-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: encryption possible?
Hi Holger,
Encryption behavior didn't change, it's still not supported for Jet-based repositories.
-
- Influencer
- Posts: 11
- Liked: 2 times
- Joined: Mar 11, 2014 8:37 am
- Full Name: Holger Ernst
- Contact:
Re: encryption possible?
Hello Polina
Please clarify further:
Currently I assume that VBO doesn't encrypt my onPremise Jet-based backups. Documentation says "Backups in backup repositories must not be encrypted by 3rd party encryption software".
So even Bitlocker is not allowed. Is there any possible way for backup encryption on premise that Veeam could suggest?
Thanks
-
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: encryption possible?
I think you can use Bitlocker, because this would encrypt the data when it's written to the disk. The Veeam service itself is able to read the data as if it was unencrypted...
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: encryption possible?
HolgerE wrote: So even Bitlocker is not allowed. Is there any possible way for backup encryption on premise that Veeam could suggest?
Michael is spot on. You can still use the Bitlocker.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Mar 26, 2015 6:01 pm
- Contact:
Re: encryption possible?
Vitaliy,
Veeam Support has advised us that BitLocker isn't supported for a Veeam Office 365 backup repository. Do you know if this was due to errors reported or if it is just a recommended practice?
---
Has anybody else successfully implemented a VBO repository with BitLocker enabled?
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: encryption possible?
Did you contact our support team because you had issues with BitLocker or something else? I didn't hear anything from the dev team that it should not work, however, I can ask this question once again.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: encryption possible?
Just received the update from our RnD team. Using BitLocker is fully supported (though the job performance will be a bit lower), there must be some miscommunication between you and our support engineer. Thanks!
-
- Veeam Software
- Posts: 723
- Liked: 185 times
- Joined: Jun 05, 2013 9:45 am
- Full Name: Johan Huttenga
- Contact:
Re: encryption possible?
We've also gone ahead and updated the documentation for this. https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: encryption possible?
A request from 2016! +1
I would also very much like to request encryption on the database. If you cannot encrypt the Jet Blue DB at rest, then move to another system!
I really do not like the live/always-on database system because you cannot copy it or use backup-to-tape without stopping the related services, which I would really, really love to do. Backup-to-tape is the best defense against trouble of all kinds!
An administrator can go darkside, log into the server, stop the services, copy the DB and use it at home on another Veeam installation. Right? If the database would be encrypted, this cannot happen without access to the codes that lie in a physical vault residing next to the CEO. (for example)
Bitlocker is good and all, but not for people with admin access to the server, which can get stolen a lot easier than an encryption key.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: encryption possible?
e.rottier@svhw.nl wrote (Aug 30, 2021 1:50 pm): An administrator can go darkside, logs into the server, stops the services, copies the DB and uses it at home on another Veeam installation. Right? If the database would be encrypted, this cannot happen without access to the codes that lie in a physical vault residing next to the CEO. (for example)
Importantly, there's no protection against a Local Administrator, because in any case the backup server itself has to have and actively use all encryption keys to be able to encrypt data during backup (and decrypt it during restores). While Local Administrator can always extract or intercept anything from any application.
But considering this guy also has access to the almighty credentials that the backup server uses to extract all data from Office 365, they don't even need to jump through the hoops here... they can just create their own copy directly from the source
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: encryption possible?
Gostev wrote: But considering this guy also has access to the almighty credentials that the backup server uses to extract all data from Office 365
Isn't true I hope. Usually roles have separate access right? So the Exchange admin has those permissions, Azure admin global admin there etc. But the Windows server admin has those specific permissions.
I really hope (and I do think they are) the locally saved keys and credentials are locally encrypted as well so hackers can't extract them. This means this guy cannot get to the Office 365 credentials to steal them.
Edit: Also, it would be great if the Veeam consoles had permission management that is separate from the local admins.
-
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: encryption possible?
If you are a local admin, you could grab those credentials, because at a certain point they have to be decrypted to use them for the authentication on the Office 365 side. You could also reverse-engineer the encryption method and then decrypt them on your own. This all is proven by the famous sentence: You cannot trust trusted code on an untrusted system. Untrusted system is in this case the system where the bad admin is acting.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: encryption possible?
This adds no real security value either, because local admins can always get themselves any application-specific role. As long as a software has the functionality to assign a role to a particular account, then root can leverage this function directly to obtain the same for any account of their choosing. Or just write the corresponding value directly into the application's database.
Repeat after me: there's no protection against Local Admins and by the way, the ONLY difference with SaaS is that those admins work for some other company. So not only do you lose all control over the staff who have access to your data, but also the possibility to audit what they are doing. While all the same potential threats from those folks with root privileges to application servers are still there.
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: encryption possible?
Very true, but I strive to make it harder and take a lot more time to crack. The longer it takes to get to the data, the more likely they will give up or the value of the data goes down.
I would rather have an encrypted stolen than an unencrypted one.
Gostev wrote: there's no protection against Local Admins
Agree to disagree?
Ultimately, you are right. But I want the time in between to be as long and hard as possible.
For example, MS SQL also has a separate authentication system besides Windows/the domain. It works very well for them so far. I would've expected backups to be the same.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: encryption possible?
But likewise, this separate authentication gives no added protection whatsoever, as anyone with local administrator privileges on the SQL Server machine can always get themselves SA in about the same time it took me to type this. This is simply the reality of "as long and hard as possible" when it comes to trying to protect against root. Or simply put, it is usually a complete waste of time to even implement.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Mar 15, 2022 9:43 am
- Full Name: Marco Mandricardo
- Contact:
Re: encryption possible?
Any news about it?
Is the Object Storage the only way to achieve encryption?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: encryption possible?
No changes to this for JetDB. Object Storage is currently the only way.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 4
- Liked: never
- Joined: Sep 28, 2023 4:00 pm
- Full Name: Manuel Srienz
- Contact:
Re: encryption possible?
...a few years later, but I still miss the feature, unfortunately.
Encryption of data is now standard and mandatory, and Veeam is also very security-conscious.
Why is there still no solution?
I'm a VCSP and I can't offer and push Veeam 365 in my data center if all customer data (mail, OneDrive, Sharepoint) is stored unencrypted.
Is the feature in planning?
If not, why won't Veeam implement it?
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: encryption possible?
The feature is available when using object storage as a repository.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Sep 28, 2023 4:00 pm
- Full Name: Manuel Srienz
- Contact:
Re: encryption possible?
Hello Gostev,
Thanks for your reply, I know, but I will not buy an object storage for my customers to host data inside our area... ;-(
I would prefer a feature request. Veeam B&R and Agent also can do this by default.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: encryption possible?
Sure, but they also don't use JetDB
Note that you don't necessarily have to "buy" as there are object storage solutions that can run on general-purpose servers, including free and open-source.
For your planning purposes, realistically I don't expect us to enhance legacy JetDB-based storage platform significantly because it will always miss some critical capabilities which are technically impossible to deliver on it, such as immutable backups.
Object storage is the future.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Sep 28, 2023 4:00 pm
- Full Name: Manuel Srienz
- Contact:
Re: encryption possible?
ok thanks for your input, I will think about open source...
-
- Veteran
- Posts: 316
- Liked: 48 times
- Joined: Apr 07, 2015 1:53 pm
- Full Name: James Wilmoth
- Location: Kannapolis, North Carolina, USA
- Contact:
Re: encryption possible?
Try using MinIO. It's one of the most established S3-compatible gateways and is super easy to set up. You can use it to provide an S3-compatible target to your own storage hardware.
-
- Veeam Software
- Posts: 11
- Liked: never
- Joined: Sep 26, 2022 6:52 am
- Full Name: Praveen Sharma
- Contact:
Re: encryption possible?
Hi Team,
One of my customers is looking for encryption in VBO with an on-premises repository (SAN). Can you help me confirm if this is possible or do we have any solution for this?
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: encryption possible?
Hi Praveen,
Encryption is only available for object storage repositories and is not foreseen for on-premises Jet-based systems.
Thanks!