Commvault ships a built-in Key Management System (KMS) in which the data encryption keys are generated randomly; the keys are then encrypted and stored in the CommServe database.
Alternatively, a third-party KMS can be used. Supported are key managers that speak the Key Management Interoperability Protocol (KMIP) as well as the native key management services of Amazon Web Services (AWS KMS) and Microsoft Azure (Azure Key Vault).
The master key sits at the top of this hierarchy: it is used to decrypt the key encryption key (KEK), which in turn protects the randomly generated data keys.
With passphrase key management, the master key is stored in key files on at least two systems; these copies are what allow the data keys to be unwrapped during backup and restore. The master key adds a further layer in front of the database: the randomly generated keys are wrapped with it before they are stored in the CommServe database, so the database alone never holds a usable key. The location of the key files is configurable, but at least two existing systems in the Commvault environment must be specified before backups can run. Protect those key files accordingly: anyone who can read them together with the CommServe database can unwrap every data key, and if all copies are lost the data keys can no longer be recovered.
Passkey for Restore is an access-control feature, not an encryption feature: the owner of a client sets a passkey that must then be entered for every browse or restore of that client's data, placing an additional password in front of the symmetric key that decrypts the backed-up data. If the passkey is lost, the backed-up data is irrevocably lost with it. The passkey plays no part in encrypting data on the backup path or at the storage destination; that is handled separately by Commvault's own encryption of backed-up data in transit and at rest, as described above.
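The following is an added illustration of the key hierarchy and the restore passkey described above; it is example code written for this page, not Commvault's implementation. It models the master key (kept only in key files on two hypothetical hosts, mediaagent-1 and mediaagent-2), the KEK and per-job data keys stored wrapped in an in-memory stand-in for the CommServe database, and a passkey check in front of restore. The cipher is a toy HMAC-SHA256 keystream with an authentication tag standing in for the product's AES, and the passkey is modelled as a PBKDF2 hash; both are assumptions for the example, since the page does not describe these internals.

```python
"""Toy model of a backup key hierarchy: master key -> KEK -> per-job DEK,
plus a restore passkey. Illustration only; not Commvault code."""
import hashlib
import hmac
import os

# --- toy cipher: HMAC-SHA256 keystream XOR, encrypt-then-MAC ---------------
# Stands in for the real product's AES. Not for production use.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag"""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- environment: every store is an in-memory dict (assumption) ------------
class Environment:
    def __init__(self, key_file_hosts=("mediaagent-1", "mediaagent-2")):
        master = os.urandom(32)
        # Master key exists only as key files on >= 2 hosts, never in the DB.
        self.key_files = {host: master for host in key_file_hosts}
        kek = os.urandom(32)
        # CommServe-style database: holds the KEK and DEKs only in wrapped form.
        self.db = {"wrapped_kek": seal(master, kek), "jobs": {}}
        self.storage = {}          # encrypted data at the storage destination
        self.passkey_hash = None   # set by the client owner (Passkey for Restore)

    def _master_key(self) -> bytes:
        # Any surviving key-file copy is enough; none left means no recovery.
        for key in self.key_files.values():
            if key is not None:
                return key
        raise RuntimeError("no key file reachable: data keys cannot be unwrapped")

    def set_passkey(self, passkey: str) -> None:
        salt = os.urandom(16)
        self.passkey_hash = (salt, hashlib.pbkdf2_hmac("sha256", passkey.encode(), salt, 100_000))

    def backup(self, job_id: str, data: bytes) -> None:
        dek = os.urandom(32)                      # fresh random data key per job
        self.storage[job_id] = seal(dek, data)    # data lands encrypted
        kek = unseal(self._master_key(), self.db["wrapped_kek"])
        self.db["jobs"][job_id] = seal(kek, dek)  # only the wrapped DEK is stored

    def restore(self, job_id: str, passkey=None) -> bytes:
        # Passkey gate: access control in front of the key chain, not encryption.
        if self.passkey_hash is not None:
            salt, expected = self.passkey_hash
            got = hashlib.pbkdf2_hmac("sha256", (passkey or "").encode(), salt, 100_000)
            if not hmac.compare_digest(got, expected):
                raise PermissionError("passkey required for browse/restore")
        kek = unseal(self._master_key(), self.db["wrapped_kek"])
        dek = unseal(kek, self.db["jobs"][job_id])
        return unseal(dek, self.storage[job_id])

def try_restore(env: Environment, job_id: str, passkey=None):
    """Restored bytes on success, otherwise the name of the error that blocked it."""
    try:
        return env.restore(job_id, passkey)
    except (PermissionError, RuntimeError, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    env = Environment()
    env.backup("job-1", b"constructed sample: payroll.db contents")
    env.set_passkey("correct horse battery staple")
    print(try_restore(env, "job-1", "wrong"))                          # PermissionError
    print(try_restore(env, "job-1", "correct horse battery staple"))   # the data
    env.key_files["mediaagent-1"] = env.key_files["mediaagent-2"] = None
    print(try_restore(env, "job-1", "correct horse battery staple"))   # RuntimeError
```

Two properties of the design are worth checking against your own environment: losing one key-file host is harmless as long as another copy is reachable, while losing all copies (or the passkey) makes the wrapped keys in the database useless, exactly the failure mode the text warns about.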