-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 16, 2009 11:00 am
Backup Encryption and PCI compliance
Hi All (Gostev)
I had a quick question about planned support for backup-level encryption options. PCI compliance is a key driver for end-to-end encryption to be used throughout data transport for sensitive data. Will Veeam be able to support encryption of its VMware backups? I know we can encrypt disks and eventually any tape backups done of the Veeam files, but an unencrypted backup file will be seen as a security risk in any good audit.
I know this is important for us, and I am sure all other areas of the IT industry are taking this more seriously these days.
Thanks in advance,
Deox.
-
- Chief Product Officer
- Posts: 31789
- Liked: 7291 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Backup Encryption and PCI compliance
Deox, yes this feature is planned for near term with high priority.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Dec 09, 2009 7:16 pm
- Full Name: Gene Tang
Re: Backup Encryption and PCI compliance
Gostev wrote: Deox, yes this feature is planned for near term with high priority.
I'm curious how other users currently encrypt their offsite backups.
Currently we're using removable hard disks connecting to the Veeam 4.0 server via eSATA. When we perform a backup, we first back up to a staging area on the physical server, then at a specified time, use robocopy (via a batch script) to mirror the staging area and the offsite disk. This has appeared to work relatively well for us, albeit with a few caveats. For example, I have to mount the removable disk manually since we (as is required) have disabled automount on the Veeam server since it connects directly to the SAN. This in turn requires me to disconnect the iSCSI target from the server each time we want to mount the removable disk, to be absolutely sure that we don't accidentally initialize our SAN LUNs while we work on manually mounting the removable disk. Once the removable disk has been mounted we reconnect the SAN.
Now I'm thinking of backup encryption, but I'm wondering what other users are doing. I've done some research, and the best I've come up with is using TrueCrypt to encrypt the filesystem of the removable disk. What this means is I have to first manually mount the volume as I'm currently doing, then mount the encrypted TrueCrypt volume as an additional step. Only then can I reconnect the SAN to the Veeam server. The robocopy should still continue to work since it only copies to a drive letter. I'm unsure if this is the best method and I'm curious what other people do.
Thanks in advance.
-
- Influencer
- Posts: 14
- Liked: never
- Joined: Dec 06, 2018 4:04 pm
- Full Name: Nncy Smith
Re: Backup Encryption and PCI compliance
Hi,
According to the documentation, the password for backup file encryption is used to protect the actual encryption key, which is generated randomly each time the job is run and stored in the backup file. Since Veeam recommends updating the password periodically, how can the user restore the files in case the password and encryption key were changed?
After the password is updated, do you also change the encryption key (for existing backup jobs)?
Thank you,
-
- Chief Product Officer
- Posts: 31789
- Liked: 7291 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Backup Encryption and PCI compliance
Hello!
Actually, as per the documentation that you already quoted, the data encryption key is changed every time the job runs anyway, so there's no point in changing it. The password is used to encrypt that randomly generated data encryption key, and this encrypted blob is stored in the backup file.
Thus, you need to know the password to extract that random encryption key, which will then in turn be used to decrypt data stored in the backup file.
Thanks!
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Backup Encryption and PCI compliance
And if you change the password, depending on how data was imported in Veeam B&R, you would either need the latest or the entire set of passwords used for the particular backup chain. You may not even need to specify a password at all, provided all the encryption keys are available in the Veeam B&R configuration.
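A simplified model of the scheme described in the two replies above, added here as an illustration and not taken from Veeam's code or file format: each run gets a fresh random data key, which is wrapped under a password-derived key and stored with the data, so a chain written across a password change needs every password used. The function names, the dict layout, the PBKDF2 parameters and the HMAC-based stand-in for a real AEAD cipher are all assumptions, and the case where the keys are already held in the product's configuration is not modelled.

```python
import hashlib, hmac, os

def kek_from_password(password, salt):
    # Key-encryption key (KEK) derived from the job password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Stand-in for an AEAD such as AES-GCM (stdlib only): HMAC-SHA256
    # counter-mode keystream, then encrypt-then-MAC.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def run_job(password, data):
    dek = os.urandom(32)   # new random data encryption key on every run
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped_dek": seal(kek_from_password(password, salt), dek),  # kept in the file
            "data": seal(dek, data)}

def restore(point, passwords):
    for pw in passwords:
        try:
            dek = unseal(kek_from_password(pw, point["salt"]), point["wrapped_dek"])
        except ValueError:
            continue       # this password did not wrap this restore point's key
        return unseal(dek, point["data"])
    raise PermissionError("none of the supplied passwords unwraps the data key")

def restore_chain(chain, passwords):
    return [restore(p, passwords) for p in chain]

# Constructed chain: the password is changed before the third run.
CHAIN = [run_job("old-passphrase", b"full"), run_job("old-passphrase", b"incr-1"),
         run_job("new-passphrase", b"incr-2")]

if __name__ == "__main__":
    print(restore_chain(CHAIN, ["new-passphrase", "old-passphrase"]))
```
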
-
- Influencer
- Posts: 14
- Liked: never
- Joined: Dec 06, 2018 4:04 pm
- Full Name: Nncy Smith
Re: Backup Encryption and PCI compliance
Thank you