Discussions specific to object storage
collinp
Expert
Posts: 137
Liked: 10 times
Joined: Feb 14, 2012 8:56 pm
Full Name: Collin P

Traffic to S3 encrypted?

Post by collinp » Jan 25, 2019 5:59 pm

When data is offloaded to S3 in Update 4, is this data encrypted with TLS over the wire to S3? Does this solution support enabling encryption on the S3 bucket so data is encrypted at rest? Is backing up to S3 FIPS 140.2 validated?

v.Eremin
Product Manager
Posts: 15781
Liked: 1241 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Traffic to S3 encrypted?

Post by v.Eremin » Jan 25, 2019 6:08 pm

In Update 4, there's the predefined one that is called Internet; this one basically contains all IP addresses from outside of the IPv4 private address space. By default, it has encryption enabled.

So, answering your question, yes, by default traffic going to S3 is encrypted, and you can enable backup encryption in the setting of Capacity Tier.

Thanks!

Gostev
SVP, Product Management
Posts: 23624
Liked: 3119 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Traffic to S3 encrypted?

Post by Gostev » Jan 26, 2019 11:26 pm

Veeam Backup & Replication uses FIPS-certified AES-256 CBC algorithm implementation from Microsoft CryptoAPI.

Yes, you can enable encryption at-rest on the S3 bucket itself if you like; this one is transparent for Veeam. However, this encryption type will not protect your data from the object storage provider itself, because encryption keys are stored with the service provider. So, anyone who your object storage provider may be forced to cooperate with, or their own malicious staff, or hackers within their network perimeter may all potentially get access to your unencrypted data (at least in theory).

This is why we provide an option to enable at-source encryption for data that is being offloaded to object storage. This ensures that all data leaving your network perimeter remains encrypted always, not just in-transit and at-rest. You can find this option on the Capacity Tier step of the scale-out backup repository wizard.

Thanks!
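The layers discussed in this thread (in transit, at rest on the bucket, at source), checked from the bucket side. This is an added example, not part of the thread and not Veeam's code. The policy and encryption documents are constructed samples shaped like the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-encryption`; the bucket name is hypothetical, and `at_source_enabled` is an operator-supplied assumption, because the at-source setting lives in the backup product and cannot be read from the bucket.

```python
# Constructed samples (hypothetical bucket name), shaped like the output of
# `aws s3api get-bucket-policy` and `aws s3api get-bucket-encryption`.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-capacity-tier",
                 "arn:aws:s3:::example-capacity-tier/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denies_plain_http(policy):
    """True if a Deny statement for all principals blocks requests made without TLS."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        flag = str(cond.get("aws:SecureTransport", "")).lower()
        if (stmt.get("Effect") == "Deny" and flag == "false"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", [])))):
            return True
    return False


def default_sse(encryption):
    """Return the bucket's default server-side algorithm, or None if unset."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit(policy, encryption, at_source_enabled):
    """Summarise each layer and whether the provider can read the stored data."""
    return {
        "in_transit_enforced": denies_plain_http(policy or {}),
        "at_rest_sse": default_sse(encryption or {}),
        "at_source": at_source_enabled,
        # Per the thread: bucket-side keys are stored with the provider, so only
        # at-source encryption keeps stored objects opaque to the provider.
        "provider_can_read": not at_source_enabled,
    }
```

A bucket that reports `at_rest_sse` set but `at_source` false still returns `provider_can_read: True`, which is the gap Gostev's post describes.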
