Discussions related to using object storage as a backup target.
sandroalves
Expert
Posts: 131
Liked: 4 times
Joined: Mar 15, 2020 3:56 pm
Full Name: Sandro da Silva Alves
Contact:

Enable backup file encryption and data upload to object storage

Post by sandroalves »

Hi,

We are evaluating the storage security of our backups and have verified that we can encrypt these backups.

There are two options: (Enable backup file encryption) to encrypt data locally, and (Encrypt data upload to object storage) to encrypt data uploaded to Azure.

Doubts:

1 - If I lose the Veeam server, will I be able to restore the backups on a new server that were protected with encryption? Or will I need to restore the Veeam Backup server (settings/database) to restore my backups?

1 - When I send the data to Azure so that when the data is stored in Azure they will be saved with (backup file encryption) because on-premises was enabled.

2 - If the data is already encrypted, why do I need to use the option (Encrypt data upload to object storage)? Or I don't need to encrypt the backup in place and I can just use the (Encrypt data upload to object storage) option.

Thanks.
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Enable backup file encryption and data upload to object storage

Post by Gostev »

Hi,
1 - You can import backups into a brand new Veeam server.
1 - That is correct.
2 - You don't need to use the option in this case. Double encryption rarely makes sense.
Thanks!

Re: Enable backup file encryption and data upload to object storage

Post by sandroalves »

Hi,

Regarding the import: the last time I lost the Veeam server, I just imported the repository using the location where the backup was made and scanned it, all right. I installed the new Veeam backup!

I've used other solutions where these keys were inside the backup server's database, that is, I could only restore the encrypted backup if I had the same database as the backup tool where it was configured.

Now, enabling encryption in Veeam, I was worried! I wonder how this whole procedure will happen if it happens again.

Our concern initially was to protect the data that is sent to Azure, that is, if I use (Encrypt data upload to object storage) it encrypts the data transit, but will it be stored without encryption?

If I need to restore from Azure blob will it ask for this key?

As you said, using both options doesn't make sense so I'm in doubt: If I need to worry about data security during transmission, then I would just use upload encryption.

Now if I can encrypt the data on the spot without having any dependency on the current veeam server in case of a restore, I will already send the encrypted data so I don't need another one to send.

In what situation does the person only use encryption for upload?

Thanks.

Re: Enable backup file encryption and data upload to object storage

Post by Gostev »

Yes, of course you will need to provide the password before you can restore from imported encrypted backups.

An example of such a situation is when you're backing up to a deduplicating storage and thus cannot use backup encryption without ruining your dedupe ratio. In this case you will have unencrypted backups on-prem, and as such you will want to use encryption for upload.

Re: Enable backup file encryption and data upload to object storage

Post by sandroalves »

Hi,

When using encryption, do I have any penalty?

Any loss of dedup, disk space or other situation?

Or the only care is to have the password to decrypt... :)

Thanks.
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Enable backup file encryption and data upload to object storage

Post by veremin »

Enabling encryption should not lead to any negative consequences from Veeam's perspective. Thanks!

Re: Enable backup file encryption and data upload to object storage

Post by Gostev » 1 person likes this post

Encryption used to come with a performance penalty, but nowadays this consideration is largely irrelevant because all modern processors support AES encryption in hardware.

The only considerations are:
1. Guaranteed major impact on 3rd party data reduction technologies involved in storing or transferring backup files.
2. Restores are made harder in a DR event as you'll be required to supply the encryption password.
3. The encryption password can be forgotten, which happens way too often unfortunately. In this case you're basically done (unless you had password loss protection in Veeam).

Please note that for backup encryption we recommend using a complex password of 12 or more symbols. This is because stolen backups can be brute forced as fast as your hardware allows, as there's no "lock out" after a few incorrect tries.
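
Added example (not part of the thread and not Veeam's code): why backup encryption defeats a deduplicating target, the point made in the earlier reply about deduplicating storage and in consideration 1 above. It assumes fixed-size chunk dedup, a fresh random nonce per backup file, a toy SHA-256 counter-mode cipher standing in for AES, and constructed backup data.

```python
import hashlib
import os

CHUNK = 4096  # assumed fixed dedup chunk size; real appliances vary

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Not AES, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def dedupe_ratio(files) -> float:
    """Logical bytes divided by bytes stored after chunk-level dedup."""
    seen = set()
    logical = stored = 0
    for blob in files:
        for off in range(0, len(blob), CHUNK):
            chunk = blob[off:off + CHUNK]
            logical += len(chunk)
            digest = hashlib.sha256(chunk).digest()
            if digest not in seen:       # only never-seen chunks cost space
                seen.add(digest)
                stored += len(chunk)
    return logical / stored

def make_restore_points(n=5, chunks=64, changed=2, seed=b"constructed"):
    """Constructed sample: n full backups, each changing 2 of 64 chunks."""
    def block(tag: bytes) -> bytes:
        return hashlib.sha256(seed + tag).digest() * (CHUNK // 32)
    state = [block(bytes([i])) for i in range(chunks)]
    points = []
    for day in range(n):
        for c in range(changed):
            state[(day * changed + c) % chunks] = block(b"day%d-%d" % (day, c))
        points.append(b"".join(state))
    return points

def compare(key: bytes = b"k" * 32):
    """Return (dedupe ratio of plaintext backups, ratio of encrypted backups)."""
    plain = make_restore_points()
    # Fresh nonce per file: identical plaintext chunks become unrelated ciphertext.
    enc = [toy_encrypt(key, os.urandom(16), p) for p in plain]
    return dedupe_ratio(plain), dedupe_ratio(enc)

if __name__ == "__main__":
    p, e = compare()
    print(f"plaintext dedupe ratio: {p:.2f}:1, encrypted: {e:.2f}:1")
```

On this constructed data the unencrypted restore points dedupe at about 4.4:1, while the encrypted copies of the same data store at 1:1.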

Re: Enable backup file encryption and data upload to object storage

Post by sandroalves »

Hi,

Thanks for the answers.

I don't understand when it says "Veeam password loss protection?"

I also don't understand why the backup in object storage doesn't show the key saying it's protected with encryption.

Does it only appear when I enable local disk encryption?

Thanks.

Re: Enable backup file encryption and data upload to object storage

Post by Gostev » 1 person likes this post

Hi,

Regarding password loss protection, please refer to the User Guide as there's a lot to uncover for a forum post.

Yes, it looks like the key only appears for backup job level encryption, but not for repository level encryption.

Thanks!