Configuring Data Encryption on a Storage Policy Copy
You can enable encryption on a storage policy copy to encrypt data during data protection operations. Data Encryption on a storage policy copy is useful in the following scenarios:
- You are sending media to an off-site location, and you want to ensure that the data on media is not readable if the media is lost or stolen.
- You are performing a backup to a disk library and you want to copy that data to a tape in encrypted form. However, you do not want to consume the time and resources required to encrypt the data during the backup.
- You are protecting data from multiple organizations and you want to ensure one organization cannot read the data from another.
About This Task
- By default, data encryption is not enabled in the primary copy. But you can enforce data encryption on all the copies as follows:
- By selecting the Software Encryption (using Blowfish with Key Length 128) option while creating the storage policy. For more information, see Storage Policy - Getting Started.
- By enabling the Always enable encryption on new copies option in Media Management Configuration: Service Configuration. This enables software encryption (using Blowfish with Key Length 128) in the storage policy copies, even if the encryption setting is not selected explicitly while creating a new Storage Policy or a new secondary copy. (If necessary, you can modify the default encryption settings from the Storage Policy Copy Properties after the storage policy is created. )
- For new secondary copies, Preserve encryption mode as in source option is selected by default when the Always enable encryption on new copies is not enabled.
- If needed, the Use Storage Policy Settings option can be enabled from the Advanced Client Properties dialog box to manage the encryption settings for all the clients pointing to the storage policy. (See Configuring Data Encryption on a Client for information on enabling this option.)
The encryption settings and the resultant behavior:
Always Enable Encryption On New Copies Primary Copy Secondary Copy On Encryption is enabled Re-encrypts the data Off Encryption is not enabled Preserve encryption mode as in source option is selected then no data is encrypted. However, if clients have encrypted data then that encryption is preserved.
- Data encryption keys are generated per storage policy copy of the archive file. If there are multiple copies in a storage policy, the same archive files in each copy gets a different encryption key. Individual archive files, however, will have different encryption keys.
Note: When encryption is enabled on a storage policy copy, data can be encrypted before writing it to the media and keys are stored in the CommServe database. If the media is misplaced, recovery of the data without the CommServe is impossible.When the Always enable encryption on new copies option is enabled in Media Management Configuration: Service Configuration tab, software encryption (using Blowfish with Key Length 128) is enabled in the primary copy, even if the encryption setting is not selected explicitly during the storage policy creation process.
- When encryption is enabled on a storage policy copy, data can be encrypted before writing to the media and keys are stored in the CommServe database. If the media is misplaced, recovery of the data without the CommServe is impossible.
- From the CommCell Browser, expand Policies > Storage Policies > storage_policy.
- Right-click the appropriate storage policy copy, and then click Properties.
- In the Copy Properties dialog box, on the Advanced tab, select the following settings:
- For primary copy, select the Encrypt Data check box.
- For auxiliary copy operation, choose one of the following data encryption options.
Note: The Preserve encryption mode as in source, Re-encrypt data using selected cipher, and Store plain text options are applicable only for secondary copy.
Options Description Preserve encryption mode as in source Data is copied to secondary storage with the existing cipher used to encrypt the backup data.
Re-encrypt data using selected cipher The backup data to be copied is re-encrypted with the cipher used on the selected storage policy copy. Store plain text The backup data to be copied is stored as plain text on the secondary storage. Encrypt on network using selected cipher The backup data to be copied is encrypted during transmission and then stored as plain text on the secondary storage.
- Under Data Encryption Algorithm, select the following:
- From the Cipher list, select appropriate encryption algorithm.
- From the Key Length list, select appropriate key length.
- Under Direct Media Access (External Restore Tools), choose whether to enable or disable the encryption keys store:
- To enable the encryption keys store on the media, select Via Media Password.
- To disable the encryption keys store on the media, select No Access.
For detailed information, see Copy Properties Advanced.
- Click OK.
What to Do Next
Enable the Disallow changes to encryption settings on storage policy option in Media Management Configuration: Service Configuration tab to prevent the encryption settings from being accidentally altered by users once it is established.
Tip: After changing the value, press F5 to refresh the setting in the Storage Policy Copy to ensure that the change is reflected in the copies.