Discussions related to using object storage as a backup target.
Post Reply
Lewpy
Enthusiast
Posts: 80
Liked: 17 times
Joined: Nov 27, 2012 1:00 pm
Full Name: Lewis Berrie
Location: Southern England
Contact:

SOBR with S3 Object Capacity Tier Encryption Question

Post by Lewpy »

We had an existing SOBR between local ReFS (Performance Tier) and S3 Object Storage (Capacity Tier) in Copy Mode.
The S3 Object Storage connection has always had encryption enabled, and this has been fine.
As part of a security review, it was decided to enable encryption on the local ReFS repository (Performance Tier) so encryption was enabled for the Backup Jobs.
This triggered a new full backup of each Backup Job, as expected.
What wasn't so expected was that this also triggered a full copy up to S3 Object Storage: each new VBK showed a full transfer of data to S3, rather than an incremental amount.
The encryption keys for local encryption and S3 Object Storage encryption are different.
I had assumed that the local backups would get decrypted and re-encrypted with the S3 encryption key [similar to if you used a Backup Copy Job with different encryption keys], but that looks not to be the case?
Does this mean that the data stored in S3 Object Storage is now effectively "double encrypted"? It would explain why the S3 Object Storage saw the new full backups as completely new data: it's all encrypted and bears no resemblance to the previous backups.
Will this cause a long term problem with the S3 Object Storage, in that feeding it encrypted backup data would cause it not to be able to "share" blocks or similar? I don't believe so, as Veeam itself is in charge of how the data is stored in S3 Object Storage so can track shared data whether encrypted or not, but I have made a few incorrect Veeam-related assumptions recently so not entirely sure.

Thanks,
Lewis.
david.domask
Veeam Software
Posts: 1865
Liked: 450 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: SOBR with S3 Object Capacity Tier Encryption Question

Post by david.domask » 1 person likes this post

Hi @Lewpy,

When you have both job level and Capacity Tier encryption set, indeed, the backups are effectively "double-encrypted":

https://helpcenter.veeam.com/docs/backu ... encryption

Keep in mind, our encryption is "transparent" to our data-mover operations, so such configurations still benefit from the Capacity Tier space savings, but it was effectively the Encryption Active Full that caused the additional offloads for this session (since it's starting a new backup chain by enabling encryption), but this should not be repeated after the initial chain was offloaded and you will see it return to normal moving forward.

You are correct, there's no issue with the block sharing here because as noted Veeam's encryption is "transparent" to our operations, so the block sharing can still be used even in this double-encryption setup.
David Domask | Product Management: Principal Analyst
Lewpy
Enthusiast
Posts: 80
Liked: 17 times
Joined: Nov 27, 2012 1:00 pm
Full Name: Lewis Berrie
Location: Southern England
Contact:

Re: SOBR with S3 Object Capacity Tier Encryption Question

Post by Lewpy »

Hi David,

Thanks for replying with all the information, and for pointing out it is actually documented [oops!] :oops:

Lewis.
david.domask
Veeam Software
Posts: 1865
Liked: 450 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: SOBR with S3 Object Capacity Tier Encryption Question

Post by david.domask »

Glad I could help! And no worries, it's old joke about reading the friendly manual, but it's a pretty big manual so second set of eyes doesn't hurt ;) Don't forget about the AI Assistant though, as it's literally built to help find those questions, but of course forums are also great way for such help :)

Always welcome and good luck!
David Domask | Product Management: Principal Analyst
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 14 guests