Last post 04-19-2018, 6:13 PM by jpeake. 6 replies.
  • Encryption
    Posted: 03-27-2018, 10:02 AM


    I have enabled HW Encryption and selected "Via Media Password" for Direct Media Access (Properties of the Data Path in the Storage Policy Copy).

    I am not asked for a password however.

    This seems strange to me. How does this work then?

    Second question, is Commvault Software Compression a better choice? I only want Encryption (at rest) on the Secondary Copy to Tape (not needed for the Primary Copy on Disk).


  • Re: Encryption
    Posted: 03-27-2018, 7:57 PM

    Hi iConsultant

    For HW Encryption, using "Via Media Password" for Direct Media Access, the reason why a password is not required is as follows:

    "When selected, hardware encryption of data (with a copy of the encryption key stored in the media) will be enabled on all data paths with tape drives."

    As such a password will not be required.

    Reference Documentation - http://documentation.commvault.com/commvault/v11/article?p=14083.htm (search on Hardware Encryption (Direct Media Access: Via Media Password))

    Also for CommVault Software Compression, it would be recommended, so we can reduce capacity footprint before writing to Media Library. 

    Thank you 


  • Re: Encryption
    Posted: 03-28-2018, 4:19 AM

    Thanks for your answer!

    But if the copy of the key is stored on the media and no password is needed, what does that mean for encryption? That still everyone can access the data using an external tool, outside the CommCell? Then what's the use of it? (Just asking.)

    By the way, I meant Commvault Software Encryption (instead of Compression). Can I use Software Encryption for backups on Tape only (at rest), is that a good idea and how to configure that?


    Btw I attach a screenshot of the options that confuse me so much.

  • Re: Encryption
    Posted: 03-29-2018, 4:06 AM

    If the key is on the media then in theory someone can access your data.
    Most secure way would be the "No Access" option, this way the only way to recover data is by using the Commvault database as here the keys are a known factor.

    Encryption can be set on storage policy copy level (advanced tab), I would recommend AES 256 bit.

    Jos Meijer
    Senior Technical Consultant
  • Re: Encryption
    Posted: 03-29-2018, 4:47 AM

    Thanks, seems valid.

    When I do NOT encrypt data on the Primary Copy to Disk, then should I choose "Re-encrypt data..."?

    Re-encrypt also meaning "encrypt (for the first time)" probably.

  • Re: Encryption
    Posted: 03-29-2018, 4:54 AM

    If the primary copy is not encrypted you will need to set the Re-encrypt option to be able to select an algorithm for the secondary copy, assuming you do not use global deduplication.

    Otherwise the global deduplication setting will be leading, btw the encryption is grayed out in this case within the advanced tab of the storage policy copy.

    Global deduplication encryption settings can be found on the global ddb storage policy's primary copy properties - advanced tab.

    Jos Meijer
    Senior Technical Consultant
  • Re: Encryption
    Posted: 04-19-2018, 6:13 PM

    If you are using HW encryption on the tape drives (this is enabled on each path on "data paths" tab), then you should select "store plain text" on the advanced tab. No sense having CV software encrypt and in addition having tape hardware encrypt.
