Are backups end-to-end encrypted?

[johnsmith]

I am using Veeam Agent for Windows with encryption enabled. I have been reading the Veeam docs and am a bit confused. I would think that encrypted backups cannot be restored without the encryption password. However, I see in the docs that there are situations where Veeam can restore files from a backup without the encryption password (see https://helpcenter.veeam.com/docs/backu ... ml?ver=110) or Veeam is saving encryption keys in the repository (see https://helpcenter.veeam.com/docs/backu ... ml?ver=110). Is this accurate? If yes, then what is the point of encryption?

[Mildur]

Hi John

Yes, it‘s accurate. Your Veeam server or Agent has access to the encryption key. It‘s required or you would have to provide the key each time you are running a backup session.

The encryption protects the content in the backup files from being accessed outside your veeam installation.
If the backup storage was stolen or the backup files were copied over network/internet to another location by an attacker.

Thanks
Fabian

[johnsmith]

Thank you for the timely response.

So, if I only use the Agent (no server), then the encryption keys are only on my computer and are never sent anywhere else. Is it possible for someone to hook up Veeam Backup Enterprise Manager and restore from the backups (that are stored offsite)? I assume no, because the encryption keys never leave my computer, but just making sure.

[Mildur]

Your welcome, John.

I assume no, because the encryption keys never leave my computer, but just making sure.

If you target your Veeam Agent backup to a Veeam Backup Repository, then the encryption keys are managed by the VBR Server and not the Agent. Everyone on this VBR Server can restore the files.

If you backup to a cloud connect repository, the encryption keys will be managed by the Veeam Agent. The Cloud Connect provider doesn't have access to the content without the password.

If you backup directly from the agent to a local drive or NAS, the key will also be managed by the agent. Only the agent on your machine can open the backup files. If someone gets access to the backup files, they require the decryption password.

Is it possible for someone to hook up Veeam Backup Enterprise Manager and restore from the backups (that are stored offsite)?

He would require a Veeam Backup & Replication Server or another Agent. But without the decryption password, he doesn't have access.

Thanks
Fabian

[johnsmith]

Thank you. This is very helpful.

[johnsmith]

Sorry, one more clarification question. I made a backup using the Agent only to a local drive. Now I am going to upload that backup offsite to cloud storage. Am I safe to upload the .vbm file? I looked inside the file and it contains information that I don't think are the encryption keys, but just want to check.

[Mildur]

Hi John

Is this a manual upload by yourself?

Yes it‘s safe. They keys in the metadata file (vbm) are encrypted and can only be decrypted on another computer or backup server with the password.

[johnsmith]

Yes, a manual upload by myself. (Well, using Rclone, actually.) I wish the Agent could write directly to object storage, but alas!

Thank you, this has been very helpful.

[Mildur]

Your welcome

I wish the Agent could write directly to object storage, but alas!

This feature is planned for our next version.