Using object storage as a backup target
wa15
Expert
Posts: 319
Liked: 24 times
Joined: Jan 02, 2014 4:45 pm

Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by wa15 »

When enabling the capacity tier in SOBR, you have the option of enabling encryption. According to the help file, "With this option selected, the entire collection of blocks along with the metadata will be encrypted while being offloaded"

When creating a backup job, you also have the option of enabling encryption. According to the help file, "Veeam encrypts data blocks on the backup proxy...and transfers them to the backup repository already encrypted...encrypted data blocks are stored to a resulting backup file"

A few questions:

1. For a backup job writing to a SOBR capacity tier, will enabling encryption at both layers mean that there are two layers of encryption? It seems that in both cases, the encryption is at rest and in transit.

2. If backups will be encrypted at two layers, any issues with using separate encryption keys?

3. Will encryption at either layer or both layers impact deduplication either locally or in S3 storage? Or performance with uploads/downloads from S3 storage?

4. And lastly, if the S3 storage provider offers encryption using custom keys, any issues enabling that option as well to have another layer of encryption? This would be encryption at rest only.

Gostev
SVP, Product Management
Posts: 29502
Liked: 5595 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by Gostev »

This option is provided for when you're using a deduplicating storage appliance, and thus your local backups must be unencrypted. If you have regular local storage, you can enable both - however, there's no point in doing that (no added protection due to the same encryption algorithm, waste of compute resources, plus additional data transformations don't add to reliability). Same with additional S3-side encryption: added data corruption risk with no tangible benefits.

So, just pick one place to do encryption at - preferably in Veeam, so that we're able to support you in case of issues.
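An added illustration (not from the thread and not Veeam code) of why a deduplicating appliance needs unencrypted input: two nearly identical backups deduplicate well as plaintext, but once each is encrypted with a fresh nonce the appliance sees only unique blocks. The stand-in cipher, the 4 KiB block size and the sample data are assumptions and do not model Veeam's file format or encryption.

```python
import hashlib
import os

BLOCK = 4096  # chunk size of a hypothetical fixed-block dedup appliance (assumption)

def keystream_encrypt(data, key, nonce):
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    It models 'same plaintext, fresh nonce, unrelated ciphertext'."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def dedup_stats(stream):
    """Return (total_blocks, unique_blocks) as a fixed-block dedup store sees them."""
    blocks = [stream[i:i + BLOCK] for i in range(0, len(stream), BLOCK)]
    return len(blocks), len({hashlib.sha256(b).digest() for b in blocks})

def build_backup(changed_block=None):
    """Constructed sample: 64 distinct blocks of 'VM data', optionally one changed."""
    blocks = [hashlib.sha256(b"vm-disk-%d" % i).digest() * (BLOCK // 32)
              for i in range(64)]
    if changed_block is not None:
        blocks[changed_block] = os.urandom(BLOCK)
    return b"".join(blocks)

def compare():
    """Dedup results for two consecutive backups, stored plain vs. encrypted."""
    monday = build_backup()
    tuesday = build_backup(changed_block=7)  # one block changed between runs
    key = os.urandom(32)
    plain = dedup_stats(monday + tuesday)
    encrypted = dedup_stats(
        keystream_encrypt(monday, key, os.urandom(16))
        + keystream_encrypt(tuesday, key, os.urandom(16))
    )
    return {"plain": plain, "encrypted": encrypted}

if __name__ == "__main__":
    for label, (total, unique) in compare().items():
        print(f"{label:9s} total={total} unique={unique} "
              f"stored={unique / total:.0%} of written data")
```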


Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by wa15 »

Thank you Gostev.

In regards to enabling S3 side encryption, Azure Blob encrypts data at rest by default. However, if we wish to have a second layer of encryption in case the Veeam side (per job only) one is disabled by mistake, would that work? The objective is to ensure we remain compliant with requirements.


Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by Gostev » 1 person likes this post

Sure thing!

deduplicat3d
Expert
Posts: 113
Liked: 12 times
Joined: Nov 04, 2011 8:21 pm
Full Name: Corey

Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by deduplicat3d »

Reading this thread it sounds like it's acceptable to have unencrypted local backups and then enable encryption on capacity tier of SOBR. I configured my setup like that, and there's no indication whether or not the capacity tier is encrypted.

As a comparison, my backup copy jobs to a cloud service provider (iLand) show "backup file will be encrypted" in the backup task. And the backup file in the Veeam console shows a little lock icon. I don't see either of those on my SOBR offload job or SOBR backup (within the Veeam console). Is there a way to confirm it actually is encrypted?

Thanks!


Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by Gostev »

So what is encrypted in this case are data objects which are offloaded to object storage, and not the actual backup file. The stub file in the Performance Tier remains unencrypted, thus the "encrypted" state does not propagate to the backup file settings.

If encryption is enabled in the Capacity Tier setting, then offloaded data is encrypted. You could always try importing backups from object storage with another Veeam install, and you will be asked for the password.


Re: Difference between backup job level encryption & SOBR Capacity Tier encryption

Post by deduplicat3d »

Thanks for confirming! As a long-time Veeam user I know some things (block size, ReFS, etc.) didn't happen until a full backup (although I guess this is like a full to the capacity tier). I just wanted to confirm it was definitely encrypted since I didn't see it in the UI.

I think it might be a good idea to have confirmation in the UI in a future release.

I always appreciate the quick, thoughtful responses, Gostev!
