Encrypted Offsite Backup Files

[murdocmk]

"Storing the backup files on an encrypted volume is not enough. If the server OS is compromised then the encrypted volume is also - giving them direct access to the vbk's which can be imported without any form of password protection."

I agree with this, in terms of encrypting the volume not being "enough" .. but what can any backup software do to really be "enough"? Even if the backup data was encrypted the backup software still needs to be able to access that data. So wouldn't compromising the backup server also gain someone access to that data, even if the backup files themselves were encrypted? So in that regard I'm not sure encrypted backups are much different than an encrypted volume. Certainly in other ways there are differences ... encrypted backup files are safer to move around, for example.

It's just that at-rest encryption is not really a protection against active (live server) attacks, which is the scenario you describe. Other security controls should be in place to reduce those risks. I think that an encrypted volume answers the "at-rest" encryption problem in a relatively equivalent way to encrypted backup files. Either situation really just protects you from someone walking away with your disk drives. Neither situation really protects you from someone compromising live servers. What am I overlooking?

[alex76576575]

Lets suppose we replicate vbk files to various destinations - 3rd party cloud storage, intra-company remote storage, a USB hdd attached directly to a NAS device.

1) When backing up to a 3rd party cloud storage we cannot guarantee that some employee within that 3rd party company would not access our unencrypted vbk file.

2) An intra-company remote storage is controlled by us and is fully trusted, so we do not need to encrypt a vbk file

3) When backing up to a USB hdd we can easily encrypt the USB storage by means of a NAS device.
However in an event of a disaster (ie Fire) the NAS device may physically break and we will be stuck with an unreadable USB hdd, until a new NAS device, of similar maker, is ordered and arrived. Hence we have no choice, but to get rid of the weakest link and to copy unecrypted vbk onto the USB, so it can be read by any PC. Also increasing the risk of information leak if hdd is lost or stolen.

Also, as was already mentioned some compliance standards require that backup file is encrypted.

In total, vbk encryption is a much needed feature and it would remove a lot of administrative overhead, as well as allow Veeam to become a product of choice for companies that have to follow certain compiance requirements.

[cparker4486]

In total, vbk encryption is a much needed feature and it would remove a lot of administrative overhead, as well as allow Veeam to become a product of choice for companies that have to follow certain compiance requirements.

+1

[cinek]

is it possible to encrypt backups with veeam backup & replication? If not, are there any other options?

[bbowers]

In the recent forum blast they mentioned some cases in which TrueCrypt was causing backup file corruption. Every backup product I've ever used has had this functionality built-in. It would be nice to have the ability to encrypt the backups with a key/passphrase. Is this something in the works at some point?

It seems that many people are also forced to put together scripts and stuff to rotate to external drives. Veeam is a great backup product, but why can't I easily duplicate to external drives or tapes and encrypt yet?

[pendragoncrw]

+1 for the feature request. It is the only thing forcing us to use third-party tools for part of our backup life-cycle.

Chris

[stljack]

+1 for this feature request! Encrypted backups can be a requirement, and definately should be on the Veeam roadmap.

[cparker4486]

Hello,

My plan is to use 7-Zip's command line utility (7za.exe) to encrypt my VBK files with -mx0 (no compression). After encrypting the files I will send them to long-term storage (tape and Amazon Glacier to be specific). I think 7-Zip is about as simple as it gets.

By the way, this is mostly just an exploratory thing for me: find out how others do it. But I'd also be interested in hearing if the performance of your current system played a part in choosing it.

[dellock6]

I'm starting some tests with CloudBerry Explorer, it supports both Amazon S3 and Glacier (and other cloud storage too), and it can directly encrypt files while sending them, so all could be automated in one single process. Stay tuned

Luca.

[itdirector]

Luca, any update on your testing? I am looking an app like cloudberry to copy our VBR backups stored at our DR site to Amazon Glacier.
We have about 10TB of initial data, & I was planning on copying our monthly backups to Amazon, monthly.

[andersonts]

At the risk of sounding like a salesperson You might want to check out the new Veeam Cloud Edition as it supports this as well. You can upgrade/convert existing Veeam licensing. You can contact your preferred Veeam partner or find more information here: http://www.veeam.com/videos/veeam-backu ... -1990.html

Of course you will want to use whatever technology works the best for your needs!

[dellock6]

No, any update on it, too much "real" work in these weeks to have spare time for testing and blogging. Also, cloudberry is the software used to create Veeam Cloud Edition (looking at the screenshots and also to the binaries you can tell it) so I think every test with both software would give same results. Anyway, the draft post is istill there, I'll complete it one day...

Luca.

[KiwiJJ]

We backup to a removable USB drive that has a key inserted in the drive that provides hardware encrytption. Without this key the drive is unreadable. This is using the Addonics Saturn drive

[Martijn]

We write the .vbk file to tape weekly via Backup Exec. It encrypts the contents of the tape using the hardware encryption support on our tape drive.

[sdelacruz]

@Martijn
Do you only backup the vbk file? Have you tried doing a restore of from tape to disk then back to veeam?
I am having problems opening that vbk file on veeam onces restored back to disk.

[foggy]

Sam, what kind of problems do you have? Do you get any particular error while importing the VBK file into Veeam B&R console?

[Starman]

We are dealing with more and more clients who are asking the question "are your backups encrypted". I can see a valid and simple to implement this in Veeam as simple as setting a backup job up with a password needed to restore. Any chance at this?

[Vitaliy S.]

Hello Todd, for more info on the chances, please take a look at the existing discussion of this feature request.

[rsavo]

Dear All,

Is there any update on this with version 7 ?

My apologies if this is documented somewhere, I could not find a precise info about this

tx

[foggy]

No changes regarding that in v7.

[natrimac]

Any news on this. Looks like you guys have been kicking the can down the road on this for 4 versions now. We are PCI regulated business and are asking this question all the time by our clients and auditors. They aren't requiring it now, but they will be soon. Cmon guys this shouldn't be that hard to add.

[Gostev]

No news since the previous reply 3 weeks ago... we move fast, but not that fast

Currently, we only provide backup encryption in the Cloud Edition of our product (essentially, you can apply encryption to backups that are copied by Veeam Cloud Backup on-site or to the cloud). We are also working on integrating encryption right into the backup jobs.

[Fiskepudding]

Encryption directly in to the backup job would be very nice!

That’s the ONLY thing I miss from Acronis. You could set it directly on the job.

START
Probably the only thing that actually worked properly with their product
END

[Gostev]

It's hard to implement most basic encryption (like one found in competitive solutions) incorrectly, and it can probably be done in 1-2 weeks by a single developer. However, this kind of encryption may do more bad, than good eventually (may be a good topic for my next TechEd/VMworld session btw). We did not want to deliver this kind of implementation, we took our time and waited until we have resources to do it "right".

Sure, it all comes down to the same "checkbox" in the marketing document, but we always go beyond checkboxes and are thinking about addressing all the actual use cases around the functionality we are adding.

[larry]

What I have done with removable disks, usb sticks and internal drives is to use true crypt to mount the encrypted drive. It does require the admin to enter passwords each time the server is rebooted. ( You can auto-mount but…) When the drive is removed it is encrypted and can’t be accessed. I work for a bank and am required to have removable backups encrypted by policy. You can encrypt the whole drive or create a folder and mount as a drive. Veeam just uses as a drive. Just tested with my Veeam 7 and all worked as before. Regardless of if the device has its own encryption I encrypt the Veeam data, this way only a Veeam admin can access and no other admin’s. I have not tried some of the new Veeam tools for removable but don’t see any reason they would not work 100 percent. The speed going to a true crypt drives seems as fast as a normal drive (using same hardware) . I ran some tests and see no different in the time jobs run. Local disks on a backup copy job runs about 150 MB/s. I could easily change all backups to be encrypted by creating the repository as a true crypt location.

Steps 1 Create true crypt volume ( I use mostly encrypted file container )
Step 2 Select and mount file container assigning it a drive letter
Step 3 Use drive letter in veeam as normal. I have test as making it a Backup Repository. Then when I select Encrypted-DR-SiteA as my repository I know it it going to an encrypted spot. If a non veeam admin was to take the disk they cannot read any data as it is all encrypted.

Hope this solves your issue.

[Fiskepudding]

Larry, we also use TrueCrypt on the disks we take offsite.
We Encrypt the disk, copy off the latest full backup to this disk, and yes, it works.
Regardless, I would say it is more convenient to encrypt the archive, and not the entire disk.
And not relay on a third party tool to read the backup file in case you need it down the line.

Don’t get me wrong, TrueCrypt is a great product, to encrypt an entire disk/system or just "General purpose".
But for encrypting a few backup files, I don’t feel it is optimal. So we still hope for some encryption options directly in Veeam

[larry]

We mount the encrypted disk and let the daily backups go to it. So besides the monthly reboot which is when we need to remount the volumes it just works.

If Veeam does add encryption to the backups I need the encryption to be a standard that I can choose. With out using (AES256) or someother standard I would need to prove it is safe. This is why I still use backupexec to send to tape, I need an accepted encryption.

[Fiskepudding]

If they do it "right", like Anton says, I am sure you can will find an acceptable standard in the options.. if not I too would be disappointed.

[natrimac]

So the lingering issue is for those of us who D2D2D backups and don't backup to removable storage what's the option other than tru crypt or some other FDE path?

[Fiskepudding]

As of now, you dont have any other options then what you suggest yourself, TrueCrypt or some other FDE solution.