Maintain control of your Microsoft 365 data
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: encryption possible?

Post by Polina »

Hi Holger,

Encryption behavior didn't change, it's still not supported for Jet-based repositories.
HolgerE
Influencer
Posts: 11
Liked: 2 times
Joined: Mar 11, 2014 8:37 am
Full Name: Holger Ernst
Contact:

Re: encryption possible?

Post by HolgerE »

Hello Polina
Please clarify further:
Currently I assume that VBO doesn't encrypt my onPremise Jet-based backups. Documentation says "Backups in backup repositories must not be encrypted by 3rd party encryption software".
So even Bitlocker is not allowed. Is there any possible way for backup encryption on premise that Veeam could suggest?
Thanks
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: encryption possible?

Post by mcz »

I think you can use BitLocker, because this would encrypt the data when it's written to the disk. The Veeam service itself is able to read the data as if it was unencrypted...
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: encryption possible?

Post by Vitaliy S. »

HolgerE wrote: So even Bitlocker is not allowed. Is there any possible way for backup encryption on premise that Veeam could suggest?
Michael is spot on. You can still use the Bitlocker.
schurmanryan
Lurker
Posts: 1
Liked: never
Joined: Mar 26, 2015 6:01 pm
Contact:

Re: encryption possible?

Post by schurmanryan »

Vitaliy,

Veeam Support has advised us that BitLocker isn't supported for a Veeam Office 365 backup repository. Do you know if this was due to errors reported or if it is just a recommended practice?

---

Has anybody else successfully implemented a VBO repository with BitLocker enabled?
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: encryption possible?

Post by Vitaliy S. »

Did you contact our support team because you had issues with BitLocker or something else? I didn't hear anything from the dev team that it should not work, however, I can ask this question once again.
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: encryption possible?

Post by Vitaliy S. »

Just received the update from our RnD team. Using BitLocker is fully supported (though the job performance will be a bit lower), there must be some miscommunication between you and our support engineer. Thanks!
johan.h
Veeam Software
Posts: 723
Liked: 185 times
Joined: Jun 05, 2013 9:45 am
Full Name: Johan Huttenga
Contact:

Re: encryption possible?

Post by johan.h » 2 people like this post

We've also gone ahead and updated the documentation for this. https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50
e.rottier
Influencer
Posts: 22
Liked: 2 times
Joined: May 06, 2021 1:45 pm
Contact:

Re: encryption possible?

Post by e.rottier »

A request from 2016! :) +1

I would also very much like to request encryption on the database. If you cannot encrypt the Jet Blue DB at rest, then move to another system!
I really do not like the live/always-on database system because you cannot copy it or use backup-to-tape without stopping the related services, which I would really, really love to do. Backup-to-tape is the best defense against trouble of all kinds!

An administrator can go darkside, logs into the server, stops the services, copies the DB and uses it at home on another Veeam installation. Right? If the database would be encrypted, this cannot happen without access to the codes that lie in a physical vault residing next to the CEO. (for example)

Bitlocker is good and all, but not for people with admin access to the server, which can get stolen a lot easier than an encryption key.
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: encryption possible?

Post by Gostev » 1 person likes this post

e.rottier@svhw.nl wrote: Aug 30, 2021 1:50 pm An administrator can go darkside, logs into the server, stops the services, copies the DB and uses it at home on another Veeam installation. Right? If the database would be encrypted, this cannot happen without access to the codes that lie in a physical vault residing next to the CEO. (for example)
Importantly, there's no protection against a Local Administrator, because in any case the backup server itself has to have and actively use all encryption keys to be able to encrypt data during backup (and decrypt it during restores). While Local Administrator can always extract or intercept anything from any application.

But considering this guy also has access to the almighty credentials that the backup server uses to extract all data from Office 365, they don't even need to jump through the hoops here... they can just create their own copy directly from the source ;)
e.rottier
Influencer
Posts: 22
Liked: 2 times
Joined: May 06, 2021 1:45 pm
Contact:

Re: encryption possible?

Post by e.rottier »

Gostev wrote: But considering this guy also has access to the almighty credentials that the backup server uses to extract all data from Office 365
Isn't true I hope. Usually roles have separate access right? So the Exchange admin has those permissions, Azure admin global admin there etc. But the Windows server admin has those specific permissions.

I really hope (and I do think they are) the locally saved keys and credentials are locally encrypted as well so hackers can't extract them. This means this guy cannot get to the Office 365 credentials to steal them.

Edit: Also, it would be great if the Veeam consoles has permission management that are separate from the local admins. :lol:
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: encryption possible?

Post by mcz » 1 person likes this post

If you are a local admin, you could grab those credentials, because at a certain point they have to be decrypted to use them for the authentication on the Office 365 side. You could also reverse-engineer the encryption method and then decrypt them on your own. This all is proven by the famous sentence: You cannot trust trusted code on an untrusted system. Untrusted system is in this case the system where the bad admin is acting.
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: encryption possible?

Post by Gostev » 1 person likes this post

e.rottier wrote: Sep 01, 2021 2:48 pm Edit: Also, it would be great if the Veeam consoles has permission management that are separate from the local admins. :lol:
This adds no real security value either, because local admins can always get themselves any application-specific role. As long as a software has the functionality to assign a role to a particular account, then root can leverage this function directly to obtain the same for any account of their choosing. Or just write the corresponding value directly into the application's database.

Repeat after me: there's no protection against Local Admins ;) and by the way, the ONLY difference with SaaS is that those admins work for some other company. So not only you lose all control over the staff who has access to your data, but also the possibility to audit what they are doing. While all the same potential threats from those folks with root privileges to application servers are still there.
e.rottier
Influencer
Posts: 22
Liked: 2 times
Joined: May 06, 2021 1:45 pm
Contact:

Re: encryption possible?

Post by e.rottier »

mcz wrote: Sep 01, 2021 3:50 pm if you are a local admin, you could grab those credentials, because at a certain point they have to be decrypted to use them for the authentication on the office 365 side.
Very true, but I strive to make it harder and take a lot more time to crack. The longer it takes to get to the data, the more likely they will give up or the value of the data goes down.
I would rather have an encrypted stolen than an unencrypted one.
Gostev wrote: there's no protection against Local Admins
Agree to disagree? :)
Ultimately, you are right. But I want the time in between to be as long and hard as possible.

For example, MS SQL also has a separate authentication system besides Windows/the domain. It works very well for them so far. I would've expected backups to be the same.
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: encryption possible?

Post by Gostev » 1 person likes this post

e.rottier wrote: Sep 06, 2021 2:55 pm For example, MS SQL also has a separate authentication system besides Windows/the domain. It works very well for them so far. I would've expected backups to be the same.
But likewise, this separate authentication gives no added protection whatsoever, as anyone with local administrator privileges on the SQL Server machine can always get themselves SA in about the same time it took me to type this. This is simply the reality of "as long and hard as possible" when it comes to trying to protect against root. Or simply put, it is usually a complete waste of time to even implement.
marco.mandricardo
Lurker
Posts: 2
Liked: never
Joined: Mar 15, 2022 9:43 am
Full Name: Marco Mandricardo
Contact:

Re: encryption possible?

Post by marco.mandricardo »

Any news about it?
Is the Object Storage the only way to achieve encryption?
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: encryption possible?

Post by nielsengelen »

No changes to this for JetDB. Object Storage is currently the only way.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
ManuelS
Novice
Posts: 4
Liked: never
Joined: Sep 28, 2023 4:00 pm
Full Name: Manuel Srienz
Contact:

Re: encryption possible?

Post by ManuelS »

...a few years later, but I still miss the feature, unfortunately.
Encryption of data is now standard and mandatory, and Veeam is also very security-conscious.
Why is there still no solution?

I'm a VCSP and I can't offer and push Veeam 365 in my data center if all customer data (mail, OneDrive, Sharepoint) is stored unencrypted.

Is the feature in planning?
If not, why won't Veeam implement it?
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: encryption possible?

Post by Gostev » 1 person likes this post

The feature is available when using object storage as a repository.
ManuelS
Novice
Posts: 4
Liked: never
Joined: Sep 28, 2023 4:00 pm
Full Name: Manuel Srienz
Contact:

Re: encryption possible?

Post by ManuelS »

Hello Gostev,

Thanks for your reply, I know, but I will not buy an object storage for my customers to host data inside our area... ;-(

I would prefer a feature request. Veeam B&R and Agent also can do this by default
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: encryption possible?

Post by Gostev »

Sure, but they also don't use JetDB :D

Note that you don't necessarily have to "buy" as there are object storage solutions that can run on general-purpose servers, including free and open-source.

For your planning purposes, realistically I don't expect us to enhance legacy JetDB-based storage platform significantly because it will always miss some critical capabilities which are technically impossible to deliver on it, such as immutable backups.

Object storage is the future.
ManuelS
Novice
Posts: 4
Liked: never
Joined: Sep 28, 2023 4:00 pm
Full Name: Manuel Srienz
Contact:

Re: encryption possible?

Post by ManuelS »

ok thanks for your input, I will think about open source...
TitaniumCoder477
Veteran
Posts: 316
Liked: 48 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth
Location: Kannapolis, North Carolina, USA
Contact:

Re: encryption possible?

Post by TitaniumCoder477 »

Try using MinIO. It's one of the most established S3-compatible gateways and is super easy to set up. You can use it to provide an S3-compatible target to your own storage hardware.
praveen.sharma
Veeam Software
Posts: 11
Liked: never
Joined: Sep 26, 2022 6:52 am
Full Name: Praveen Sharma
Contact:

Re: encryption possible?

Post by praveen.sharma »

Hi Team,

One of my customers is looking for encryption in VBO with an on-premises repository (SAN). Can you help me confirm if this is possible or do we have any solution for this?
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: encryption possible?

Post by Polina »

Hi Praveen,

Encryption is only available for object storage repositories and is not foreseen for on-premises Jet-based systems.

Thanks!