Agentless, cloud-native backup for Amazon Web Services (AWS)
briancanfixit
Lurker
Posts: 2
Liked: never
Joined: May 16, 2025 7:39 pm
Full Name: Brian Rose

Limitation: Veeam encryption on AWS restores not supported

Post by briancanfixit »

We were in the process of validating our encryption controls and Disaster Scenario functionality when we discovered that Veeam does NOT support encryption for recovery to AWS EC2 instances when the backup is from on-prem VMs.

We have confirmed with Veeam support and the Veeam engineering teams that Veeam B&R requires you to restore the data to an unencrypted volume:
Unfortunately, restore to an encrypted AWS EC2 instance is not supported and that is due to a limitation that AWS have which does not allow to import encrypted volumes to a VM, listed in the link below as the third limitation.
https://docs.aws.amazon.com/vm-import/l ... rting.html
This issue is caused because of a workflow choice that Veeam uses for restoring the data. We proved that we can MANUALLY restore the disks to a separate system, and then, outside of Veeam, import the VM and maintain our data encryption. So we have proved that the issue is not with AWS, but is isolated to Veeam's restore workflows.

It is our understanding that the current Veeam process which does NOT support data encryption works as follows:
1) Veeam creates a helper appliance
2) Attaches an EBS volume to the helper appliance
3) Veeam reads backup data from the backup repository and writes it to the EBS volume (Copy #1)
4) Veeam takes a snapshot of the AWS EBS Volume (Copy #2)
5) Veeam imports the EBS volume into an AMI; Veeam uses the AWS import-image command, which does not support a source encrypted volume (Copy #3)
6) Veeam launches the AWS EC2 instance from the image (Copy #4)

We have created a Veeam support case ID# 07704706, but they cannot modify the code to find a workable solution.
briancanfixit
Lurker
Posts: 2
Liked: never
Joined: May 16, 2025 7:39 pm
Full Name: Brian Rose

Re: Limitation: Veeam encryption on AWS restores not supported

Post by briancanfixit »

I think the path forward can be achieved with one of the following workflows, right?

VMDK method:
1) Veeam restores the vmdk images to an S3 volume (Copy #1)
2) Veeam creates the disk containers.json
3) Veeam calls the aws import-image command, which DOES support encryption per example #3 https://docs.aws.amazon.com/vm-import/l ... image.html (Copy #2)
4) Veeam launches the AWS EC2 instance from the image (Copy #3)

OVA Method:
1) Veeam creates the helper appliance
2) Attaches an S3/EBS volume to the helper appliance as a staging area to save VMDK files (encrypted)
3) Veeam Helper Appliance reads backup data from the backup repository and writes the VMDK files (Copy #1)
4) Veeam Helper Appliance converts the VMDKs to an OVF/OVA (ovftool or similar) (Copy #2)
5) Veeam Helper Appliance imports the VM using the import-image AWS command (Copy #3)
6) Veeam launches the AWS EC2 instance from the image (Copy #4)
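
The VMDK method proposed in the post above, sketched as an added example (not code from the thread, from Veeam, or from AWS): it builds the disk-containers JSON for disk images staged in S3, builds an `aws ec2 import-image` call that always requests encryption, and checks `describe-import-image-tasks` output for tasks that did not end up encrypted under the expected key. The bucket name, object keys, KMS key ARN, task ids and function names are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the thread.
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET = "example-restore-staging"

def disk_containers(bucket, keys, fmt="vmdk"):
    """One entry per restored disk image, in the --disk-containers JSON shape."""
    if not keys:
        raise ValueError("no disk images to import")
    return [{"Description": f"restored disk {i}", "Format": fmt,
             "UserBucket": {"S3Bucket": bucket, "S3Key": key}}
            for i, key in enumerate(keys)]

def import_image_argv(containers_path, kms_key_id, description):
    """Build the import-image call; refuse to build one without a KMS key."""
    if not kms_key_id:
        raise ValueError("KMS key required: unencrypted import is not allowed")
    return ["aws", "ec2", "import-image", "--description", description,
            "--disk-containers", f"file://{containers_path}",
            "--encrypted", "--kms-key-id", kms_key_id]

def failed_encryption_check(tasks_response, expected_key):
    """Task ids from describe-import-image-tasks output that are unencrypted
    or encrypted under a key other than the expected one (compare full ARNs)."""
    return [t["ImportTaskId"]
            for t in tasks_response.get("ImportImageTasks", [])
            if not t.get("Encrypted") or t.get("KmsKeyId") != expected_key]

# Constructed describe-import-image-tasks output, trimmed to the fields checked.
SAMPLE_TASKS = {"ImportImageTasks": [
    {"ImportTaskId": "import-ami-EXAMPLE1", "Status": "completed",
     "Encrypted": True, "KmsKeyId": KMS_KEY},
    {"ImportTaskId": "import-ami-EXAMPLE2", "Status": "completed",
     "Encrypted": False},
    {"ImportTaskId": "import-ami-EXAMPLE3", "Status": "completed",
     "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
]}

if __name__ == "__main__":
    containers = disk_containers(BUCKET, ["vm/disk0.vmdk", "vm/disk1.vmdk"])
    print(json.dumps(containers, indent=2))
    print(" ".join(import_image_argv("containers.json", KMS_KEY, "restored VM")))
    print("tasks failing the encryption check:",
          failed_encryption_check(SAMPLE_TASKS, KMS_KEY))
```
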
veremin
Product Manager
Posts: 20689
Liked: 2385 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Re: Limitation: Veeam encryption on AWS restores not supported

Post by veremin »

You are correct, in order to create a target EC2 instance for a machine originating from non-cloud machines, we import the machine using an EBS volume snapshot. Currently, import from encrypted volume snapshots is not supported by AWS, resulting in the process failing with the error "Importing VM Error: Failed to import machine to Amazon EC2: Using an encrypted snapshot as input is not supported."

We have not planned to change our approach to restoring machines in AWS EC2 at the moment, but we will keep your request in mind for future versions of our product.

Thanks!