Encryption
Data protected in backups and replicas are highly sensible. Unauthorized access can lead to corruption, deletion or exfiltration. For these reasons, it’s highly suggested to use Encryption to protect the confidentiality of the data. To secure data stored in backups and replicas, follow these guidelines:
At rest
Use Veeam Backup & Replication built-in encryption to protect data in backups. To guarantee security of data in backups, follow Encryption Best Practices from Veeam Backup & Replication user guide.
One of the operational issues with Keys is their rotation: people tend to configure a secret key and then stick to it for a long time, because changing them is cumbersome. In this way, keys become old and may be subjected to Harvest now, decrypt later attacks. To avoid this problem, Veeam support the use of KMS (Key Management Server).
Note: Enabling encryption on deduplicated storage might affect the deduplication ratio.
In transit
Backup and replica data can be intercepted in-transit, when it’s transferred from source to target over a network. To secure the communication channel for backup traffic, consider these guidelines:
- Isolate backup traffic. Use an isolated network to transport data between backup infrastructure components — backup server, backup proxies, repositories and so on (also see segmentation)
- Encrypt network traffic. By default, Veeam Backup & Replication encrypts network traffic traveling between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, you can also encrypt backup traffic in private networks. For details, see Enabling Network Data Encryption.
Note: Enabling Network Encryption from Veeam Backup & Replication user guide.