- Posts: 2
- Liked: never
- Joined: Apr 16, 2009 11:00 am
I had a quick question about planned support for backup-level encryption options. PCI compliance is a key driver for end-to-end encryption to be used throughout data transport for sensitive data. Will Veeam be able to support encryption of its VMware backups? I know we can encrypt disks and eventually any tape backups done of the Veeam files, but an unencrypted backup file will be seen as a security risk in any good audit.
I know this is important for us, and I am sure all other areas of the IT industry are taking this more seriously these days.
Thanks in advance,
- Posts: 1
- Liked: never
- Joined: Dec 09, 2009 7:16 pm
- Full Name: Gene Tang
I'm curious how other users currently encrypt their offsite backups.
Gostev wrote: Deox, yes this feature is planned for near term with high priority.
Currently we're using removable hard disks connecting to the Veeam 4.0 server via eSATA. When we perform a backup, we first back up to a staging area on the physical server, then at a specified time, use robocopy (via a batch script) to mirror the staging area and the offsite disk. This has appeared to work relatively well for us, albeit with a few caveats. For example, I have to mount the removable disk manually since we (as is required) have disabled automount on the Veeam server since it connects directly to the SAN. This in turn requires me to disconnect the iSCSI target from the server each time we want to mount the removable disk, to be absolutely sure that we don't accidentally initialize our SAN LUNs while we work on manually mounting the removable disk. Once the removable disk has been mounted we reconnect the SAN.
Now I'm thinking of backup encryption, but I'm wondering what other users are doing. I've done some research, and the best I've come up with is using TrueCrypt to encrypt the filesystem of the removable disk. What this means is I have to first manually mount the volume as I'm currently doing, then mount the encrypted TrueCrypt volume as an additional step. Only then can I reconnect the SAN to the Veeam server. The robocopy should still continue to work since it only copies to a drive letter. I'm unsure if this is the best method and I'm curious what other people do.
Thanks in advance.
- Posts: 14
- Liked: never
- Joined: Dec 06, 2018 4:04 pm
- Full Name: Nncy Smith
According to the documentation, the password for backup file encryption is used to protect the actual encryption key, which is generated randomly each time the job is run and stored in the backup file. Since Veeam recommends updating the password periodically, how can the user restore the files in case the password and encryption key were changed?
After the password is updated, do you also change the encryption key (for existing backup jobs)?
- SVP, Product Management
- Posts: 29540
- Liked: 5613 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Actually, as per the documentation that you already quoted, the data encryption key is changed every time the job runs anyway, so there's no point in changing it. The password is used to encrypt that randomly generated data encryption key, and this encrypted blob is stored in the backup file.
Thus, you need to know the password to extract that random encryption key, which will then in turn be used to decrypt data stored in the backup file.
- Veeam Software
- Posts: 20581
- Liked: 1984 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson