Comprehensive data protection for all workloads
Post Reply
Deox
Lurker
Posts: 2
Liked: never
Joined: Apr 16, 2009 11:00 am
Contact:

Backup Encryption and PCI compliance

Post by Deox »

Hi All (Gostev)

I had a quick question about planned support for backup level encryption options. PCI compliance is a key driver for end to end encryption to be used throughout data transport for sensitive data. Will Veeam be able to support encryption of its VMWare backups? I know we can encrypt disks and eventually any tape backups done of the Veeam files, but an unencrypted backup file will be seen as a security risk in any good audit.

I know this is important for us, and I am sure all other areas of the IT industry are taking this more seriously these days.

Thanks in advance,

Deox.

Gostev
SVP, Product Management
Posts: 26678
Liked: 4268 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Backup Encryption and PCI compliance

Post by Gostev »

Deox, yes this feature is planned for near term with high priority.

GeneNZ
Lurker
Posts: 1
Liked: never
Joined: Dec 09, 2009 7:16 pm
Full Name: Gene Tang
Contact:

Re: Backup Encryption and PCI compliance

Post by GeneNZ »

Gostev wrote:Deox, yes this feature is planned for near term with high priority.
I'm curious how other users currently encrypt their offsite backups.

Currently we're using removable hard disks connecting to the Veeam 4.0 server via eSATA. When we perform a backup, we firstly backup to a staging area on the physical server, then at a specified time, use robocopy (via a batch script) to mirror the staging area and the offsite disk. This has appeared to work relatively well for us, albeit with a few caveats. For example, I have to mount the removable disk manually since we (as is required) have disabled automount on the Veeam server since it connects directly to the SAN. This in turn requires me to disconnect the iSCSI target from the server each time we want to mount the removable disk, to be absolutely sure that we don't accidentally initialize our SAN LUN's while we work on manually mounting the removable disk. Once the removable disk has been mounted we reconnect the SAN.

Now that I'm thinking of backup encryption, but I'm wondering what other users are doing. I've done some research, and the best I've come up is using TrueCrypt to encrypt the filesystem of the removable disk. What this means is I have to firstly manually mount the volume as I'm currently doing, then mount the encrypted TrueCrypt volume as an additional step. Only then can I reconnect the SAN to the Veeam server. The robocopy should still continue to work since it only copies to a drive letter. I'm unsure if this is the best method and I'm curious what other people do.

Thanks in advance.

Nancy
Influencer
Posts: 14
Liked: never
Joined: Dec 06, 2018 4:04 pm
Full Name: Nncy Smith
Contact:

Re: Backup Encryption and PCI compliance

Post by Nancy »

Hi,
According to the documentation, the password for Backup file encryption are used to protect actual encryption key, which is generated randomly each time the job is run and stored in the backup file. Since Veeam recommended to update the password periodically, how the user can restore the files in case the password and encryption key were changed?
After password was updated, Do you change also encryption key (for existing backup jobs)?
Thank you,

Gostev
SVP, Product Management
Posts: 26678
Liked: 4268 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Backup Encryption and PCI compliance

Post by Gostev »

Hello!

Actually, as per documentation that you already quoted, data encryption key is changed every time the job runs anyway, so there's no point in changing it. Password is used to encrypt that randomly generated data encryption key, and this encrypted blob is stored in the backup file.

Thus, you need to know the password to extract that random encryption key, which will then in turn be used to decrypt data stored in the backup file.

Thanks!

foggy
Veeam Software
Posts: 19433
Liked: 1763 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Backup Encryption and PCI compliance

Post by foggy »

And if you change the password, depending on how data was imported in Veeam B&R, you would either need the latest or the entire set of passwords used for the particular backup chain. You may even do not need to specify a password at all, provided all the encryption keys are available in Veeam B&R configuration.

Nancy
Influencer
Posts: 14
Liked: never
Joined: Dec 06, 2018 4:04 pm
Full Name: Nncy Smith
Contact:

Re: Backup Encryption and PCI compliance

Post by Nancy »

Thank you

Post Reply

Who is online

Users browsing this forum: Baidu [Spider], Google [Bot] and 29 guests