation execute -af <download location>\update_Advanced.xml -copyName Copy1 -storagePolicyName SP01 -restoreAccess 0

      Important:

      • When a storage policy copy is using Global Deduplication Storage Policy (GDSP), enable SafeNet on the GDSP copy. SafeNet is then enabled on all dependent copies of the GDSP.
      • If the following error message is displayed while enabling SafeNet on the copy, verify the SafeNet server connectivity.

        <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
        <App_GenericArchiveGroupResp responseType="2"><error errorCode="587204905" errorMessage="Failed to get key from SafeNet server."/></App_GenericArchiveGroupResp>
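
A pre-flight check for the two files edited in this procedure, catching the mistakes the tables above warn about before qoperation is run. This is an added example, not vendor code: the function names and sample values are hypothetical, `#` as the comment marker in the properties file is an assumption, and DES3 is mapped to the 192-bit length the page lists for 3-DES.

```python
"""Pre-flight check for ProtectAppICAPI.properties and update_Advanced.xml.
Added example, not vendor code; the rules come from the tables on this page."""
import xml.etree.ElementTree as ET

REQUIRED = ["KMIP_Spec_File", "KMIP_IP", "KMIP_Port", "CA_File",
            "Cert_File", "Key_File", "Passphrase", "Log_File"]
MUST_BE_ABSENT = ["NAE_IP", "NAE_Port"]  # page: comment out or remove
# encryptionType (case-sensitive) -> allowed encryptionKeyLength values
KEY_LENGTHS = {"AES": {128, 256}, "BLOWFISH": {128, 256}, "SERPENT": {128, 256},
               "TWOFISH": {128, 256}, "DES3": {192}, "GOST": {256}}


def parse_properties(text):
    """Return active key=value pairs. Assumption: '#' starts a comment line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_properties(text):
    """List problems found in the properties file contents."""
    props = parse_properties(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not props.get(k)]
    problems += [f"{k} is still active" for k in MUST_BE_ABSENT if k in props]
    port = props.get("KMIP_Port", "")
    if port and not (port.isdecimal() and 0 < int(port) < 65536):
        problems.append(f"KMIP_Port {port!r} is not a valid port")
    return problems


def check_copy_xml(xml_text):
    """Check the cipher name and key length in update_Advanced.xml."""
    enc = ET.fromstring(xml_text).find("storagePolicyCopyInfo/dataEncryption")
    if enc is None:
        return ["dataEncryption element not found"]
    cipher = (enc.findtext("encryptionType") or "").strip()
    length = (enc.findtext("encryptionKeyLength") or "").strip()
    if cipher not in KEY_LENGTHS:
        hint = " (values are case-sensitive)" if cipher.upper() in KEY_LENGTHS else ""
        return [f"encryptionType {cipher!r} is not a listed cipher{hint}"]
    if not length.isdecimal() or int(length) not in KEY_LENGTHS[cipher]:
        return [f"encryptionKeyLength {length!r} is not valid for {cipher}; "
                f"allowed: {sorted(KEY_LENGTHS[cipher])}"]
    return []


# Constructed sample inputs (addresses, ports, paths and values are placeholders).
SAMPLE_PROPERTIES = r"""
KMIP_Spec_File=C:\Program Files\SafeNet ProtectApp\ICAPI\kmip_tags.csv
KMIP_IP=192.0.2.10
KMIP_Port=5696
CA_File=C:\certs\CommVault.crt
Cert_File=C:\certs\signed.crt
Key_File=C:\certs\clientKey
Passphrase=example-only
NAE_IP=192.0.2.10
#NAE_Port=9000
"""

SAMPLE_XML = """<App_UpdateStoragePolicyCopyReq><storagePolicyCopyInfo>
<StoragePolicyCopy><copyName/><storagePolicyName/></StoragePolicyCopy>
<dataEncryption><encryptData>1</encryptData>
<encryptionType>{cipher}</encryptionType>
<encryptionKeyLength>{length}</encryptionKeyLength>
</dataEncryption></storagePolicyCopyInfo></App_UpdateStoragePolicyCopyReq>"""

if __name__ == "__main__":
    for problem in check_properties(SAMPLE_PROPERTIES):
        print("properties:", problem)
    for cipher, length in [("AES", 256), ("aes", 256), ("DES3", 256)]:
        xml_text = SAMPLE_XML.format(cipher=cipher, length=length)
        print(cipher, length, check_copy_xml(xml_text))
```

Because ProtectAppICAPI.properties holds the Passphrase for the client key, restrict read access to that file.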

Result

When SafeNet is enabled, the following conditions apply:

  • The following text appears on the Advanced tab of the Copy Properties dialog box.

    SafeNet Encryption: Enabled

  • For new backup jobs, the SafeNet key is used to decrypt the private key during restore and Auxiliary Copy operations.

    Existing backup jobs are not affected.

  • After running backup or auxiliary copy jobs, the name of the CommServe, storage policy, and storage policy copy associated with the key, and the first and last retrieval time of the key are available from the Attributes tab of the Key Properties in the SafeNet server site.

What To Do Next

  • Optional: You can run the following qscripts to enable encryption and SafeNet by default for new storage policy copies.

    Note: To obtain the authentication code, contact your software provider.

    qoperation execscript -sn setConfigParam -si MMCONFIG_ALWAYS_ENABLE_ENCRYPTION_FOR_NEW_COPIES -si 1 -si <authentication_code> -si 0 -si 1 -si 1 -si 1 -si MM_CONFIG_SUBSYSTEM_MEDIAMANAGER -si "Always enable encryption on new copies"

    qoperation execscript -sn setConfigParam -si MMCONFIG_ALWAYS_ENABLE_SAFENET_FOR_ENCRYPTED_COPIES -si 1 -si <authentication_code> -si 0 -si 1 -si 1 -si 1 -si MM_CONFIG_SUBSYSTEM_MEDIAMANAGER -si "Always enable SafeNet encryption on new copies"

  • You can periodically rotate the SafeNet encryption keys for additional security. To do so, run the following qscript, which creates a new key in SafeNet and encrypts the private key with the new key:

    qoperation execute -af c:\Update_Advanced.xml -storagePolicyName SP01 -copyName Copy1 -rotateSafeNetKey true

Configuring the Instance for Application Command Line Encrypted Operations

For database agents like Oracle, DB2, and so on, which use Application Command Line options to run backups (that is, Oracle RMAN commands), encryption must be enabled at the client level prior to configuring any instances or subclients residing on that client.

To enable encryption for Application Command Line operations:

  1. Enable encryption on the client computer.

    See Client Encryption for instructions.

  2. Enable encryption on the subclient or instance.

    See Subclient or Instance Encryption for instructions.

Configuring the Replication Set for Data Encryption

Encryption for replication is specified on the Replication Set level, and applies to all of its Replication Pairs. For a given Replication Set, you can enable or disable encryption between the source and destination machines.

When encryption is enabled, data is encrypted on the source computer, replicated across the network to the destination computer, and decrypted on the destination computer.

For data encryption during a copyback/restore operation, you have to enable encryption on the computer which initiates the copyback/restore operation, in addition to enabling the encryption for a replication set.

  • CDR on Unix only supports the Blowfish cipher with 128-bit key length.
  • CDR on Windows supports all ciphers and key lengths.

Use the following steps to configure data encryption for a Replication Set:

  1. From the CommCell Browser, expand Client Computers | <Client> | Continuous Data Replicator.
  2. Right-click the <replication set>.
  3. Click the Replication Options tab.
  4. Click the Encrypt during data transfer check box.
  5. Click OK.

Encrypting Data During Auxiliary Copy

You can enable data encryption for a secondary copy. The data will get encrypted during an auxiliary copy operation. This is useful in the following scenarios:

  • You are sending media to an off-site location and want to ensure the data on that media is not readable should the media be lost or stolen.
  • You are performing a backup to a disk library and wish to copy that data to a tape in encrypted form, but do not want to consume the time and resources required to encrypt the data during the backup.
  • You are protecting data from multiple organizations and want to ensure one organization cannot read the data from another.
  • You wish to encrypt a portion of the source copy for off-site or long-term storage. For example, if you create a selective copy with a certain set of criteria established, the auxiliary copy encryption process will encrypt only the data satisfying those criteria.

The following table illustrates the data encrypted with Auxiliary Copy encryption:

| Storage Policy is... | Auxiliary Copy Encryption will... |
| --- | --- |
| Not encrypted | Encrypt all data. |
| Partially encrypted | Encrypt only the data that has not already been encrypted. |
| Fully encrypted | Retain existing encryption, unless configured to use a different algorithm. |

The Auxiliary Copy operation encrypts any portion of the data that has not already been encrypted during a backup. If any data on the source copy is already encrypted, the software retains that data's existing encryption, unless configured to re-encrypt the data using a different data encryption algorithm.

To enable data encryption on the storage policy copy:

  • Pass-phrase option is not supported with deduplication.

  1. From the CommCell Browser, expand Policies | Storage Policies | <Storage_Policy>.
  2. Right-click the appropriate storage policy copy, and click Properties.
  3. In the Copy Properties dialog box, click the Advanced tab, select the Encrypt Data check box, and then select the appropriate encryption settings.

    All encryption keys are supported for Auxiliary Copy encryption and are created on an individual basis for each backup.

  4. Click OK.

Verifying the Data Encryption Method

Use the following steps to verify the data encryption method:

From CommServe Level:

  1. From the CommCell Browser, right-click the CommServe.
  2. On the Version tab, verify the Crypto Library Version is 1.0, and then click OK.

From the Client Level:

  1. From the CommCell Browser, expand Client Computers.

  2. Right-click the appropriate client, and then click Properties.

  3. From the Client Computer Properties dialog box, click Advanced.
  4. On the Encryption tab of the Advanced Client Properties dialog box, verify that Encrypt Data is enabled, and that the Data Encryption Algorithm Cipher is set to an algorithm that suits your environment:
    • AES or 3-DES (approved by FIPS).

    • Blowfish, Serpent or Twofish (not approved by FIPS).

  5. Click OK, and then click OK again to close the Client Computer Properties dialog box.

Disabling Encryption

Once you have enabled encryption functionality at the client level, there are different approaches to backing out of the functionality. See the following results for each approach:

  • If an exported pass-phrase was not synchronized with the last source client's pass-phrase at the time encryption was disabled (setting change from With a Pass-Phrase directly to Disabled), subsequent recovery operations may present an erroneous message "Invalid pass-phrase specified. Please check the spelling and try again".
    • If the data you are recovering was not encrypted, this message can be ignored as the recovery will run successfully.
    • If the data was encrypted with pass-phrase protection, you will need to provide the correct (last) source client's pass-phrase.
  • When you disable encryption after having exported pass-phrase, the exported file is not deleted. To remove the file, locate the <hostname>.pf file in the <software installation path>\PF folder that is named for the source client.

When disabling pass-phrase for:

  • Migration Archiver Agents - Do not delete the exported synched pass-phrase file when a Migration Archiver Agent is present on the client computer. If a migration archiving operation was done using encryption and the key is deleted, stub recoveries will not be possible. At that point, your remaining option would be to perform a browse/recovery and provide the correct Decryption key.

    Exchange data that has been archived with pass-phrase encryption cannot be recovered from Outlook or OWA, but can be recovered by performing a Browse and Recovery operation from the CommCell Console.

Related Reports

Jobs in Storage Policy Copies Report

The Jobs in Storage Policy Copies report displays information about data encryption jobs that are associated with the specified storage policy copies. In this report:

  • Jobs with data encryption are displayed with superscript character E.
  • Jobs with hardware encryption are displayed with superscript characters HE.

See Jobs in Storage Policy Copies Report for more information.

Storage Information Report

The Storage Information report displays detailed information about the media that is associated with each storage library, the media location, media that has encrypted data and so on. In this report:

  • Media with encrypted data are displayed with superscript characters e1.
  • Media with encrypted and non-encrypted data are displayed with superscript characters e2.

See Storage Information Report for more information.

Storage Policy Report

The Storage Policy report displays detailed information about storage policies in the CommCell, including subclient association, properties of the storage policy, deduplication, data encryption and so on.

See Storage Policy Report for more information.

License Requirement

You can choose to use one of the following licensing mechanisms:

  • Traditional License, based upon products and features in your CommCell.
  • Capacity License, based on the amount of data you want to protect.

For comprehensive information on licensing, see License Administration.

Traditional License

You must obtain the following licenses:

| Feature | License Type | License Consumption |
| --- | --- | --- |
| Data Encryption | Data Encryption | 1 license per CommCell |
| Auxiliary Copy Data Encryption | Auxiliary Copy Encryption | 1 license per MediaAgent |

Capacity License

You must obtain one of the following licenses:

| License Type | License Consumption |
| --- | --- |
| Data Protection Core infrastructure | 1 license per CommCell for n Terabytes (TB) of protected data |
| Data Archive Core infrastructure | 1 license per CommCell for n Terabytes (TB) of protected data |
| Data Protection Enterprise infrastructure | 1 license per CommCell for n Terabytes (TB) of protected data |
| Data Archive Enterprise infrastructure | 1 license per CommCell for n Terabytes (TB) of protected data |

Performing Data Encryption Configurations from the Command Line Interface

You can perform the following data encryption configurations through the command line:

Set Encryption Properties (setencryptionprops)

Description

This command allows you to set encryption properties for a given client.

In case of an error, an error code and description are displayed as: "setencryptionprops: Error errorcode: errordescription"

Usage

qoperation setencryptionprops [-cs <commserve_host_name>] -c <client> -encryptdata <encrypt> [-cipher <cipher>] [-keylength <keylength>] [-restoreaccess <restoreaccess>] [-synthfull <synthfull>] [-mediaaccess <mediaaccess>] [-passphrase <passphrase>] [-af <argsfile>] [-h]

Options

-cs CommServe host name
-c Client computer name
-encryptdata Encrypt data.
-cipher Data Encryption Algorithm (BLOWFISH|GOST|AES|SERPENT|TWOFISH|3-DES)
-keylength Key Length(128|256)
-restoreaccess Restore Access Type (regular|passphrase)
-synthfull Enable Synthetic Full. Valid values are 'y' and 'n'
-mediaaccess Direct Media Access (password|passphrase|noaccess)
  • The Pass-Phrase feature is deprecated.
  • Clients with existing Pass-Phrase configurations are supported.
-passphrase Pass-Phrase Present. Valid values are 'y' and 'n'
  • The Pass-Phrase feature is deprecated.
  • Clients with existing Pass-Phrase configurations are supported.
-af Reads arguments from a file
-tf Reads token from a file
-tk Token string
-h Displays help

Argument Files

For information on creating an argument file, see Command Line - FAQ - How do I use argument files in commands.

server CommServe host name
client Client computer name
encryptdata Encrypt Data. Valid values are 'y' and 'n'
cipher Data Encryption Algorithm (BLOWFISH|AES|SERPENT|TWOFISH|3-DES)
keylength Key Length(128|256)
restoreaccess passphrase
synthfull Enable Synthetic Full. Valid values are 'y' and 'n'
mediaaccess Direct Media Access (password|passphrase|noaccess)
  • The Pass-Phrase feature is deprecated.
  • Clients with existing Pass-Phrase configurations are supported.
passphrase Pass-Phrase Present. Valid values are 'y' and 'n'
  • The Pass-Phrase feature is deprecated.
  • Clients with existing Pass-Phrase configurations are supported.

Diagnostics

Possible exit status values are:

0 - Successful completion.

1 - CLI usage failures, due to the use of an unsupported option or missing argument.

2 - Any other failure.

Example

  • To set Data Encryption Algorithm:

qoperation setencryptionprops -c "client1" -encryptdata y -cipher SERPENT
Updated client (client1) encryption properties successfully.

  • To set the Data Encryption Algorithm to BLOWFISH with a key length of 256:

qoperation setencryptionprops -c "client1" -encryptdata y -cipher BLOWFISH -keylength 256
Updated client (client1) encryption properties successfully.

Setting a Pass-Phrase (setpassphrase)

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

Description

This command allows you to set the passphrase for a given client.

Prerequisites:

  • Encryption option should be enabled.
  • Media Access option should not be "via Pass-phrase".

In case of an error, an error code and description are displayed as: "setpassphrase: Error errorcode: errordescription"

Usage

qoperation setpassphrase [-cs <commserve_host_name>] -c <client> -o <operation> [-h]

Options

-cs CommServe host name
-c Client computer name
-o operation (create|modify)
-tf Reads token from a file
-tk Token string
-h Displays help

Diagnostics

Possible exit status values are:

0 - Successful completion.

1 - CLI usage failures, due to the use of an unsupported option or missing argument.

2 - Any other failure.

Example

  • To modify a pass-phrase:

    qoperation setpassphrase -c "c1" -o "modify"

    Old Pass-Phrase:
    New Pass-Phrase:
    New Pass-Phrase Again:
    Modified Pass-Phrase Successfully.

  • If a pass-phrase does not exist and the user tries to modify it:

    qoperation setpassphrase -c "c1" -o "modify"

    Old Pass-Phrase:
    New Pass-Phrase:
    New Pass-Phrase Again:
    setpassphrase: Error 0x13f: Pass-Phrase not exist for the client.

Related Topics

Hardware Encryption

Provides information on Hardware Encryption and Key Management.