Enabling Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS). If you are using Amazon S3 buckets with Server-Side Encryption (SSE) disabled at the bucket policy level, you can optionally instruct Commvault software to write SSE-S3 or SSE-KMS encrypted objects.

Note

Reading encrypted data is transparent to Commvault software, as long as the required access to the KMS key is granted.

Procedure

  • Apply the following additional settings to your MediaAgents and/or Access Nodes performing read/write activities to your Amazon S3 encrypted cloud storage.

    For instructions about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.

Additional Setting: nCloudS3ServerSideEncryption
Category: MediaAgent
Type: Integer
Value: Enter one of the following values:

  • 0: Do not use Server-Side Encryption (default)

  • 1: Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

  • 2: Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS).

    Use MediaAgent/sCloudS3ServerSideEncryptionKMSKeyID to set the KMS key.

Additional Setting: sCloudS3ServerSideEncryptionKMSKeyID
Category: MediaAgent
Type: String
Value: Use this key to set the KMS key ID when the value of nCloudS3ServerSideEncryption is set to 2.

Create the key in the AWS console and get the KMS key ID.

If this key is not set, the default AWS KMS key will be used.
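After the settings are applied, it is worth confirming that objects the MediaAgent writes actually carry the requested encryption. The following is an added example, not Commvault code: it compares HeadObject-style responses (the same keys boto3's head_object() returns) with the two additional settings above. The sample responses and key ARN are constructed for illustration.

```python
from __future__ import annotations

# Values of the nCloudS3ServerSideEncryption additional setting.
SSE_NONE, SSE_S3, SSE_KMS = 0, 1, 2

# Constructed HeadObject-style responses (same keys boto3's head_object() returns).
SAMPLE_OBJECTS = {
    "chunk_0001": {"ServerSideEncryption": "AES256"},
    "chunk_0002": {"ServerSideEncryption": "aws:kms",
                   "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "chunk_0003": {},  # stored without any server-side encryption
}


def check_object(head: dict, n_sse: int, kms_key_id: str = "") -> list[str]:
    """Compare one object's SSE attributes with what the MediaAgent settings request.

    Returns a list of findings; an empty list means the object matches.
    """
    if n_sse == SSE_NONE:
        return []  # setting 0 requests nothing; the bucket default encryption decides
    if n_sse not in (SSE_S3, SSE_KMS):
        raise ValueError(f"unsupported nCloudS3ServerSideEncryption value: {n_sse}")

    findings = []
    want_alg = "AES256" if n_sse == SSE_S3 else "aws:kms"
    got_alg = head.get("ServerSideEncryption")
    if got_alg != want_alg:
        findings.append(f"encryption {got_alg!r}, expected {want_alg!r}")

    # With setting 2 and an empty sCloudS3ServerSideEncryptionKMSKeyID the default
    # AWS KMS key is used, so any key is acceptable. HeadObject reports the full
    # key ARN, so a configured key ID or ARN is matched as a suffix of it.
    if n_sse == SSE_KMS and kms_key_id:
        got_key = head.get("SSEKMSKeyId") or ""
        if not got_key.endswith(kms_key_id):
            findings.append(f"KMS key {got_key!r}, expected {kms_key_id!r}")
    return findings


def audit_objects(objects: dict[str, dict], n_sse: int, kms_key_id: str = "") -> dict[str, list[str]]:
    """Run check_object over a mapping of object key -> HeadObject response."""
    return {key: f for key, head in objects.items()
            if (f := check_object(head, n_sse, kms_key_id))}


if __name__ == "__main__":
    for key, problems in audit_objects(SAMPLE_OBJECTS, SSE_KMS, "EXAMPLE-KEY-ID").items():
        print(key, "->", "; ".join(problems))
```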
