FAQ - Encryption in Commvault
Commvault offers a stand-alone Key Management System (KMS), in which the keys are generated randomly. The keys are then encrypted and stored in the CommServe database.
In addition, it is possible to use the KMS of a third-party provider (third-party KMS). In principle, implementations that use the Key Management Interoperability Protocol (KMIP) or specific key management implementations from Amazon Web Services or Microsoft Azure are supported.
last changed on 01/08/2024
The master key decrypts the key encryption key (KEK).
In Passphrase Key Management, the master keys are stored on at least two systems and allow the data to be decrypted when it is backed up or restored. The master key enables internal encryption in the direction of the database, whereby the randomly generated key is additionally secured before it is stored in the database. The storage location of the key files is configurable, but at least two existing systems in the Commvault environment must be specified as a prerequisite for the backup.
last changed on 01/08/2024
The Passkey for Restore is an access management system that provides additional password protection for the symmetric key used to decrypt the backed-up data. If the passkey is lost, the backed-up data is also irrevocably lost. This feature is not used to encrypt data in the backup path or storage destination. Backed-up data in Commvault is natively encrypted both in transit and in the storage destination.
Passkey for Restore is a Commvault feature that allows the owner of a client to set a password that is then required for browse or restore operations. When a passkey is configured, the user performing a browse or restore must enter the passkey to perform the operation.
last changed on 01/08/2024
- Support requests can be made via the IT Service Desk by email to servicedesk@itc.rwth-aachen.de, phone (+49 241 8024680) or chat via IT Center Help.
- The following information must be included in your request:
  - Job ID
  - Operating system
  - FQDN / Client Name
  - Contact person
  - Group/Context ID and Institute
  - Role
last changed on 09/20/2022
- Backup migration is not about migrating data, but about migrating new backup clients.
- Specifically, the appropriate software package is installed here and then the client is registered in Commvault.
- The initial full backup is then performed automatically via the server plan assignment.
last changed on 09/20/2022
- In order to use the Backup and Restore service in the Commvault Backup System, you must have the decentralized Backup Admin or DaSi Local Admin role (see Getting Started with Commvault).
- The administration of permissions within Commvault is managed by the IT Center or the respective service provider center.
last changed on 12/22/2022
- You can view the list of permissions in the Commvault Command Center at https://console1.dasi.rwth-aachen.de/.
- Click on 'Manage', then on 'Security', then on 'Roles' and under 'Permissions' you will see the list of all permissions.
last changed on 01/08/2024
- The data is encrypted throughout the entire system, i.e. over the entire lifetime.
- There will be no client encryption; MGMT provides security via server key management.
last changed on 09/20/2022
- Basically, all persons with the DaSi Local Admin role who belong to a group (Org ID) are authorized to administer the clients of that group. (The Administration Backup or DaSi Local Admin role is assigned centrally.)
last changed on 12/22/2022
- Wide range: current Windows variants, macOS, Linux derivatives, very many UNIX systems, some integrations for storage appliances, and many more.
last changed on 09/20/2022
- The monthly backups are kept for six months.
last changed on 12/22/2022
- There will be no Linux repo in the classic sense, but an improvement to TSM.
- The HTTP repo download will only be necessary for the initial installation.
last changed on 12/22/2022
- Prior data encryption is not provided, but it is possible. We are currently working on the processes.
last changed on 12/22/2022
- The changeover of the TSM backup to "Read Only" will take place on 17.01.2023, i.e. after this date no backups will be accepted via TSM. Until then we ask all backup users to change their systems.
- The TSM system will still be available for a restore for a certain period of time.
last changed on 12/22/2022
- Generally, the software on the clients is updated via the CommServe.
last changed on 12/29/2022
You can usually reach the admin console when you log in for the first time. If this is not the case, you can also access it via the address bar at console1.dasi.rwth-aachen.de. If you are on the admin console, there is a link to the web console at the bottom left of the menu.
You can access the web console by logging in to the admin console and then following the link to the web console (bottom left of the menu). If you have been automatically logged out, you will also be redirected to the web console.
last changed on 01/08/2024
We ask for your understanding that we cannot provide any information on release dates at this time. However, we will inform you via the Backup-Info mailing list (backup mailing list) about the corresponding roll-outs.
last changed on 01/08/2024
Addresses: 2a00:8a60:1:c661:1000::1
137.226.205.214
Name: console2.dasi.RWTH-Aachen.de
Addresses: 2a00:8a60:1:c661:1000::4
137.226.205.215
Mediaagents
137.226.205.240/28
137.226.205.224/28
2a00:8a60:1:c608::/64
2a00:8a60:1:c609::/64
last changed on 01/08/2024
On the client side, ports 8400 and 8403 must be open.
Commvault establishes a VPN connection via these ports.
last changed on 01/08/2024
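The address list and the two client ports above can be combined into a client-side audit. The following is an added example, not part of the original FAQ and not Commvault code: it reads `ss -tn`-style lines and reports established connections on ports 8400 or 8403 whose peer is outside the listed addresses. The function names and the sample lines are constructed, and treating the console hosts as valid peers on these ports is an assumption.

```python
import ipaddress

# Addresses and networks copied from the FAQ entry above. Treating the
# console hosts as valid peers on the backup ports is an assumption.
BACKUP_PEERS = [ipaddress.ip_network(n) for n in (
    "137.226.205.214", "137.226.205.215",
    "2a00:8a60:1:c661:1000::1", "2a00:8a60:1:c661:1000::4",
    "137.226.205.240/28", "137.226.205.224/28",
    "2a00:8a60:1:c608::/64", "2a00:8a60:1:c609::/64",
)]
BACKUP_PORTS = {8400, 8403}

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    addr = ipaddress.ip_address(host)
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are matched against the IPv4 networks.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr, int(port)

def is_backup_peer(addr):
    return any(addr.version == net.version and addr in net
               for net in BACKUP_PEERS)

def unexpected_peers(ss_lines):
    """Return (peer, backup_port) for ESTAB lines with an unlisted peer."""
    findings = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, LISTEN sockets, malformed lines
        _, lport = split_endpoint(fields[3])
        peer, pport = split_endpoint(fields[4])
        if BACKUP_PORTS & {lport, pport} and not is_backup_peer(peer):
            findings.append((str(peer), lport if lport in BACKUP_PORTS else pport))
    return findings

# Constructed sample; client addresses are documentation ranges.
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:8400 137.226.205.241:51122
ESTAB 0 0 [2001:db8::10]:8403 [2a00:8a60:1:c608::15]:40022
ESTAB 0 0 [::ffff:192.0.2.10]:8400 [::ffff:137.226.205.230]:50555
ESTAB 0 0 192.0.2.10:8400 198.51.100.7:43210
ESTAB 0 0 [2001:db8::10]:8403 [2a00:8a60:1:c60a::9]:41000
ESTAB 0 0 192.0.2.10:22 203.0.113.5:60000
""".splitlines()
```

Calling `unexpected_peers(SAMPLE)` returns the two constructed connections whose peers fall outside the listed ranges; the SSH line is ignored because neither port is 8400 or 8403.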