Data Encryption - Online Help

Client Computer Properties (Encryption)

Use this dialog box to select data encryption options for the selected client. These settings will only impact supported agents residing on the client.

Encrypt Data

When selected, enables data encryption options for the selected client.

Data Encryption Algorithm

  • Cipher

    Displays the ciphers available for encrypting the client's data.

  • Key Length

    Displays the key lengths available for the selected cipher. Note that the key length options displayed will vary according to the selected cipher.

Restore Access

  • The Restore Access (pass-phrase) feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

This group of settings specifies CommServe encryption key management policy, i.e., how the encryption keys are stored and accessed in the CommServe database.

  • Regular

    When selected, encryption keys are stored in the CommServe database unlocked, so encrypted data can be recovered without providing a pass-phrase. Anyone who obtains a copy of the database (or of its backups) also obtains usable keys. Use this mode only if you trust your CommServe and protect it, and its database, from unauthorized access by other means.

  • With a Pass-Phrase

    Initially enabled after selecting the Direct Media Access option Via Pass-Phrase.

    When selected, encryption keys are locked with a user-supplied pass-phrase before being stored in the CommServe database. Even if the database is compromised, the keys are unusable without the pass-phrase. Note that in this mode encrypted data cannot be recovered without entering the correct pass-phrase.

    Do not choose a trivial or one-word pass-phrase. In this mode the pass-phrase alone defines the security of your data: the longer and less predictable it is, the less likely it is to be guessed by a third party.

    Loss of the pass-phrase means loss of all data previously protected; there is no other way to unlock the keys.

    If you want to recover encrypted data without providing the pass-phrase for every recovery operation, export the source computer's pass-phrase to the destination computer.

    Enable Synthetic Full

    When selected, synthetic full data protection jobs can run while data encryption is enabled. A synthetic full job recovers existing backup data into a temporary buffer in memory, so it needs access to the data encryption keys in the CommServe database, and in this mode those keys are locked with the pass-phrase.

    If you want the convenience of scheduled Synthetic Full jobs at the cost of weaker security, leave this option enabled. It stores a second, unlocked copy of the encryption keys in the CommServe database for use by synthetic full jobs only. Note that this restriction is enforced by the software, not by the pass-phrase: anyone who obtains a copy of the database also obtains this unlocked copy, which partly defeats the purpose of With a Pass-Phrase.

    Alternatively, clear this option and export the pass-phrase to the MediaAgent computer on which the Synthetic Full job runs.

Direct Media Access (External Restore Tools)

The following options are available for key management, which is useful for recovering data. Note that by default a copy of the encryption key is stored in the CommServe Database Engine and will be used by all data recovery operations using the CommCell Console.

  • Via Media Password

    When selected, a copy of the encryption key is stored on the media, protected by the Media Password. Anyone who holds the media and knows the Media Password can recover the data with external restore tools, so treat the Media Password with the same care as the encryption keys themselves.

    Be sure to specify a valid Media Password when selecting this option.

  • Via Pass-Phrase

    • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
    • Clients with existing Pass-Phrase configurations are supported.

    When selected, encryption keys are locked with the user-supplied pass-phrase before being stored on the storage media. This mode is much more secure than Via Media Password, as the keys cannot be recovered without the pass-phrase. When trying to recover such data, you are prompted to provide the correct pass-phrase.

  • No Access

    When selected, encryption keys will not be stored on the storage media at all. This represents the highest media security level (regular CommCell Console/Database-driven recovery operations will still work).

Pass-Phrase

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

  • Reset

    Enabled after an initial pass-phrase has been configured.

    When selected, opens the Reset Pass-Phrase dialog box.

  • Export

    Enabled after an initial pass-phrase has been configured.

    When selected, opens the Export Pass-Phrase dialog box.

Encryption

Use this dialog box to select the data encryption options for the selected content. When accessing this dialog box from the Subclient Properties Encryption tab, this setting applies only to the selected subclient content for operations run from the CommCell Console. When accessing this dialog box from the Instance Properties Encryption tab, this setting applies only to third-party Command Line operations. The functionality is not propagated to the Subclient Properties Encryption tabs.

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

None

When selected, no encryption will take place during backup operations.

Media Only (MediaAgent Side)

When selected, for backup operations, data is sent from the client to the MediaAgent unencrypted and encrypted by the MediaAgent before it is written to media, so the backup stream is in clear text on the network. During restore operations, data is decrypted by the client.

When using this setting together with the client property With a Pass-Phrase, you must provide a pass-phrase for restore operations unless you export the client pass-phrase to the destination client(s). When using pass-phrase security for third-party Command Line operations or File Archiver Agent stub recovery operations, you must export the pass-phrase to the destination client.

Network and Media (Agent Side)

When selected, for backup operations, data is encrypted before transmission and is stored encrypted on the media. During restore operations, data is decrypted by the client.

When using this setting in conjunction with the client property With a Pass-Phrase, you will be required to provide a pass-phrase for restore operations unless you export the client pass-phrase to the destination clients.

Network Only (Agent Encrypts, MediaAgent Decrypts)

When selected, for backup operations, data is encrypted for transmission and decrypted by the MediaAgent before it is stored on the media, so data at rest on the media is not encrypted. During restore operations, data is encrypted by the MediaAgent for transmission and decrypted by the client.

Since the data on media is not encrypted, using this setting together with the client property With a Pass-Phrase does not require a pass-phrase for restore operations.

Script Preview

Click to display the backup script, based on the current subclient configuration, that will be submitted to third-party applications (for example RMAN for Oracle) when backups are performed for the selected subclient. (This option is available for agents that support script preview.)

Export Pass-Phrase

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

Use this dialog box to export the selected pass-phrase to the destination client computer(s). The pass-phrase is written to a <hostname>.pf file, named for the source client, in the <software installation path>\PF folder on each destination. That file is what lets recovery run without a prompt, so restrict access to it with the file system's permissions and remove it when it is no longer needed. Disabling encryption later, at the client or subclient level, does not delete exported files; remove them yourself.

Exporting a pass-phrase facilitates scheduled data recovery operations run from the CommCell Console, automatically bypassing the requirement of manually entering a pass-phrase. If you elect not to export the pass-phrase to destination clients, you will be required to enter the pass-phrase during immediate data recovery operations run from the CommCell Console.

Situations for which you must export the pass-phrase:

  • To run scheduled data recovery operations
  • For the DataArchiver Agent to run a Stub data recovery
  • For third-party Command Line data recovery operations

Destination Computer

Select a client computer from the list of CommCell clients.

Pass-Phrase

Enter the source client's pass-phrase.

Re-enter Pass-Phrase

Re-enter the source client's pass-phrase for confirmation. Only one pass-phrase is allowed per client at any time. If you later change the pass-phrase in the GUI, you must export it to the destination client again.

Reset Pass-Phrase

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

Use this dialog box to reset the pass-phrase that protects the client's private key. The pass-phrase protects encryption keys in the CommServe database and on media from unauthorized access.

Only one pass-phrase is allowed per client at any time. If you change the pass-phrase, it affects both future and past data protection operations.

For example, if you ran a few encrypted data protection operations with the pass-phrase set to “violet” and then changed it to “purple”, you must enter “purple” when recovering that data. This works because the pass-phrase locks the encryption keys rather than encrypting the data itself: when the pass-phrase is changed, the keys are re-locked with the new pass-phrase and the data on media is untouched. The old pass-phrase no longer unlocks anything, so media written before the reset is recoverable only with the current pass-phrase.
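The key-locking model behind With a Pass-Phrase, Enable Synthetic Full and the violet/purple example above, as an added example that is not Commvault's code. The script models a client record as the CommServe database would hold it: the data key (DEK) is stored only in a form locked by a key derived from the pass-phrase, a reset re-locks the same DEK, and Enable Synthetic Full adds an unlocked copy that a stolen database can use without any pass-phrase. Everything in it is assumed for illustration: PBKDF2 as the key derivation, an HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of the product's ciphers, a dict in place of the database record, and the function names (new_client, reset_passphrase, enable_synthetic_full, restore_from_stolen_db) are hypothetical. It runs on the Python standard library only.

```python
# Added example, not Commvault code: pass-phrases lock keys, they do not
# encrypt data. The product's real ciphers and database layout are not
# reproduced; an HMAC-SHA256 keystream plus an encrypt-then-MAC tag stands in
# for the data cipher so this runs on the standard library alone.
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumed value; slows brute force of a stolen locked key

def derive_kek(passphrase, salt):
    """Key-encryption key derived from the user's pass-phrase (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=32)

def _subkeys(key):
    # Separate keys for the keystream and the tag, derived from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Authenticated encryption: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Reverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def new_client(passphrase):
    """Client record (hypothetical layout) with Restore Access = With a
    Pass-Phrase: the database holds only a locked copy of the data key."""
    dek, salt = os.urandom(32), os.urandom(16)
    return {"salt": salt,
            "locked_dek": seal(derive_kek(passphrase, salt), dek),
            "unlocked_dek": None}  # set only by Enable Synthetic Full

def unlock_dek(rec, passphrase):
    return unseal(derive_kek(passphrase, rec["salt"]), rec["locked_dek"])

def backup(rec, passphrase, data):
    return seal(unlock_dek(rec, passphrase), data)  # what is written to media

def restore(rec, passphrase, blob):
    return unseal(unlock_dek(rec, passphrase), blob)

def reset_passphrase(rec, old, new):
    """Reset Pass-Phrase: the same DEK is re-locked under the new pass-phrase.
    Media written earlier is untouched, so it now opens with `new` only."""
    dek = unlock_dek(rec, old)  # fails unless the old pass-phrase is correct
    rec["salt"] = os.urandom(16)
    rec["locked_dek"] = seal(derive_kek(new, rec["salt"]), dek)

def enable_synthetic_full(rec, passphrase):
    """Leaves a second, unlocked DEK copy in the record, as the option does."""
    rec["unlocked_dek"] = unlock_dek(rec, passphrase)

def restore_from_stolen_db(rec, blob):
    """What someone holding only a copy of the database can do."""
    if rec["unlocked_dek"] is None:
        raise PermissionError("only a pass-phrase-locked key is available")
    return unseal(rec["unlocked_dek"], blob)

def demo():
    data = b"constructed backup payload"  # constructed sample input
    rec = new_client("violet")
    blob = backup(rec, "violet", data)
    reset_passphrase(rec, "violet", "purple")
    out = {"purple_restores": restore(rec, "purple", blob) == data}
    try:
        restore(rec, "violet", blob)
        out["violet_restores"] = True
    except ValueError:
        out["violet_restores"] = False
    try:
        restore_from_stolen_db(rec, blob)
        out["db_copy_alone"] = True
    except PermissionError:
        out["db_copy_alone"] = False
    enable_synthetic_full(rec, "purple")
    out["db_copy_after_synthetic_full"] = restore_from_stolen_db(rec, blob) == data
    return out

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the four outcomes the page describes: the backup made under “violet” restores with “purple” after the reset and no longer with “violet”; a copy of the database alone cannot open it while only the locked key exists; and once Enable Synthetic Full has stored an unlocked copy, the database copy alone is enough.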

Old Pass-Phrase

Enter the old pass-phrase.

New Pass-Phrase

Enter the new case-sensitive pass-phrase.

Re-enter New Pass-Phrase

Re-enter the new pass-phrase for confirmation.

Advanced Encryption Options

Use this dialog box to select advanced data encryption options for the selected client. These settings will only impact supported agents residing on the client. Refer to Books Online for a complete listing of products that support data encryption.

The Restore Access, Direct Media Access (External Restore Tools) and Pass-Phrase settings in this dialog box are the same as those described under Client Computer Properties (Encryption) above.

Advanced Restore Options (Encryption)

  • The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.
  • Clients with existing Pass-Phrase configurations are supported.

Use this tab to provide the pass-phrase during data recovery operations.

Pass-Phrase

Enter the pass-phrase that is currently assigned to the client, whose data you are restoring. Note that if you have changed the pass-phrase since you secured the client data, you need to provide the new pass-phrase here, not the old one.

Re-enter Pass-Phrase

Re-enter the pass-phrase for confirmation.

If you attempt an immediate restore of encrypted data that was pass-phrase protected without entering the pass-phrase here, the restore operation will fail.

If an exported pass-phrase is set up and you also enter a pass-phrase here under Decryption, the value you enter overrides (it does not overwrite) the exported client pass-phrase for this restore. The stored pass-phrase is not changed, but if you enter it incorrectly the restore fails even though the exported pass-phrase is valid.