encryption possible?

[mcz]

Hi guys,

I am missing the functionality to encrypt my office365 backup. Is this not part of the beta?
By the way: Will there be a full integration into veeam b & r when the product goes rtm?

Thank you!

[russell01]

+1 for this - Encryption is a must have feature

[Vitaliy S.]

What kind of integration are you searching for? Do you want to use backup repository encryption, backup copy jobs and built-in Explorer functionality?

[mcz]

the backup itself should be encrypted and it would be nice to manage the whole office 365-thing from the common b & r console. But I would say encryption is a must have.

[Vitaliy S.]

Ok, thanks for sharing your ideas! When this product goes GA, there will be no integration with Veeam B&R, however based on the feedback we receive, it can be added in our next releases.

[akz11]

+1 for encryption at rest.

[Mike Resseler]

Hi @akz11,

Encryption at rest is not included at this moment. The data is also stored in a running database of the type Jet Blue. Does bitlocker on the volume where you store your data a solution?

[mcz]

Hi Mike,

any news? I know that it's not that easy to implement encryption with Jet Blue databases but you know, compliance and (data) security is a very important part, especially when you are using air-gapped-backups which are not on premises...

[Mike Resseler]

Michael,

Not sure what you mean by this. If you use air-gapped-backups, does that mean you backup the VBO VM with VBR? In that case you can put encryption on the backup?

[mcz]

Mike I mean we are copying repository's content to another location. Unfortunatley our backup repository is on a NAS (iSCSI) and therefore we cannot backup it up via veeam (or better said not yet )

[Mike Resseler]

In that case, still no encryption. As said above, bitlocker is a way to do it, but I guess that won't work on your NAS either. I am not aware of potential encryption on a JetBlue database at this moment but to restore data, you will need the organization username and password.

Just opening the database will give you a lot of columns and tables, but it won't make any sense

[quincy71q]

Mike

I would like to start hosting tenets data on my environment, I can split the tenets so that they cant see each other data but what stops anyone on the SP side from accessing any data in the backups.
Ideally each tenet should be able to encrypt/lock down a backup so that I as service provider don't have access to the whole organisations email

[Mike Resseler]

Hi Quicncy,

Understood the use-case. But as you can see above we don't have it at this moment. This is certainly something we have in mind but the next version won't contain it. We are focused on delivering the SharePoint and OneDrive requirements first. After that we can put it on the table again

[krakhger]

Hi all!
I am hosting office 365 backup for some small tenants. This is because they have only Laptops and iOS devices and no infrastructure for doing Office365 Backup.


I figured out that on my infrastructure I can open the backup with Veeam Explorer for Exchange without needing any password.
Regarding GDPR I am a processor, if I even store personal data for a customer. But if the data are encrypted, they are temporarely no personal data until decryption. So if I had only encrypted data on my repositories, I am not a processor and not affected by GDPR.

A Customer asked me to evaluate this regarding GDPR compliance, and I am afraid, this procedure is not compliant because anyone how get the files can access the data.
Ok, I can encyrpt the Storage where the office 365 files reside on. It is also not possible to copy the adb files because the office 365 Service keeps it locked. But every support engineer who as access to the infrastructure has also access to the tenants data.

In my opinion, to be able to operate Veeam Backup for Microsoft Office 365 and to avoid to be a processor, the data must be encrypted.
This is my private Technical Point of view, I am not a laywer!

Gerhard

[Mike Resseler]

Hi Gerhard,

First: welcome to the forums!

To make sure we are on the same page. You are storing data, so you are a processor. No matter if it is encrypted or not. Being a processor under GDPR is defined very broad, and simply storing data makes you already a processor.

That being said: it is not because you have access to the files that you are not compliant. However, as a processor, you do need to be able to audit that access. Inside the solution, we are building logging (for the next version) that will allow you to audit who has opened Veeam explorer for exchange, what he or she has done (including previewing data) and what he/ she has restored. That is step 1.

I am very much aware that this is not enough, on the file level (through windows auditing) you will most probably need to do the same thing (or if you have another 3rd party solution for that). In the end, every "workload" can be temporary stopped and files can be copied. This goes for this solution but also for VMs, for files if you are hosting file services or even websites. Which means that every IT administrator in your environment can be doing unauthorized things.

A next step (as I said already above) is to take it one step further and get encryption at rest with a key (or keys) that are only known by tenants. But even in that case, you will have to do more as I explained above.

To conclude, trying to make sure that you as a processor don't have access to data is practically impossible, and it is also not forbidden. But being able to audit what is going on is possible and is necessary for audits and research in case something happens

Makes sense?

Cheers
Mike

[jbcap]

For protecting the store - would standard windows file permissions work here? i.e. If we were to restrict folder permissions to a defined authorised user, and set the Veeam service to work under this context.

[Mike Resseler]

Jim,
First: Welcome to our forums!

I have not tested and worked with standard windows file permissions but I assume it will work. It is indeed the Veeam service that accesses the data but please note the required permissions in the user guide (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=20). It states that this service needs to run under the local system account

[TitaniumCoder477]

Mike,

While I am proficient as a Service Provider for Veeam B&R, I am very new to this particular product. At this point, I am still doing a comparative analysis of CloudBerry, Veeam, and Datto's 365 backup products. Am I correct in understanding that Veeam's 365 backup product does not encrypt data at rest? If not, surely the data is encrypted in transit at least? I cannot seem to find anything about encryption (yay or nay) in Veeam Backup for Microsoft Office 365 2.0 User Guide.

Thanks!

[Mike Resseler]

Encryption in transit is indeed happening.

[fantis]

Hi,
any news about encryption at rest.
Is still not available for office365 backups

Thanks

[Polina]

Hi Fantis and welcome to Veeam Forums!

There're no changes in terms of encryption in 3.0, but we're looking into some options for the future releases.

[niffur00]

Veeam really needs to make per-organization encryption at rest a priority.

[Polina]

Chris,

Your request is noted, thanks!

[c.schulzejn]

Pls note mine too =)

[stephen.loera]

I would like to +1 this feature also.

Thank you for the development work!

[lasseoe]

+1 for this.

As a service provider this is an absolute MUST HAVE, without encryption at-rest it's a security and GDPR nightmare within the EU, basically a no-go.

[Polina]

Lasse,

I'll echo Niel's response in another thread: v4 will deliver encryption for object storage repositories and everyone who's interested in this feature can join the beta-testing and share their feedback.

[dimaslan]

What do you mean encryption for data at rest though? The same as with encrypted backups, so Veeam Backup for O365 would need a key to open the VBO database?
So, if someone would copy the Jet Blue database to another machine and install VBO would not be able to read it?

[Mike Resseler]

Hi dimaslan,

Correct. Even if you copy the Jet Blue config database, to another machine, your "vault" with keys is not readable anymore.

[HolgerE]

There is VBO 5.0 out there.
Is it still correct that VBO encrypts only data at "Object Storage Repositories", not at regular onPremise "Backup Repositories"?
I even see this information in the user guide concerning encryption in VBO 5.0: "Backups in backup repositories must not be encrypted by 3rd party encryption software as it leads to unpredictable system behavior and inevitable data loss."
Any hints or workarounds to enable encryption onPremise also?