Host-based backup of VMware vSphere VMs.
Tooshy
Lurker
Posts: 2
Liked: never
Joined: May 06, 2018 4:21 pm
Full Name: Too shy

Encrypted VMs

Post by Tooshy »

Hello, I'm trying to figure out how Veeam B&R works with encrypted VMs. I just read the "Help Center", User Guide for VMware vSphere > Advanced VMware vSphere Features > Encrypted VMs.
There are 3 options to restore a backup of an encrypted VM:
- You can back up an encrypted VM and restore it as encrypted.
- You can back up an encrypted VM and restore it as unencrypted.
- You can back up an unencrypted VM and restore it as encrypted.
Are these all the options to restore?
Can I restore the "Guest Files", SQL objects, etc. from an encrypted VM backup?
What other constraints should I expect?

Thank you!
PTide
Product Manager
Posts: 6431
Liked: 729 times
Joined: May 19, 2015 1:46 pm

Re: Encrypted VMs

Post by PTide »

Hi,

The restore process is transparent for Veeam, so granular restores (FLR, SQL objects) should be possible.

Thanks
Andreas Neufert
VP, Product Management
Posts: 6747
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Encrypted VMs

Post by Andreas Neufert »

The VMware API for backup hands over unencrypted data to us. So you can use our regular restore methods as Pavel described above.
You can encrypt the backup data with Veeam as needed.
evo17paul
Lurker
Posts: 2
Liked: never
Joined: Aug 07, 2020 4:53 am
Full Name: Paul Crisp

Re: Encrypted VMs

Post by evo17paul »

Andreas,

Can you explain this process further for me please?
I am assuming you mean, regardless of an encrypted VM we can continue to restore files using the Mount Server method?

What protections are in place to stop a malicious user/backup administrator gaining access to file based information? I realise a level of trust is required, but more interested in knowing the process for file level restores under an encrypted VM.
Andreas Neufert
VP, Product Management
Posts: 6747
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Encrypted VMs

Post by Andreas Neufert » 1 person likes this post

It all depends on how the vendors implement backups of encrypted VMs. With Hyper-V the backup APIs will deliver the encrypted data to the backup application.

With VMware you will get unencrypted data whether you want it or not, as the backup APIs sit above the encryption layer.

Regarding security. Think about this. You can snapshot a VM and mount the snapshot disks to another VM and then access the data from there. In VMware's case you have to trust the Virtualization Admins and you have to trust the backup admins. The only way around it is to use software encryption within the VMs. We can usually restore there as well if the backup admin gets access to the codes or authentication methods.
evo17paul
Lurker
Posts: 2
Liked: never
Joined: Aug 07, 2020 4:53 am
Full Name: Paul Crisp

Re: Encrypted VMs

Post by evo17paul »

Thanks for the feedback, Andreas. It gives greater understanding overall; appreciate the feedback.
nokogerra
Enthusiast
Posts: 48
Liked: 4 times
Joined: Sep 09, 2015 3:12 am
Full Name: Anatoliy Kopylov

[MERGED] Backup of encrypted VMs

Post by nokogerra »

Hello there.

I have a few questions about the encrypted VM backup process and I can't find the answers in the documentation (or can't understand them).
At the moment I have vSphere 6.7u3 environment, but there are not so many differences with vSphere 7 in case of VM encryption (as far as I know). B&R 10a.

1. Why should the Veeam virtual appliance (proxy) be encrypted with the DEK, which is encrypted with the KEK from the same KMS? Ok, I can understand this requirement in the case of hot-add. You cannot add an encrypted VMDK to an unencrypted VM, so if you want to use hot-add transport to back up encrypted VMs with encrypted disks, then you have to encrypt the hot-add proxy. But why should I encrypt the proxy in the case of NBD transport? It should only pass the traffic from the vmk0 to the repo, am I wrong?

2. What happens with encrypted VMs during the backup process? They are not decrypted during the procedure, right? If so, then how does FLR work? Well, I can imagine the Linux-guest FLR: the helper is deployed in vSphere, the encrypted VMDK is mounted to the appliance from the backup, and ESXi, which runs the helper, just gets the KEK with the corresponding ID through the vCenter. That's why the helper appliance can use the encrypted VMDK (these are only my thoughts). But how does it work in the case of Windows FLR? Can Veeam request the KEK with the correct ID through the vCenter? Same doubts about 1-click restore.

3. This is a rhetorical question, but: if VMs are not decrypted during the backup, then there is no need to encrypt the backup files additionally, right?

4. Does anyone have the experience about how backup performance degrades in case of encrypted VMs? I mean the average magnification of backup window (e.g. 10% or 50%). AES-NI is available of course.

Thanks in advance.
nokogerra
Enthusiast
Posts: 48
Liked: 4 times
Joined: Sep 09, 2015 3:12 am
Full Name: Anatoliy Kopylov

Re: Backup of encrypted VMs

Post by nokogerra »

Okay, it seems this thread gives me almost all the answers I needed: vmware-vsphere-f24/encrypted-vms-t50763.html.