Data Encryption Overview
Data Encryption provides the ability to encrypt data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations.
The following data encryption methods are provided:
- Software encryption allows you to encrypt data during backup jobs, auxiliary copy jobs, and data replication jobs.
The Crypto Library module supports data encryption methods approved by the Federal Information Processing Standard (FIPS) as well as additional data encryption methods not approved by FIPS.
The National Institute of Standards and Technology (NIST) lists the CommVault certification on the Cryptographic Module Validation Program (CMVP) FIPS 140-1 and FIPS 140-2 Modules In Process List, which covers modules that are currently being evaluated under the CMVP.
- Hardware encryption allows you to encrypt data on tape drives that have built-in encryption capabilities.
For information about the supported algorithms and key lengths, see Data Encryption Algorithms.
With any of the encryption methods, keys are always stored in the CommServe database. Optionally, you can also store keys on the media. This can be useful when using external tools such as Media Explorer to recover the data from the media.
- Software encryption is supported by all agents.
- Hardware encryption is supported by all MediaAgents, if the devices attached to these MediaAgents support encryption.
However, to confirm encryption support, we recommend that you refer to the drive vendor's documentation. For more information on drive types supported by SnapProtect, see Hardware Matrix.
Note: Hardware encryption is only supported by tape libraries.
- Third-party hardware encryption
Hardware encryption devices with their own key management software, such as Network Appliances (formerly Decru’s) Datafort, can be used. These inline devices are transparent to the data flow from Commvault. However, data written through these devices must be restored through these devices, and it is the customer's responsibility to provide and manage these devices.