Encryption in Commvault
On this page we would like to give you an overview of how encryption works within the Commvault software.
Additional information can be obtained by following the links below.
Note: Since the key is only known on the client side, the ability to restore depends on the availability of the key. This means that the IT center, as the service provider, has no way to restore your data if you no longer have your key.
Commvault software offers a standalone Key Management System (KMS) that includes the ability to generate random encryption keys for the stored data and also manage the secure storage of these keys in the CommServe database.
In the Commvault environment, multiple keys are used to back up your data. Which keys are used and what is their function?
- DEK (Data Encryption Key) - Encrypts backup data
- KEK Public-Private Key Pair (Key Encryption Key) - Encrypts DEK
- Master Key - Encrypts KEK
- Built-in Key - Encrypts Public KEK and Master Key
To illustrate the encryption processes, you can view the workflow for the backup and restore case under Commvault Management of Encryption Keys.
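As an added example (not Commvault's code), the following Go program models the three innermost layers of the hierarchy above with envelope encryption: a fresh DEK encrypts the data, the KEK public key wraps the DEK, and a client-held master key wraps the KEK private key, so the stored Envelope never contains the master key. The algorithms (AES-256-GCM, RSA-OAEP), the Envelope layout and the per-backup KEK are assumptions of the example; the Restore path shows the point of the note above, namely that a different master key fails at the very first unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

type Envelope struct {
	Data       []byte // backup data encrypted under the DEK (AES-256-GCM)
	WrappedDEK []byte // DEK encrypted under the KEK public key (RSA-OAEP)
	WrappedKEK []byte // KEK private key encrypted under the master key (AES-256-GCM)
}

// must panics on setup failures only (bad key length, RNG or key generation errors).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// seal encrypts with AES-GCM and prefixes the fresh random nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check rejects a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// Backup builds the hierarchy: fresh DEK -> KEK public key -> master key.
func Backup(masterKey, data []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	kek := must(rsa.GenerateKey(rand.Reader, 2048))
	wDEK := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, dek, nil))
	return Envelope{seal(dek, data), wDEK, seal(masterKey, x509.MarshalPKCS1PrivateKey(kek))}
}
// Restore walks the hierarchy backwards; a wrong master key already fails at step one.
func Restore(masterKey []byte, e Envelope) ([]byte, error) {
	der, err := open(masterKey, e.WrappedKEK)
	if err != nil { return nil, err }
	kek, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, e.WrappedDEK, nil)
	if err != nil { return nil, err }
	return open(dek, e.Data)
}
```

The master key is a 32-byte value the client supplies; nothing in the Envelope allows the storage side to recover it.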
In addition, it is possible to protect the keys that exist within Commvault Encryption using third-party key management before they are stored in the CommServe database. Supported in general are implementations that use the Key Management Interoperability Protocol (KMIP) as well as the specific key management services of Amazon Web Services and Microsoft Azure. You can see which algorithms are supported in the linked overview: Supported Algorithms for Software Encryption
What can passkeys be used for?
The Passkey for Restore is an access management system that provides additional password protection for the symmetric key used to decrypt the backed-up data. If the passkey is lost, the backed-up data is also irrevocably lost. This feature is not used to encrypt data in the backup path or storage destination. Backed-up data in Commvault is natively encrypted both in transit and in the storage destination.
Passkey for Restore is a Commvault feature that allows the owner of a client to set a password that is then required for browse or restore operations. When a passkey is configured, the user performing a browse or restore must enter the passkey to perform the operation.