Encryption Standard

[richie94127]

Hello,
I'm exploring using Veeam Agent for Windows and Veeam B&R for Windows Server for our company. I can't find what type of encryption Veeam Agent for Windows and B&R for Windows Server use. I've done Google searches, support forum searches and read the user guides for the information. The user guides only mention specifically that VMware VSphere and Microsoft Hyper-V use AES256 encryption under the Encryption Standard articles. If they specify the encryption standards for those types of backups, I wonder if the encryption standards for the Agent and B&R for Windows Server are different. Why is there no mention of the encryption standards in the respective user guides. It would be nice not to assume that it carries the same type over and it is stated in some official article, release note, etc, that the encryption standard is for these other backups are AES256 as well; i.e. CYA.
Thanks in advance.

[Gostev]

Hello! All of our image-level backup products share the single engine and backup format, so all low-level stuff is the same. Thanks!

[richie94127]

It is possible to update this article, "https://helpcenter.veeam.com/docs/backu ... ml?ver=100", and other articles to state that it uses the same engine encryption engine with AES256? It's interesting that the article mentions the data is just encrypted at the source without the mention of encryption strength. However, the same article mentions that you are allowed to encrypt during transport at AES 256. In other words, why mention AES256 for transport but not actual source-side encryption?

As of 1/31/2020, the article states:
"Veeam Backup & Replication uses the block cypher encryption algorithm. Encryption works at the source side. Veeam Backup & Replication reads VM or file data, encodes data blocks, transfers them to the target side in the encrypted format and stores the data to a file on the backup repository or archives the data to tape. Data decryption is also performed on the source side: Veeam Backup & Replication transfers encrypted data back to the source side and decrypts it there."
And:
"Beside the job-level encryption, Veeam Backup & Replication allows you to encrypt network traffic going between the primary site and the disaster recovery site. Network traffic encryption is configured as part of global network traffic rules that are set for backup infrastructure components. For network traffic encryption, Veeam Backup & Replication uses the 256-bit Advanced Encryption Standard (AES)."

In addition, it seems like it is a configuration setting that can be adjusted or turned off when it states "allows you" and that the rules are configured.

I know I'm splitting hairs but it seems like this article and others can be updated easily to reflect the information more clearly.

[richie94127]

In addition, I don't see any mention on the website. I would think it would be sales point, as to the level of encryption and state it clearly that Veeam uses some sort of military grade encryption standard.

I did find on the comparison chart, "https://www.veeam.com/products-edition-comparison.html", that End to End encryption of Community and Standard Editions of B&R is "Partial". What does that mean?

[Dima P.]

Hello Richard,

It is possible to update this article

It's mentioned under Encryption Standards chapter.

In other words, why mention AES256 for transport but not actual source-side encryption?

The detailed explanation on how encryption can be applied to the backup jobs is here Encrypted Objects.

In addition, it seems like it is a configuration setting that can be adjusted or turned off when it states "allows you" and that the rules are configured.

Correct. For the backup jobs you are the one to decide if backup encryption should be configured or not. Network traffic encryption is optional as well and can be configured via network settings.

End to End encryption of Community and Standard Editions of B&R is "Partial". What does that mean?

All editions include at-source (during backup), in-flight (network traffic) and at-rest (tape) encryption. Enterprise and Enterprise Plus editions also include lost password protection. To learn more about Enterprise Manager's password loss protection, kindly, check this article Managing Encryption Keys. Hope it helps!