-
- Veteran
- Posts: 323
- Liked: 25 times
- Joined: Jan 02, 2014 4:45 pm
- Contact:
Difference between backup job level encryption & SOBR Capacity Tier encryption
When enabling the capacity tier in SOBR, you have the option of enabling encryption. According to the help file, "With this option selected, the entire collection of blocks along with the metadata will be encrypted while being offloaded"
When creating a backup job, you also have the option of enabling encryption. According to the help file, "Veeam encrypts data blocks on the backup proxy...and transfers them to the backup repository already encrypted...encrypted data blocks are stored to a resulting backup file"
A few questions:
1. For a backup job writing to a SOBR capacity tier, will enabling encryption at both layers mean that there are two layers of encryption? It seems that in both cases, the encryption is at rest and in transit.
2. If backs will be encrypted at two layers, any issues with using separate encryption keys?
3. Will encryption at either layer or both layers impact deduplication either locally or in S3 storage? Or performance with uploads/downloads from S3 storage?
4. And lastly, if the S3 storage provider offers encryption using custom keys, any issues enabling that option as well to have another layer of encryption? This would be encryption at rest only.
When creating a backup job, you also have the option of enabling encryption. According to the help file, "Veeam encrypts data blocks on the backup proxy...and transfers them to the backup repository already encrypted...encrypted data blocks are stored to a resulting backup file"
A few questions:
1. For a backup job writing to a SOBR capacity tier, will enabling encryption at both layers mean that there are two layers of encryption? It seems that in both cases, the encryption is at rest and in transit.
2. If backs will be encrypted at two layers, any issues with using separate encryption keys?
3. Will encryption at either layer or both layers impact deduplication either locally or in S3 storage? Or performance with uploads/downloads from S3 storage?
4. And lastly, if the S3 storage provider offers encryption using custom keys, any issues enabling that option as well to have another layer of encryption? This would be encryption at rest only.
-
- Chief Product Officer
- Posts: 31780
- Liked: 7280 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Difference between backup job level encryption & SOBR Capacity Tier encryption
This option is provided for when you're using deduplicating storage appliance, and thus your local backups must be unencrypted. If you have regular local storage, you can enable both - however, there's no point in doing that (no added protection due to the same encryption algorithm, waste of compute resources, plus additional data transformations don't add to reliability). Same with additional S3-side encryption: added data corruption risk with no tangible benefits.
So, just pick one place to do encryption at - preferably in Veeam, so that we're able to support you in case of issues.
So, just pick one place to do encryption at - preferably in Veeam, so that we're able to support you in case of issues.
-
- Veteran
- Posts: 323
- Liked: 25 times
- Joined: Jan 02, 2014 4:45 pm
- Contact:
Re: Difference between backup job level encryption & SOBR Capacity Tier encryption
Thank you Gostev.
In regards to enabling S3 side encryption, Azure Blob encrypts data at rest by default. However, if we wish to have a second layer of encryption in case the Veeam side (per job only) one is disabled by mistake, would that work? The objective is to ensure we remain compliant with requirements.
In regards to enabling S3 side encryption, Azure Blob encrypts data at rest by default. However, if we wish to have a second layer of encryption in case the Veeam side (per job only) one is disabled by mistake, would that work? The objective is to ensure we remain compliant with requirements.
-
- Chief Product Officer
- Posts: 31780
- Liked: 7280 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
-
- Expert
- Posts: 119
- Liked: 12 times
- Joined: Nov 04, 2011 8:21 pm
- Full Name: Corey
- Contact:
Re: Difference between backup job level encryption & SOBR Capacity Tier encryption
Reading this thread it sounds like it's acceptable to have unencrypted local backups and then enable encryption on capacity tier of SOBR. I configured my setup like that, and there's no indication whether or not the capacity tier is encrypted.
As a comparison my backup copy jobs to a cloud service provider (iLand) show "backup file will be encrypted" in the backup task. And the backup file in the veeam console, shows a little lock icon. I don't see either of those on my sobr offload job or sobr backup (within the veeam console). Is there a way to confirm it actually is encrypted?
Thanks!
As a comparison my backup copy jobs to a cloud service provider (iLand) show "backup file will be encrypted" in the backup task. And the backup file in the veeam console, shows a little lock icon. I don't see either of those on my sobr offload job or sobr backup (within the veeam console). Is there a way to confirm it actually is encrypted?
Thanks!
-
- Chief Product Officer
- Posts: 31780
- Liked: 7280 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Difference between backup job level encryption & SOBR Capacity Tier encryption
So what is encrypted in this case are data objects which are offloaded to object storage, and not the actual backup file. The stub file in the Performance Tier remains unencrypted, thus the "encrypted" state does not propagate to the backup file settings.
If encryption is enabled in the Capacity Tier setting, then offloaded data is encrypted. You could always try importing backups from object storage with another Veeam install, and you will be asked for password.
If encryption is enabled in the Capacity Tier setting, then offloaded data is encrypted. You could always try importing backups from object storage with another Veeam install, and you will be asked for password.
-
- Expert
- Posts: 119
- Liked: 12 times
- Joined: Nov 04, 2011 8:21 pm
- Full Name: Corey
- Contact:
Re: Difference between backup job level encryption & SOBR Capacity Tier encryption
Thanks for confirming! As a long time veeam user I know some things (block size, re-fs, etc) didn't happen until a full backup (although I guess this is like a full to the capacity tier). I just wanted to confirm it was definitely encrypted since I didn't see it in the UI.
I think it might be a good idea to have confirmation in the UI in a future release.
I always appreciate the quick thoughtful responses gostev!
I think it might be a good idea to have confirmation in the UI in a future release.
I always appreciate the quick thoughtful responses gostev!
Who is online
Users browsing this forum: No registered users and 9 guests