
Backup and Backup Copy Job Encryption

What does it do?

Backup and backup copy job encryption is designed to protect data at rest. These settings protect data confidentiality in case of an unauthorized user gaining access to backup files. Authorized users of the Veeam console do not need to know the password to restore data from encrypted backups. Encryption does not prevent authorized Veeam users from being able to access data stored in backups.

How does it work?

Encryption requires encryption keys, created using symmetric cryptography.

  • for each backup session a unique session key is generated automatically and stored in the backup file;
  • the backup file is encrypted with the backup encryption key;
  • each data block is encrypted using the session key (generated for the current job session and stored in the backup file);
  • if Password Loss Protection is enabled, an additional copy of the session key is stored in the backup file, and this copy is encrypted with the Enterprise Manager's encryption key.

This approach provides a method for encrypting backups without compromising backup performance.
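The key hierarchy above, as an added illustrative model in Go (not Veeam's code or file format; AES-256-GCM and 32-byte keys are assumptions): a unique session key encrypts the data and is wrapped under the backup key, and with Password Loss Protection on it is also wrapped under the Enterprise Manager key, so a restore succeeds with either key while a wrong key or a truncated file is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// seal encrypts pt with AES-256-GCM under a 32-byte key; the random nonce is prepended.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; ok is false on a wrong or malformed key, truncation or tampering.
func open(key, blob []byte) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { // 12 is the standard GCM nonce size
		return nil, false
	}
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, blob[:12], blob[12:], nil)
	return pt, err == nil
}

// EncryptBackup models one job session (constructed model, not Veeam's real format): a unique
// session key encrypts the data and is wrapped under backupKey; with PLP on (emKey != nil) under emKey too.
func EncryptBackup(data, backupKey, emKey []byte) (blob, byJob, byEM []byte) {
	session := make([]byte, 32)
	rand.Read(session)
	if emKey != nil {
		byEM = seal(emKey, session)
	}
	return seal(session, data), seal(backupKey, session), byEM
}

// Restore unwraps the session key with key (job copy first, then the PLP copy if present), then decrypts.
func Restore(blob, byJob, byEM, key []byte) ([]byte, bool) {
	session, ok := open(key, byJob)
	if !ok && byEM != nil {
		session, ok = open(key, byEM)
	}
	if !ok {
		return nil, false // neither the backup key nor the Enterprise Manager key
	}
	return open(session, blob)
}
```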

Local keys or Key Management Server (KMS)

Veeam Backup & Replication allows the use of two types of keys:

  • keys manually created directly inside the Veeam console
  • keys automatically supplied by a Key Management Server

KMS is more secure, as it allows automatic rotation of the keys (avoiding use of the same key for too long) and it maintains a remote copy of every key for later retrieval.

When to use it?

To guarantee data confidentiality, encryption should be used whenever possible, to prevent unauthorized access and exfiltration. Encryption is even more important when backups are transported offsite. Common scenarios are:

  • Offsite backups to a repository using rotated drives
  • Offsite backups using unencrypted tapes
  • Offsite backups to a Veeam Cloud Connect provider
  • Regulatory or policy based requirements to store backups in encrypted form

Note: An active full backup is required after enabling encryption for it to take effect.

Best Practices

  • Enable encryption whenever possible, and especially if you plan to store backups in locations outside of your security domain.
  • While CPU usage for encryption is minimal for most modern processors, some amount of resources will still be consumed. If Veeam backup proxies are already highly loaded, take it into account prior to enabling job-level encryption.
  • Prefer a KMS for password management. If that is not possible, use strong passwords and change them regularly.
  • Store passwords in a secure location.
  • Obtain Enterprise or a higher level license for Veeam Backup & Replication, configure Veeam Backup Enterprise Manager and connect backup servers to it in order to enable Password Loss Protection.
  • Export a copy of the active keyset from Enterprise Manager (see User Guide for more information).
  • Back up the Veeam Backup Enterprise Manager configuration database and create an image-level backup of the Veeam Backup Enterprise Manager server. If these backups are also encrypted, make sure that passwords are not lost as there will be no Password Loss Protection for these backups.


Copyright © 2024 Solutions Architects, Veeam Software.