Comprehensive data protection for all workloads
Post Reply
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 »

We are looking to enable encryption across the board for local backups and backup copies, which should also carry over to backups to tape. We have Enterprise+ & EM deployed and have enabled password loss protection. We have done some testing and it all seems very straight forward.

Anything else that we need to consider before enabling this? Any "gotchas" that others have encountered?

One question that I have: it is recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?

Thanks in advance!
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by bdufour »

We enabled encryption at rest and in transit (veeam network traffic encryption), been running that for a while. Easy to set up and it just works. Seems to work well too, actually didn’t see much of a performance difference.

Enterprise manager has a lost password protection feature as well. That should help with password maintenance, if an issue were ever to arise around unknown passwords, ect.
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 »

Thanks. Have you guys tried to change the encryption password every so often? If so, what was the behavior when you tried restoring a backup with the old password?
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by bdufour »

Haven’t really had a need to change them - as no one who has access to backup infrastructure has left the company since implemented. we use different, very long and random, passwords per vm/backup, saved to it’s own encrypted password management database.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Gostev »

bdufour wrote: Jan 12, 2019 12:32 amSeems to work well too, actually didn’t see much of a performance difference.
This is because modern processors support hardware acceleration for the AES encryption algorithm that we're using.
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by bdufour » 1 person likes this post

Gostev,

Good to know, as we all know - typically encryption will add noticeable overhead, we were concerned about this for our replication traffic over mpls to the dr site. We were quite impressed and happy to find we didn’t encounter this. I’ve encouraged many of my admin friends that run veeam (most are) to consider in transit encryption, as well as backup file encryption.
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 »

Thanks for the input everyone! One more question I hope to have some feedback on:

It's recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Gostev »

Yes. However, keep in mind that Veeam will not ask you for a password if you're restoring from the same server that created the backup. It is only if you lost this server and/or are attempting to import [stolen] backup file into another server, when you need to provide the password.

You should also consider enabling password loss protection, see our User Guide (you can back those Enterprise Manager private keys up, if you decide to change them periodically as well).
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 »

Got it, thank you @Gostev as usual!
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 »

Sorry, one more question: does the Veeam B&R configuration backup also backup the key set generated on the Enterprise Manager? Or do those need to be backed up manually each time?
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Mike Resseler »

Hi wa15,
The configuration backup does not hold that key set so you will need to export it manually. The process is described here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Hope it helps
Mike
billcouper
Service Provider
Posts: 150
Liked: 30 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by billcouper »

What will happen to per-VM chains when encryption is enabled?
I am using ReFS extents, will the existing per-vm chains be maintained and block-cloning continue to work?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Gostev »

Encryption will not be enabled until the next full backup, which will create all new blocks with encrypted content - so you will see your disk space usage increase. From that point on, block cloning will be working again, now cloning those newly created encrypted blocks.
jim3cantos
Enthusiast
Posts: 59
Liked: 12 times
Joined: Jan 08, 2013 6:14 pm
Full Name: José Ignacio Martín Jiménez
Location: Madrid, Spain
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by jim3cantos »

Here also trying to implement encryption in our current configuration (9.5U4b). Up to now every path investigated seems to lead to a dead end when using the dummy job workaround if we want to keep backups encrypted at DR site too. So, as we also want to keep the posibility to run Datalabs at DR site, it seems to me that the only option is to "move" the backup server to DR site and "consolidate" with the one already there that currently is only responsible for replication from backup + surereplica (Datalab). Am I correct?
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by veremin »

Correct, in this case it's recommended to make one backup server responsible for both backup (replication) and SureBackup jobs. Thanks!
jim3cantos
Enthusiast
Posts: 59
Liked: 12 times
Joined: Jan 08, 2013 6:14 pm
Full Name: José Ignacio Martín Jiménez
Location: Madrid, Spain
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by jim3cantos »

jim3cantos wrote: Apr 29, 2020 11:30 am Here also trying to implement encryption in our current configuration (9.5U4b). Up to now every path investigated seems to lead to a dead end when using the dummy job workaround if we want to keep backups encrypted at DR site too. So, as we also want to keep the posibility to run Datalabs at DR site, it seems to me that the only option is to "move" the backup server to DR site and "consolidate" with the one already there that currently is only responsible for replication from backup + surereplica (Datalab). Am I correct?
It turns out that there is no incompatibility between the "dummy job" approach and encryption at DR site. You just specify once the encryption key for the "shared" repository and Veeam diligently stores it and doesn't ask for it anymore. So at the end may be the dummy (backup copy) job is going to outlive another Veeam release :)
Post Reply

Who is online

Users browsing this forum: david.domask, Google [Bot], srlarsen and 175 guests