Hi currently I backup directely to Wasabi from my VBR server. Is it good practice to encrypt this backups ?
(These are immutable backups) Any performance issue when doing this ? Please provide any useful information
-
TDG
- Enthusiast
- Posts: 57
- Liked: 9 times
- Joined: Jun 01, 2023 11:28 am
- Contact:
-
TDG
- Enthusiast
- Posts: 57
- Liked: 9 times
- Joined: Jun 01, 2023 11:28 am
- Contact:
Re: Encrypting backups on Wasabi
A quick search says Wasabi encrypt all data so do we need to encrypt on the client side ?
Encryption Options in Veeam for Wasabi:
Client-Side Encryption (Veeam's Encryption):
• Veeam can encrypt data before sending it to Wasabi, offering an extra layer of security.
• This is configured within the backup job settings, where you can choose to encrypt the backups and specify a password or KMS server.
• When using a password, Veeam generates a secret key to encrypt the data encryption keys.
• When using a KMS server, Veeam obtains an asymmetric KMS key.
• The encrypted data is then sent to the Wasabi repository.
Server-Side Encryption (Wasabi's Encryption):
• Wasabi encrypts all data stored on its platform using AES 256-bit encryption by default.
• This encryption is applied automatically to each storage object.
• The encryption keys are securely managed by Wasabi and used for decryption when the data is accessed.
• You can also use Server-Side Encryption with Customer-provided keys (SSE-C) for more control over the encryption keys, but you are responsible for managing these keys.
Encryption Options in Veeam for Wasabi:
Client-Side Encryption (Veeam's Encryption):
• Veeam can encrypt data before sending it to Wasabi, offering an extra layer of security.
• This is configured within the backup job settings, where you can choose to encrypt the backups and specify a password or KMS server.
• When using a password, Veeam generates a secret key to encrypt the data encryption keys.
• When using a KMS server, Veeam obtains an asymmetric KMS key.
• The encrypted data is then sent to the Wasabi repository.
Server-Side Encryption (Wasabi's Encryption):
• Wasabi encrypts all data stored on its platform using AES 256-bit encryption by default.
• This encryption is applied automatically to each storage object.
• The encryption keys are securely managed by Wasabi and used for decryption when the data is accessed.
• You can also use Server-Side Encryption with Customer-provided keys (SSE-C) for more control over the encryption keys, but you are responsible for managing these keys.
-
tyler.jurgens
- Veeam Software
- Posts: 430
- Liked: 256 times
- Joined: Apr 11, 2023 1:18 pm
- Full Name: Tyler Jurgens
- Contact:
Re: Encrypting backups on Wasabi
Back when I worked for service providers, I'd always recommend the customer encrypt their own backups, even if we had the capability to do so. When you encrypt your backups the encryption is in your control. When another entity (Wasabi, etc) encrypts your backups you're trusting them to do that for you.
Additionally, if someone gets access to your Wasabi account somehow, they could gain access to your backups by connecting another VBR server to that bucket. If you control your own keys they would have to not only gain access to that bucket, but also the encryption key you used.
Control your own destiny is my advice.
Additionally, if someone gets access to your Wasabi account somehow, they could gain access to your backups by connecting another VBR server to that bucket. If you control your own keys they would have to not only gain access to that bucket, but also the encryption key you used.
Control your own destiny is my advice.
Tyler Jurgens
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
Who is online
Users browsing this forum: No registered users and 13 guests