I would like to backup whole Windows Server with VBR using Veeam Agent backup managed from that server (it is running at VMware VM but as I understand gifted VUL licences to socket based Veeam Essentials Enterprise Plus can be used only for Agent based backups, we do not have socket based licence to ESXi server at DR site, on which VM with VBR is running on). Backups should be encrypted. Target of that backup should be that backup proxy in primary, but I do not want to this proxy to see any data from that backup in unencrypted form, as my concern is that someone can hack our primary site then from that backup extract access data to VBR at DR site and delete our backups. I would like no access from primary to VBR allowed, only when initiated from VBR. I hope that when VBR initiates copy backup from that backup proxy at primary to offsite backup server at DR, that it does not open door for attacker to delete data at offsite copy backup server.
According to help (https://helpcenter.veeam.com/docs/backu ... ml?ver=110) encryption when target is Veean backup repository is done at VBR, which I interpret in our case as at backup proxy which has that repository as local disk space, or encryption is done at Veeam Agent computer if target is network share.
So solution to my problem can probably be: create network share at that backup proxy, and VBR creates network share repo and set is as target.
Other possible solution could be: Veeam Agent backup to offsite server at DR (used as copy backups target) with encryption enabled, then copy backup to backup proxy at primary with encryption enabled, but I do not see in help if encryption is in that case done at source or at target. Only I have found this post veeam-backup-replication-f2/encryption- ... 24065.html which claims that:
"If using a backup job with encryption specified, Veeam will unencrypt the data before sending it to my DR site. It will then re-encrypt the data before flight. My WAN accelerator will not be able to dedupe the data" and "Veeam handles transmitting data via the build-in WAN accelerator:
3. Data blocks are passed to the target backup repository in the unencrypted format.
4. Received data blocks are encrypted on the target site and stored to a resulting backup file on
the target backup repository."