Configuring Encryption Key Management using Third-party Key Management Server
You can now protect SnapProtect software encryption keys with a third-party key management server before storing the keys in the CommServe database. These third-party keys are required for restore and for auxiliary copy operations.
During data encryption, the data encryption key is encrypted with the storage policy copy RSA public key and can be decrypted only with the corresponding private key. The private key is encrypted using a master key from the third-party key management server. The master key is required for restore and auxiliary copy operations.
If you enabled third-party key management server on a deduplicated storage policy or copy, do not delete the third-party key associated with the deduplicated storage policy because for deduplicated data, the data blocks are referenced by multiple jobs. For more information, see How Deduplication Works.
If the key is deleted, the data associated with the deduplicated storage policy or copy will not be recoverable. In this situation, you need to create a new storage policy or copy and re-associate all subclients to the new storage policy. For instructions on re-association, see Associating Subclients to a Different Storage Policy.
Before You Begin
- Make sure that encryption is enabled on the clients. For instructions, see Configuring Data Encryption on a Client.
- Obtain the third-party key management server CA certificates.
- Obtain the client certificates. Your CommServe machine is the client.
To configure data encryption to use a third-party key management server, complete the following steps on the CommServe:
1. Go to the Base directory of the SnapProtect software installation.
2. Copy the configuration file KMIPServers_Template.ini to your desired location.
   You need to configure the details of the third-party key management server in this file. This file contains example configurations for a single server and a cluster server. You can add multiple key management server configurations in one file, or create a separate file for each key management server.
3. In the KMIPServers_Template.ini file, enter the values for the following parameters:
   - KeyProviderName: The name of the key provider. Currently, Safenet and Vormetric key providers are supported. Use this same name when adding the key management server in step 4.
   - host: The IP address or hostname of the third-party key management server. For a cluster server, add the host values of all servers separated with commas.
     Note: For CommCell migration, make sure that both the source and the destination CommCells point to the same third-party key management server.
   - port: The port used by the key management server. For a cluster server, all servers should use the same port.
   - certfile: The location of the client certificate.
   - keyfile: The location of the client certificate key.
   - ca_certs: The location of the key management server CA certificate.
4. Add the third-party key management server. For instructions, see Adding a Key Management Server.
5. Associate the third-party key management server to a storage policy copy. For instructions, see Associating Storage Policy Copies to a Key Management Server.
When the third-party key management server is enabled:
- The following text appears on the Advanced tab of the Copy Properties dialog box.
SafeNet Encryption: Enabled
- For new backup jobs, the third-party key is used to decrypt the private key during restore and Auxiliary Copy operations.
Existing backup jobs are not affected.
- After running backup or auxiliary copy jobs, the name of the CommServe, storage policy, and storage policy copy associated with the key, and the first and last retrieval time of the key are available from the Attributes tab of the Key Properties in the third-party key management server site.
What To Do Next
- Associate one or more storage policy copies to the third-party key management server. For instructions, see Associating Storage Policy Copies to a Key Management Server.
Also make sure that the storage policy associated with the third-party key management server is associated with the subclients that you plan to encrypt.
For each subclient, you can also select where the encryption is performed for the subclient data. For instructions, see Configuring Data Encryption on a Subclient or an Instance.
- You can periodically rotate the third-party key management server encryption keys for additional security. For instructions, see Rotating Master Key for a Storage Policy Copy.