Backup Repository Encryption
Usually, encryption at rest in Veeam Backup & Replication is configured at the job level. There are, however, two scenarios where the configuration is done at the repository level.
Repository-level Encryption for Veeam Agents
Within the Veeam Backup & Replication console’s repository toolbar, there is a button named “Set Access Permissions”. The same command can also be found by opening an existing repository’s context menu:
Both open a dialog where not only access permissions but also encryption can be configured for the selected repository:
NOTE 1: enabling encryption in this dialog does NOT lead to a configuration forcing all backups targeting this repository to be encrypted.
This setting applies to:
- Veeam Agents operating in the standalone mode
- Veeam Backup for Nutanix AHV
- Veeam Backup for Proxmox VE
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
- Veeam Kasten for Kubernetes
For more information see the corresponding User Guide section Encrypting Standalone Application Backups in Backup Repositories.
NOTE 2: When encryption is enabled at the repository level (as explained in this section) Veeam cannot use this repository as a target for any Application Plug-Ins (SAP, Oracle, DB2, MSSQL). See Backup Repository limitations.
Object Storage Repository Encryption in Capacity Tier
When creating or configuring an object storage repository within Veeam Backup & Replication, there is no option to enable encryption of data going into this repository. However, as soon as such an object storage repository is added as Capacity Tier to a Scale-out Backup Repository (SOBR), you will find the encryption setting in the corresponding Capacity Tier settings of the SOBR:
By enabling this setting and providing an encryption password, all backup data offloaded or copied to the Capacity Tier’s object storage target will be encrypted “at source” before being uploaded (see also Add Capacity Tier in the User Guide).
This applies to backup data created by backup or backup copy jobs that target this SOBR regardless of the jobs’ encryption settings. This also means that backup data already encrypted via source job settings will be encrypted again before being uploaded to object storage. Be aware that this consumes additional compute resources and has a performance impact, which might be considered a waste of resources. That said, if Capacity Tier encryption has been disabled, backup data encrypted by the source job’s settings will be uploaded unmodified to the object storage target, so it stays encrypted.
Note: Some cloud object storage providers offer “encryption at rest” as a service where incoming data will be encrypted before being stored. Veeam Backup & Replication does not use any of these encryption services but instead always performs encryption “at source” if enabled as described above.
Object Storage Repository Encryption in Archive Tier
Encryption can also be configured individually for SOBR Archive Tier, as Capacity Tier can be skipped in order to directly offload from Performance tier to Archive Tier.
For more information, see Encryption for Archive Tier.
Note also the important information contained in Add Archive Tier: “If you have encryption on the capacity tier level, but do not enable encryption on the archive tier level, the backups will not be encrypted in the archive tier.”
Best Practices
- Enable encryption for each repository where you plan to store unmanaged Agents’ backup data and when this backup data is going to be moved/copied to another location outside of your security domain.
- Enable Capacity Tier and Archive Tier encryption whenever you are not encrypting your on-premises backups (via job settings) and/or the targeted object storage is outside your security domain (e.g. public cloud provider storage service). In general, consider enabling encryption whenever possible.
- If backups are encrypted by job settings, enabling additional Capacity Tier encryption will have a performance impact and consume extra compute resources as encryption will be performed twice.
- Best practices mentioned in Backup and Backup Copy Job Encryption apply just the same.
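The interaction between job-level, Capacity Tier and Archive Tier encryption described above can be checked against an inventory of SOBRs. The following is an added example, not Veeam code: the Sobr record, its field names and the sample inventory are hypothetical and constructed here, and would have to be filled from your own export of the configuration.

```python
from dataclasses import dataclass, field

@dataclass
class Sobr:  # hypothetical inventory record, not a Veeam API object
    name: str
    capacity_tier: bool = False
    capacity_encrypted: bool = False
    archive_tier: bool = False
    archive_encrypted: bool = False
    jobs: dict = field(default_factory=dict)  # job name -> job-level encryption enabled?

def audit(sobr):
    """Return (severity, tier, job, message) findings for one SOBR."""
    findings = []
    for job, job_enc in sorted(sobr.jobs.items()):
        if sobr.capacity_tier:
            if not job_enc and not sobr.capacity_encrypted:
                # Neither the job nor the tier encrypts: data leaves in the clear.
                findings.append(("HIGH", "capacity", job, "uploaded unencrypted"))
            elif job_enc and sobr.capacity_encrypted:
                # Tier encryption applies regardless of job settings.
                findings.append(("INFO", "capacity", job, "encrypted twice, extra compute"))
            # Job-encrypted data with tier encryption off is uploaded unmodified
            # and stays encrypted, so that combination raises no finding.
        if sobr.archive_tier and not job_enc and not sobr.archive_encrypted:
            findings.append(("HIGH", "archive", job, "offloaded unencrypted"))
    # Capacity Tier encryption does not carry over to the Archive Tier.
    if sobr.archive_tier and sobr.capacity_encrypted and not sobr.archive_encrypted:
        findings.append(("WARN", "archive", None,
                         "capacity tier encryption set, archive tier encryption not set"))
    return findings

# Constructed sample inventory.
INVENTORY = [
    Sobr("sobr-cloud", capacity_tier=True, capacity_encrypted=True,
         archive_tier=True, archive_encrypted=False,
         jobs={"vm-daily": False, "sql-hourly": True}),
    Sobr("sobr-dr", capacity_tier=True, capacity_encrypted=False,
         jobs={"files": True, "lab": False}),
]

def audit_all(inventory):
    return {s.name: audit(s) for s in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        for severity, tier, job, message in findings:
            print(f"{severity:4} {name} [{tier}] {job or '-'}: {message}")
```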
References
- Repository Access Permissions
- Capacity Tier
- Add Capacity Tier
- Backup Repository limitations
- Encrypting Standalone Application Backups in Backup Repositories
- Encryption for Archive Tier
- Add Archive Tier