Note: The description in this article is based on Veeam Backup & Replication 12.3, licensed with the Veeam Universal License (VUL), which is equivalent to Enterprise Plus.
Backup Encryption
Backups often contain sensitive data, so preventing unauthorized access to them is crucial. In practice we always deal with access permissions, and ideally the backup network is segmented (it can never be fully isolated, of course, because it has to reach the data it backs up). Encryption is still very important on top of that, especially when backups are stored on external media or in the cloud.
Backup encryption in Veeam Backup & Replication protects data when an attacker obtains the backup files: they cannot import them into another Veeam installation and restore the stored data, as would be possible with unencrypted backups. It does not protect against an attacker who gains access to the Veeam Backup & Replication console with sufficient rights, because the encryption keys are stored in the configuration database and decryption then happens automatically in many situations.
Official Documentation
- Data Encryption
- Communications Encryption
- Encrypting Backup Jobs
- Enabling Traffic Encryption
- Encryption Overview
Encryption Options
In general, we can protect data with encryption in transit (Encryption In Flight / In Transit), most commonly using TLS and certificates, and/or with encryption of stored data (Encryption At Rest) using an encryption key and a cryptographic algorithm.
Stored data can be encrypted by encrypting the storage itself, so that data is encrypted as it is written. This can be handled by Veeam or directly by the storage hardware/software or by tape drives. It may be better, however, to encrypt the data as soon as it is read from the source, during processing: it is then protected both during transfer and in storage. This is how job encryption works in Veeam Backup & Replication.
Encryption in Veeam Backup & Replication
Veeam uses standard encryption algorithms: AES with 256-bit keys and public-key (asymmetric) encryption. The general basics of encryption are described in the article A general introduction to data encryption.
In Veeam we can use:
- Job encryption - set in the job parameters under Advanced - Storage
- Storage encryption - can be enabled
  - on a repository under Set Access Permissions - Encrypt standalone application backups stored in this repository; this applies only to (selected) standalone applications (such as an unmanaged Veeam Agent)
  - for a Scale-Out Backup Repository (SOBR), where encryption can be set for the Capacity Tier or Archive Tier, in which case all backups stored there are encrypted
- Network Traffic (Communication) Encryption - in the main menu under Network Traffic Rules
Note: In this article, we focus on job encryption.
Encryption Properties and Recommendations
- it is very important to encrypt the Veeam Configuration Backup, because it contains encryption keys; only when the configuration backup is encrypted does Veeam also store credentials in it
- store the encryption password safely, but also somewhere it stays accessible when the infrastructure is not working
- deduplication storage gains almost nothing from encrypted data (the solution is to encrypt at the storage level instead)
- with Veeam compression enabled, data is first compressed and then encrypted (at the source)
- encryption has some performance impact, though today's hardware is often optimized for it (AES instruction sets)
- multiple layers of encryption (for example job encryption and storage encryption at the same time) mean a higher load
- by default, Veeam encrypts network traffic transmitted between public networks
- an authorized user does not need the password to recover data from an encrypted backup (when certain conditions are met, see below)
- Veeam Enterprise Manager can be used as protection against losing the encryption password (in which case it must itself be secured sufficiently)
How Encryption Works in Veeam
For encryption we can use:
- a Password, from which a symmetric Secret Key is generated
- an external KMS server (Key Management Service), which provides an asymmetric KMS key
The Secret Key is derived from the password, so it is necessary to use a sufficiently long and complex (simply put, secure) password. The derivation uses 600,000 iterations of HMAC-SHA256 and a 512-bit salt.
Note: In this article, we primarily focus on using an encryption password. We can add (create) and manage passwords in the main menu under Credentials and Passwords - Encryption Passwords, or in the job properties. To use a KMS server, we must first add it in the main menu under Credentials and Passwords - Key Management Servers.

Veeam Backup & Replication encrypts backup files using Data Encryption Keys (DEK). It then transfers the encrypted data to the target side and stores it in the backup repository. For each job session a unique symmetric encryption key (Session Key) is generated and used to encrypt every data block. The Session Key is encrypted with the DEK and stored in the backup file. The DEKs themselves are encrypted with the Secret Key (AES 256-bit) or with the KMS key (RSA 4096-bit) and stored in the configuration database.
Encryption typically happens at the source, which can be the Backup Proxy or the source Backup Repository. If a WAN accelerator is used for a Backup Copy Job, encryption is performed on the target WAN accelerator.
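The key hierarchy described above, together with the password derivation from the previous paragraph and the "same server restores without a password, import needs it" behaviour discussed later in the article, is easiest to see in a small model. The following Python script is an added example written for this article; it is not Veeam code and does not reproduce Veeam's file format. Its assumptions are labelled in the code: PBKDF2 is assumed as the derivation function (the page only names the iteration count, the hash and the salt size), the cipher is an HMAC-SHA256 keystream with an authentication tag standing in for AES-256 so the script runs on the standard library alone, the DEK is simplified to one per job, and the DEK is kept raw in the modelled configuration database rather than encrypted as Veeam does.

```python
"""Model of the Veeam job-encryption key hierarchy (added example, not Veeam code).

  password    --PBKDF2-HMAC-SHA256, 600,000 iterations, 512-bit salt-->  Secret Key
  Secret Key  wraps  DEK (Data Encryption Key; simplified here to one per job)
  DEK         wraps  Session Key (a new one for every job session)
  Session Key encrypts the data blocks

The backup file carries the wrapped Session Key and the DEK wrapped under the
password-derived Secret Key.  The backup server also keeps the DEK in its
configuration database, which is why the same server restores without asking
for the password while an import on another server needs it.

ASSUMPTIONS: PBKDF2 as the derivation function; an HMAC-SHA256 counter keystream
plus HMAC tag as a stand-in for AES-256 (standard library only); 256-bit keys;
one DEK per job; DEK stored raw in the modelled configuration database.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # HMAC-SHA256 iterations stated in the article
SALT_BYTES = 64        # 512-bit salt stated in the article
KEY_BYTES = 32         # 256-bit keys (assumption of this model)


def derive_secret_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password -> Secret Key.  The iteration count is what makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=KEY_BYTES)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256: XOR with an HMAC-SHA256 counter keystream (not AES).
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> dict:
    """Encrypt and authenticate `plaintext` under `key` (an element of the envelope)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(key: bytes, box: dict) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key (i.e. a wrong password)."""
    expected = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("decryption failed: wrong key or tampered data")
    return _keystream_xor(key, box["nonce"], box["ct"])


class BackupServer:
    """One backup server with its own configuration database."""

    def __init__(self) -> None:
        # job name -> DEK.  Veeam stores DEKs encrypted in the configuration
        # database; they are kept raw here because the point is only that the
        # server holds them and the files alone do not.
        self.config_db: dict[str, bytes] = {}

    def run_job(self, job: str, password: str, data: bytes) -> dict:
        """One job session; the returned dict plays the role of the backup file."""
        salt = secrets.token_bytes(SALT_BYTES)
        secret_key = derive_secret_key(password, salt)
        dek = self.config_db.setdefault(job, secrets.token_bytes(KEY_BYTES))
        session_key = secrets.token_bytes(KEY_BYTES)      # unique per session
        return {
            "job": job,
            "salt": salt,
            "wrapped_dek": wrap(secret_key, dek),           # unlockable with the password
            "wrapped_session_key": wrap(dek, session_key),  # unlockable with the DEK
            "blocks": wrap(session_key, data),
        }

    def restore(self, backup: dict) -> bytes:
        """Same server, same configuration database: no password prompt."""
        dek = self.config_db[backup["job"]]
        session_key = unwrap(dek, backup["wrapped_session_key"])
        return unwrap(session_key, backup["blocks"])


def import_backup(backup: dict, password: str) -> bytes:
    """Another server, or an attacker holding only the files: the password is required."""
    secret_key = derive_secret_key(password, backup["salt"])
    dek = unwrap(secret_key, backup["wrapped_dek"])
    session_key = unwrap(dek, backup["wrapped_session_key"])
    return unwrap(session_key, backup["blocks"])


if __name__ == "__main__":
    server = BackupServer()
    vbk = server.run_job("VM-backup", "correct horse battery staple", b"constructed VM disk contents")
    print(server.restore(vbk))                                   # no password needed here
    print(import_backup(vbk, "correct horse battery staple"))    # import: password needed
    try:
        import_backup(vbk, "Password1")
    except ValueError as err:
        print("import with wrong password:", err)
```

Two things the model makes concrete. Anyone holding the backup server's configuration database (or an unencrypted configuration backup of it) has the DEK and needs no password, which is why the article insists on encrypting the configuration backup; anyone holding only the files must pay 600,000 HMAC iterations per password guess, which is only a meaningful barrier if the password is not guessable in a small number of attempts.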
Job Encryption
Job encryption is supported for the following jobs:
- Backup Job
- Backup Copy Job
- File Backup Job
- Object Storage Backup Job
- VeeamZIP Sessions
- Veeam Agent Backup Job / Policies
- Configuration Backup Job
Note: Veeam Plug-ins do not support encryption, and the target repository must not have storage encryption (Encrypt standalone application backups stored in this repository) enabled for them.
Encryption Configuration Behavior
- when we enable encryption on an existing job, the next run (session) automatically creates an active full backup (so it is not advisable to enable encryption on many jobs at once)
- this full backup and all subsequent increments are encrypted (previous backups remain unencrypted)
- if we change the password, newly created incremental backups are encrypted with the new password
- if we disable encryption, an unencrypted full backup is created and the chain continues without encryption
Using Deduplication, Compression and Fast Clone
Veeam's own deduplication and compression of the backup file work the same after enabling encryption; the full backup size is the same as before encryption.
Encryption is not suitable when deduplication storage is used. Data is encrypted before it is stored (with a different encryption key for each job session), so identical source blocks produce different ciphertext and the deduplication ratio suffers.
If we use a ReFS or XFS file system with the Fast Clone feature, we still benefit from the space savings after enabling encryption. However, when encryption is enabled on an existing job, the new encrypted full backup cannot use Fast Clone (encrypted blocks differ from the unencrypted ones), so enough free space is needed. Subsequent backups use Fast Clone again.
Encryption Settings (primarily for Backup Job and Backup Copy Job)
We can set encryption when creating new job or by editing existing settings.
- Veeam Backup & Replication Console
- Home - Jobs
- create new job or edit existing
- for a Backup Job it is Storage - Advanced - Storage
- for a Backup Copy Job it is Target - Advanced - Storage
- tick Enable backup file encryption and select or add an encryption password
Encryption Impact on Backup Copy Job Dependent on Backup Job
If we enable encryption on a Backup Job that is the source of a Backup Copy Job, nothing changes for the Backup Copy Job: it keeps copying only increments and they remain unencrypted. Only when encryption is enabled on the Backup Copy Job itself is a full backup created, and that one is encrypted. A Backup Copy Job can be encrypted even if the source Backup Job is unencrypted.
How to Recognize Encrypted Backup
VBK and VIB files look the same at first glance. But when we look into the VBM file, we see that the individual XML items carrying sensitive information are encrypted. In the XML element BackupMeta we find the attribute EncryptionState="2" (for unencrypted backups it is 0).
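This attribute makes it easy to audit a repository share for chains that are still unencrypted. The following Python script is an added example for this article, not Veeam code: it reads the BackupMeta element of one or more VBM files and reports the state. The sample VBM documents in it are constructed and contain only the attribute the check needs (a real VBM holds far more elements, many of them encrypted); the mapping of values other than 0 and 2 is not covered by the article, so the script reports them as unknown rather than guessing.

```python
"""Audit Veeam .vbm metadata files for the EncryptionState attribute.

Added example, not Veeam code.  The article states that the BackupMeta element
carries EncryptionState="2" for encrypted and "0" for unencrypted backups; any
other value is reported as unknown.  The sample VBM texts below are constructed
for this example and are not real Veeam files.
"""
from pathlib import Path
import xml.etree.ElementTree as ET

ENCRYPTION_STATES = {"0": "unencrypted", "2": "encrypted"}


def encryption_state(vbm_xml: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown (...)' for one VBM document."""
    root = ET.fromstring(vbm_xml)
    # BackupMeta is assumed to be the root; fall back to searching for it.
    meta = root if root.tag == "BackupMeta" else root.find(".//BackupMeta")
    if meta is None:
        raise ValueError("no BackupMeta element: not a VBM file?")
    raw = meta.get("EncryptionState")
    if raw is None:
        raise ValueError("BackupMeta has no EncryptionState attribute")
    return ENCRYPTION_STATES.get(raw, f"unknown (EncryptionState={raw})")


def scan_vbms(vbms: dict) -> dict:
    """Map each VBM (name -> XML text) to its state; parse problems become 'error: ...'."""
    report = {}
    for name, xml_text in vbms.items():
        try:
            report[name] = encryption_state(xml_text)
        except (ET.ParseError, ValueError) as err:
            report[name] = f"error: {err}"
    return report


def unencrypted_chains(report: dict) -> list:
    """Names of chains an auditor should follow up on (not 'encrypted')."""
    return sorted(name for name, state in report.items() if state != "encrypted")


def scan_directory(directory: str) -> dict:
    """Read every *.vbm below `directory` (e.g. a repository share) and scan it."""
    files = Path(directory).rglob("*.vbm")
    return scan_vbms({str(p): p.read_text(encoding="utf-8", errors="replace") for p in files})


# Constructed sample VBM contents (minimal; real files hold many more elements).
SAMPLE_VBMS = {
    "FileServer.vbm": '<BackupMeta EncryptionState="2"><!-- encrypted items --></BackupMeta>',
    "OldJob.vbm": '<BackupMeta EncryptionState="0"></BackupMeta>',
    "Wrapped.vbm": '<Root><BackupMeta EncryptionState="2"/></Root>',
    "Odd.vbm": '<BackupMeta EncryptionState="7"/>',
    "NotVbm.vbm": '<Something/>',
    "Broken.vbm": '<BackupMeta EncryptionState="2"',
}

if __name__ == "__main__":
    report = scan_vbms(SAMPLE_VBMS)
    for name, state in sorted(report.items()):
        print(f"{name:16} {state}")
    print("follow up:", unencrypted_chains(report))
```

Pointing scan_directory at a repository share gives the same report for real files; an "error" entry usually means a file that is not a VBM or was cut off mid-write, and a "0" entry on a chain that should be encrypted means the job was never re-run after encryption was enabled.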
In the backup list in the Veeam Backup & Replication Console, the icon of an encrypted backup has a key overlay. This applies even when only part of the chain is encrypted (when encryption was enabled later).

In the job log of performed actions we see the entry Backup file will be encrypted.

When Password is Required for Decryption
For many operations with backups (recovery, health check etc.) they must first be decrypted. This happens automatically in the background, or we must do it manually by entering the password. Automatic decryption takes place on the same backup server with the same configuration database (where the data encryption keys are stored), provided the backup was not removed from it. If we import a backup, we must always enter the password.
This means that a user (with sufficient rights) logged into the Veeam Backup & Replication Console can restore data from an encrypted backup without knowing the encryption password.
Importing Encrypted Backup
When we import an encrypted backup, we must decrypt it by entering the password. It does not matter whether we perform a manual import (button Import Backup) or rescan the repository (Rescan on the repository).
- the encrypted backup appears under Backups - Disk (Encrypted)
- select Decrypt backup (or the button Specify Password) and enter the password
- the backup is decrypted and moves under Backups - Disk (Imported)
Note: If the password was changed while the backup chain was being created, some backup files are encrypted with a different password. If we import the VBM, we must enter the last password. If we import a VBK, we must enter the whole set of passwords that were used to encrypt data in the chain.