Veeam Encryption versus Proliant Encryption

[gingerdazza]

Hi.
I need to encrypt backups, and I'm trying to decide whether encryption would be best served within Veeam jobs, or at the local storage level on the HP Proliant kit. I recognise that the Veeam encryption will have a higher impact on CPU, and that the storage level benefits from ensuring that any files on the storage are encrypted, but would be grateful for any opinion or insight into what's best here?

[Mildur]

Hi

Protection on storage level helps you to protect your data if hardware would be stolen. But it will not protect the data if the veeam backup files will be copied directly from the backup repo over the network or directly on the server per usb stick.

Veeam Encryption helps you to protect the data inside the veeam backup files. So if a intruder gets access to the backup files (network or physically), he can‘t read the backup files without the decryption password. The only exception, if he has access to the veeam backup server, backup files can be opened. But that‘s also possible with storage encryption.

Veeam Encryption should be used, if you want to have most of encrypted backup files. It‘s worth the cost of additional cpu resource. Should‘t be that much impact with modern cpus.

If you want to know more about why you need to protect the backup files with veeam encryption, I can recommend to watch Michaels and Ricks Tech Bites session from last week:

https://youtu.be/rXbIhshneB0

[gingerdazza]

...thanks. Is there a way, perhaps policy, to enforce encryption on all Veeam activities?

[Mildur]

Your welcome.

I don‘t know such a policy or registry key. In my opinion, it‘s better to choose enabling encryption by yourself.

Make sure, that you encrypt all backup and backup copy jobs. If you activate encryption on existing jobs, be aware that you need to run an active full backup before veeam starts to encrypt the backup files.

And if you want to have data transport encryption between the veeam components inside your subnets, you must enable it in the global network traffic rules. It is only enabled for connections to public networks by default.

[gingerdazza]

Thanks, yes aware of the active full situation, and encryption-in-transit options.

At the absolute least I would have expected a Veeam ONE report that would alert you to unencrypted files/jobs. You need some way operationally keep tabs on such an important setting without looking at the individual properties of each and every job regularly.

[Mildur]

You can use Veeam One Report Job Configuration Dump to get a list of all backup jobs to have an overview about the encryption settings.

And for changes on existing job, use the Job Configuration Change Tracking Report.

There is a open FR in the forum about having alarms for the encryption settings in a backup job.

[gingerdazza]

...I dare say it's belt and braces if we actually implement BOTH Veeam and storage based encryption, right?

[rennerstefan]

That is correct. As commented above there is two different reasons. One is more to protect is physically from the server/disks being stolen.
The other is for the data being copied.
I honestly see more customers that care about the backup files and enable it in Veeam than on the hardware side as, if you have physical restrictions on who can access and go to the room where server/storage are places, it is very unlikely that someone will steel the hardware it self. And even then, as long as the VBR server is not on that same box, they won't be able to read the Veeam backup files if the are encrypted.

So long story short, enable Veeam encryption and optional the hardware one if you need additional protection.
But keep on mind that both encryptions always consume performance and you should make sure you remember how you did it and where in case you want to change it later.

Thanks