Encryption in Commvault [EN]

Keep data safe with encrypted backups. Encryption keys are locked up and stored safely so that no unauthorized party can gain access to backup data.

“Key” terms

Built-in KMS – Commvault manages all encryption keys, including master keys
Passphrase KMS – file-based KMS; the master key is protected by a passphrase
Third-party KMS – a third-party KMS manages the master encryption keys

Master key – used to encrypt the private encryption key (KEK), unique per storage pool

Key encryption key (KEK):

  • Public KEK is used to encrypt the data encryption key (DEK)

  • Private KEK is used to decrypt the data encryption key (DEK)

DEK – Symmetric key used to encrypt/decrypt the backup data

Architecture

Backup process (built-in KMS)

  • A symmetric data encryption key (DEK) is generated by the CommServe® server for each client

  • The DEK is sent to the client to encrypt the data

  • The DEK is encrypted using the storage pool's public KEK and stored in the CommServe database.

Restore process (built-in KMS)

  • The master key for the storage pool is used to decrypt the RSA private KEK from the CommServe® server DB

  • The RSA private KEK is used to decrypt each symmetric key (DEK) from the CommServe DB

  • The DEK is used to decrypt each archive file from the media
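
The backup and restore steps above can be walked through with the `openssl` CLI. This is an added example, not Commvault code: the file names, the state directory standing in for the CommServe database, and the choice of AES-256-CBC and RSA-2048 with OAEP are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the key hierarchy above; NOT Commvault code.
# Assumptions: file names, AES-256-CBC, RSA-2048/OAEP, and a state
# directory that stands in for the CommServe database.
set -eu

# Pool setup: the master key encrypts the private KEK; the public KEK stays in clear.
pool_setup() {  # $1 = state directory
  openssl rand -hex 32 > "$1/master.key"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "file:$1/master.key" -out "$1/kek_priv.pem" 2>/dev/null
  openssl pkey -in "$1/kek_priv.pem" -passin "file:$1/master.key" \
    -pubout -out "$1/kek_pub.pem"
}

# Backup: a fresh DEK encrypts the data; only the wrapped DEK is persisted.
backup() {  # $1 = state directory, $2 = file to protect
  dek=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$dek" -iv "$iv" -in "$2" -out "$1/archive.enc"
  printf '%s' "$iv" > "$1/archive.iv"
  printf '%s' "$dek" | openssl pkeyutl -encrypt -pubin -inkey "$1/kek_pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -out "$1/dek.wrapped"
  unset dek
}

# Restore: master key -> private KEK -> DEK -> archive file.
restore() {  # $1 = state directory, $2 = output file
  dek=$(openssl pkeyutl -decrypt -inkey "$1/kek_priv.pem" \
    -passin "file:$1/master.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$1/dek.wrapped" 2>/dev/null) || return 1
  openssl enc -d -aes-256-cbc -K "$dek" -iv "$(cat "$1/archive.iv")" \
    -in "$1/archive.enc" -out "$2"
}

# Demo on constructed data: run the script with the argument "demo".
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); echo "constructed backup payload" > "$d/in.txt"
  pool_setup "$d"; backup "$d" "$d/in.txt"; restore "$d" "$d/out.txt"
  cmp "$d/in.txt" "$d/out.txt" && echo "restore OK"
  rm -rf "$d"
fi
```

Without the correct master key the private KEK cannot be loaded, so the wrapped DEK and the archive stay unreadable even to someone holding every other file.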