How are Encryption Keys derived and maintained?

Commvault utilizes the CTR_DRBG random number generator for generating encryption keys. Additionally, the software uses diverse random data supplied by the operating system to provide a dynamic seed for the random number generator.

The software generates the keys as follows:

• Random 128-bit or 256-bit data encryption keys (DEK) for every client and storage policy copy combination, and initial vectors (IV) for CBC chaining during data encryption.
• Random 128-bit or 256-bit master key for the storage policy copy in absence of third-party key management server

The software employs the AES Key Wrap Specification for securely encrypting encryption keys, storing them in the CommServe database with embedded CRC32 checksums. Only CRC32 is utilized for verifying key entry accuracy. If an error is detected, the software prompts the user to investigate potential network or media issues.

Refer to Key Lifecycle section in the documentation to understand key management for different types of encryptions.