Advanced Encryption Options

Use this dialog box to select advanced data encryption options for the selected client. These settings will only impact supported agents residing on the client. Refer to Books Online for a complete listing of products that support data encryption.

Restore Access

The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.

See End-of-Life, Deprecated and Extended Support - Features for comprehensive information on deprecated features.

This group of settings specifies CommServe encryption key management policy, i.e., how the encryption keys are stored and accessed in the CommServe database.

  • Regular

    When selected, encryption keys are stored in the CommServe database unlocked, and encrypted data can be recovered without providing a pass-phrase. Use this mode only if you trust your CommServe and have other mechanisms in place to protect it from unauthorized access.

  • With a Pass-Phrase

    Initially enabled after selecting the Direct Media Access option Via a Pass-Phrase.

    When selected, encryption keys are locked with a user-supplied pass-phrase before being stored in the CommServe database. Even if the database has been compromised, the encryption keys are still unusable without the pass-phrase. Note that in this mode encrypted data cannot be recovered without entering a correct pass-phrase.

    Do not choose a trivial or one-word pass-phrase. Remember that in this mode it is the pass-phrase that defines the security of your data. The more elaborate it is, the less likely it is to be guessed by a third party.

    Losing the pass-phrase means losing all data previously protected with it.

    If you want to recover encrypted data without having to provide the pass-phrase for every recovery operation, you can export the source computer's pass-phrase to a destination computer.
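
Added example (not Commvault code, and not a description of how the product stores keys): a Python sketch of the difference between the Regular and With a Pass-Phrase modes described above. The record layout, function names, PBKDF2 work factor and the XOR-pad-plus-HMAC wrap (a standard-library stand-in for a real key-wrap algorithm such as AES Key Wrap) are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, tune for your hardware


def _subkeys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the pass-phrase, then split the result into a pad key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    pad = hmac.new(master, b"pad", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return pad, mac_key


def store_key(dek: bytes, passphrase: str | None = None) -> dict:
    """Build the record a key database would hold for one 32-byte data key."""
    if len(dek) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    if passphrase is None:  # "Regular": the key itself sits in the database
        return {"mode": "regular", "key": dek}
    salt = secrets.token_bytes(16)  # fresh per record, so the pad is never reused
    pad, mac_key = _subkeys(passphrase, salt)
    locked = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + locked, hashlib.sha256).digest()
    return {"mode": "pass-phrase", "salt": salt, "locked": locked, "tag": tag}


def load_key(record: dict, passphrase: str | None = None) -> bytes:
    """Recover the data key from a stored record."""
    if record["mode"] == "regular":
        return record["key"]  # database access alone is enough
    if passphrase is None:
        raise ValueError("pass-phrase required to unlock this key")
    pad, mac_key = _subkeys(passphrase, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["locked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong pass-phrase or corrupted key record")
    return bytes(a ^ b for a, b in zip(record["locked"], pad))


if __name__ == "__main__":
    dek = secrets.token_bytes(32)  # constructed sample key
    rec = store_key(dek, "four unrelated constructed words")  # constructed pass-phrase
    assert load_key(rec, "four unrelated constructed words") == dek
    print(sorted(rec))  # the stored record holds no usable key material
```

In the pass-phrase record nothing stored is sufficient to rebuild the key, so an attacker holding a copy of the database is reduced to guessing the pass-phrase, and a forgotten pass-phrase leaves the key unrecoverable for the owner as well.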

Enable Synthetic Full

When selected, indicates that synthetic full data protection jobs can be performed when data encryption is enabled. Since running synthetic full data protection operations involves recovering data to a temporary buffer in memory, such data protection operations need a pass-phrase to access data encryption keys in the CommServe database.

If you want the convenience of scheduling Synthetic Full data protection operations at the expense of slightly weaker security, leave this option enabled. This will create another instance of unlocked encryption keys in the CommServe database, which can be used by synthetic full data protection operations only.

Alternatively, you can clear this option and then export the pass-phrase to the MediaAgent computer in which the Synthetic Full job is run.

Direct Media Access (External Restore Tools)

The following options are available for key management, which is useful for recovering data. Note that by default a copy of the encryption key is stored in the CommServe Database Engine and will be used by all data recovery operations using the CommCell Console.

  • Via Media Password

    When selected, this specifies that a copy of the encryption key will be stored in the media.

    Note: Be sure to specify a valid Media Password when selecting this option.

  • Via Pass-Phrase

    The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.

    See End-of-Life, Deprecated and Extended Support - Features for comprehensive information on deprecated features.

    When selected, encryption keys are locked with the user-supplied pass-phrase before being stored on the storage media. This mode is much more secure than Via Media Password, as the keys cannot be recovered without the pass-phrase. When trying to recover such data, you are prompted to provide the correct pass-phrase.

  • No Access

    When selected, encryption keys will not be stored on the storage media at all. This represents the highest media security level (regular CommCell Console or Database-driven recovery operations will still work).

Pass-Phrase

The Pass-Phrase feature is deprecated. For similar functionality, use Privacy.

See End-of-Life, Deprecated and Extended Support - Features for comprehensive information on deprecated features.

  • Reset

    Enabled after an initial pass-phrase has been configured.

    When selected, opens the Reset Pass-Phrase dialog box.

  • Export

    Enabled after an initial pass-phrase has been configured.

    When selected, opens the Export Pass-Phrase dialog box.