Comprehensive data protection for all workloads
murdocmk
Enthusiast
Posts: 25
Liked: 4 times
Joined: Dec 14, 2009 5:10 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by murdocmk »

"Storing the backup files on an encrypted volume is not enough. If the server OS is compromised then the encrypted volume is also - giving them direct access to the vbk's which can be imported without any form of password protection."

I agree with this, in terms of encrypting the volume not being "enough" .. but what can any backup software do to really be "enough"? Even if the backup data was encrypted the backup software still needs to be able to access that data. So wouldn't compromising the backup server also gain someone access to that data, even if the backup files themselves were encrypted? So in that regard I'm not sure encrypted backups are much different than an encrypted volume. Certainly in other ways there are differences ... encrypted backup files are safer to move around, for example.

It's just that at-rest encryption is not really a protection against active (live server) attacks, which is the scenario you describe. Other security controls should be in place to reduce those risks. I think that an encrypted volume answers the "at-rest" encryption problem in a relatively equivalent way to encrypted backup files. Either situation really just protects you from someone walking away with your disk drives. Neither situation really protects you from someone compromising live servers. What am I overlooking?
alex76576575
Lurker
Posts: 1
Liked: 1 time
Joined: Oct 11, 2012 10:21 am
Full Name: Alex
Contact:

Re: Encrypted Offsite Backup Files

Post by alex76576575 » 1 person likes this post

Lets suppose we replicate vbk files to various destinations - 3rd party cloud storage, intra-company remote storage, a USB hdd attached directly to a NAS device.

1) When backing up to a 3rd party cloud storage we cannot guarantee that some employee within that 3rd party company would not access our unencrypted vbk file.

2) An intra-company remote storage is controlled by us and is fully trusted, so we do not need to encrypt a vbk file

3) When backing up to a USB hdd we can easily encrypt the USB storage by means of a NAS device.
However in an event of a disaster (ie Fire) the NAS device may physically break and we will be stuck with an unreadable USB hdd, until a new NAS device, of similar maker, is ordered and arrived. Hence we have no choice, but to get rid of the weakest link and to copy unecrypted vbk onto the USB, so it can be read by any PC. Also increasing the risk of information leak if hdd is lost or stolen.

Also, as was already mentioned some compliance standards require that backup file is encrypted.

In total, vbk encryption is a much needed feature and it would remove a lot of administrative overhead, as well as allow Veeam to become a product of choice for companies that have to follow certain compiance requirements.
cparker4486
Expert
Posts: 231
Liked: 18 times
Joined: Dec 07, 2009 5:09 pm
Full Name: Chris
Contact:

Re: Encrypted Offsite Backup Files

Post by cparker4486 »

alex76576575 wrote:In total, vbk encryption is a much needed feature and it would remove a lot of administrative overhead, as well as allow Veeam to become a product of choice for companies that have to follow certain compiance requirements.
+1
-- Chris
cinek
Novice
Posts: 9
Liked: never
Joined: Sep 14, 2012 10:14 am
Full Name: Martin C
Contact:

[MERGED] encrypt hyper-v backups?

Post by cinek »

is it possible to encrypt backups with veeam backup & replication? If not, are there any other options?
bbowers
Novice
Posts: 8
Liked: never
Joined: Mar 24, 2010 9:31 pm
Full Name: Bump
Contact:

[MERGED] Encrypting Backups

Post by bbowers »

In the recent forum blast they mentioned some cases in which TrueCrypt was causing backup file corruption. Every backup product I've ever used has had this functionality built-in. It would be nice to have the ability to encrypt the backups with a key/passphrase. Is this something in the works at some point?

It seems that many people are also forced to put together scripts and stuff to rotate to external drives. Veeam is a great backup product, but why can't I easily duplicate to external drives or tapes and encrypt yet?
pendragoncrw
Enthusiast
Posts: 38
Liked: 3 times
Joined: Jun 14, 2010 3:06 am
Full Name: C White
Contact:

Re: Encrypted Offsite Backup Files

Post by pendragoncrw »

+1 for the feature request. It is the only thing forcing us to use third-party tools for part of our backup life-cycle.

Chris
stljack
Influencer
Posts: 14
Liked: 1 time
Joined: Nov 06, 2012 4:11 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by stljack »

+1 for this feature request! Encrypted backups can be a requirement, and definately should be on the Veeam roadmap.
cparker4486
Expert
Posts: 231
Liked: 18 times
Joined: Dec 07, 2009 5:09 pm
Full Name: Chris
Contact:

[MERGED] How are you encrypting your backup files?

Post by cparker4486 »

Hello,

My plan is to use 7-Zip's command line utility (7za.exe) to encrypt my VBK files with -mx0 (no compression). After encrypting the files I will send them to long-term storage (tape and Amazon Glacier to be specific). I think 7-Zip is about as simple as it gets.

By the way, this is mostly just an exploratory thing for me: find out how others do it. But I'd also be interested in hearing if the performance of your current system played a part in choosing it.
-- Chris
dellock6
VeeaMVP
Posts: 6165
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Encrypted Offsite Backup Files

Post by dellock6 »

I'm starting some tests with CloudBerry Explorer, it supports both Amazon S3 and Glacier (and other cloud storage too), and it can directly encrypt files while sending them, so all could be automated in one single process. Stay tuned :)

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
itdirector
Enthusiast
Posts: 59
Liked: 3 times
Joined: Jan 19, 2012 8:53 pm
Full Name: friedman

Re: Encrypted Offsite Backup Files

Post by itdirector »

Luca, any update on your testing? I am looking an app like cloudberry to copy our VBR backups stored at our DR site to Amazon Glacier.
We have about 10TB of initial data, & I was planning on copying our monthly backups to Amazon, monthly.
andersonts
Veteran
Posts: 307
Liked: 31 times
Joined: Mar 21, 2012 9:56 pm
Full Name: Tim Anderson
Contact:

Re: Encrypted Offsite Backup Files

Post by andersonts »

At the risk of sounding like a salesperson :D You might want to check out the new Veeam Cloud Edition as it supports this as well. You can upgrade/convert existing Veeam licensing. You can contact your preferred Veeam partner or find more information here: http://www.veeam.com/videos/veeam-backu ... -1990.html

Of course you will want to use whatever technology works the best for your needs!
dellock6
VeeaMVP
Posts: 6165
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Encrypted Offsite Backup Files

Post by dellock6 »

No, any update on it, too much "real" work in these weeks to have spare time for testing and blogging. Also, cloudberry is the software used to create Veeam Cloud Edition (looking at the screenshots and also to the binaries you can tell it) so I think every test with both software would give same results. Anyway, the draft post is istill there, I'll complete it one day... :(

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
KiwiJJ
Expert
Posts: 105
Liked: 2 times
Joined: Feb 16, 2010 8:05 pm
Full Name: John Jones
Location: New Zealand

Re: Encrypted Offsite Backup Files

Post by KiwiJJ »

We backup to a removable USB drive that has a key inserted in the drive that provides hardware encrytption. Without this key the drive is unreadable. This is using the Addonics Saturn drive
Martijn
Novice
Posts: 5
Liked: never
Joined: Oct 26, 2010 1:03 pm
Full Name: Martijn Heemels
Contact:

Re: Encrypted Offsite Backup Files

Post by Martijn »

We write the .vbk file to tape weekly via Backup Exec. It encrypts the contents of the tape using the hardware encryption support on our tape drive.
sdelacruz
Enthusiast
Posts: 64
Liked: 4 times
Joined: Feb 01, 2011 8:09 pm
Full Name: Sam De La Cruz
Contact:

Re: Encrypted Offsite Backup Files

Post by sdelacruz »

@Martijn
Do you only backup the vbk file? Have you tried doing a restore of from tape to disk then back to veeam?
I am having problems opening that vbk file on veeam onces restored back to disk.
foggy
Veeam Software
Posts: 21133
Liked: 2140 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Encrypted Offsite Backup Files

Post by foggy »

Sam, what kind of problems do you have? Do you get any particular error while importing the VBK file into Veeam B&R console?
Starman
Enthusiast
Posts: 44
Liked: 10 times
Joined: Sep 27, 2011 5:11 pm
Full Name: Todd Leavitt
Contact:

[MERGED] Encryption?

Post by Starman »

We are dealing with more and more clients who are asking the question "are your backups encrypted". I can see a valid and simple to implement this in Veeam as simple as setting a backup job up with a password needed to restore. Any chance at this?
Vitaliy S.
VP, Product Management
Posts: 27353
Liked: 2785 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Encrypted Offsite Backup Files

Post by Vitaliy S. »

Hello Todd, for more info on the chances, please take a look at the existing discussion of this feature request.
rsavo
Novice
Posts: 4
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Encrypted Offsite Backup Files

Post by rsavo »

Dear All,

Is there any update on this with version 7 ?

My apologies if this is documented somewhere, I could not find a precise info about this

tx
foggy
Veeam Software
Posts: 21133
Liked: 2140 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Encrypted Offsite Backup Files

Post by foggy »

No changes regarding that in v7.
natrimac
Influencer
Posts: 16
Liked: 1 time
Joined: May 13, 2013 2:37 pm
Full Name: Will Pulsifer
Contact:

Re: Encrypted Offsite Backup Files

Post by natrimac » 1 person likes this post

Any news on this. Looks like you guys have been kicking the can down the road on this for 4 versions now. We are PCI regulated business and are asking this question all the time by our clients and auditors. They aren't requiring it now, but they will be soon. Cmon guys this shouldn't be that hard to add.
Gostev
Chief Product Officer
Posts: 31757
Liked: 7259 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encrypted Offsite Backup Files

Post by Gostev » 1 person likes this post

No news since the previous reply 3 weeks ago... we move fast, but not that fast ;)

Currently, we only provide backup encryption in the Cloud Edition of our product (essentially, you can apply encryption to backups that are copied by Veeam Cloud Backup on-site or to the cloud). We are also working on integrating encryption right into the backup jobs.
Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

Encryption directly in to the backup job would be very nice!

That’s the ONLY thing I miss from Acronis. You could set it directly on the job.

START :twisted:
Probably the only thing that actually worked properly with their product
END :twisted:
Gostev
Chief Product Officer
Posts: 31757
Liked: 7259 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encrypted Offsite Backup Files

Post by Gostev »

It's hard to implement most basic encryption (like one found in competitive solutions) incorrectly, and it can probably be done in 1-2 weeks by a single developer. However, this kind of encryption may do more bad, than good eventually (may be a good topic for my next TechEd/VMworld session btw). We did not want to deliver this kind of implementation, we took our time and waited until we have resources to do it "right".

Sure, it all comes down to the same "checkbox" in the marketing document, but we always go beyond checkboxes and are thinking about addressing all the actual use cases around the functionality we are adding.
larry
Veteran
Posts: 387
Liked: 97 times
Joined: Mar 24, 2010 5:47 pm
Full Name: Larry Walker
Contact:

Re: Encrypted Offsite Backup Files

Post by larry » 1 person likes this post

What I have done with removable disks, usb sticks and internal drives is to use true crypt to mount the encrypted drive. It does require the admin to enter passwords each time the server is rebooted. ( You can auto-mount but…) When the drive is removed it is encrypted and can’t be accessed. I work for a bank and am required to have removable backups encrypted by policy. You can encrypt the whole drive or create a folder and mount as a drive. Veeam just uses as a drive. Just tested with my Veeam 7 and all worked as before. Regardless of if the device has its own encryption I encrypt the Veeam data, this way only a Veeam admin can access and no other admin’s. I have not tried some of the new Veeam tools for removable but don’t see any reason they would not work 100 percent. The speed going to a true crypt drives seems as fast as a normal drive (using same hardware) . I ran some tests and see no different in the time jobs run. Local disks on a backup copy job runs about 150 MB/s. I could easily change all backups to be encrypted by creating the repository as a true crypt location.

Steps 1 Create true crypt volume ( I use mostly encrypted file container )
Step 2 Select and mount file container assigning it a drive letter
Step 3 Use drive letter in veeam as normal. I have test as making it a Backup Repository. Then when I select Encrypted-DR-SiteA as my repository I know it it going to an encrypted spot. If a non veeam admin was to take the disk they cannot read any data as it is all encrypted.

Hope this solves your issue.
Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

Larry, we also use TrueCrypt on the disks we take offsite.
We Encrypt the disk, copy off the latest full backup to this disk, and yes, it works.
Regardless, I would say it is more convenient to encrypt the archive, and not the entire disk.
And not relay on a third party tool to read the backup file in case you need it down the line.

Don’t get me wrong, TrueCrypt is a great product, to encrypt an entire disk/system or just "General purpose".
But for encrypting a few backup files, I don’t feel it is optimal. So we still hope for some encryption options directly in Veeam :)
larry
Veteran
Posts: 387
Liked: 97 times
Joined: Mar 24, 2010 5:47 pm
Full Name: Larry Walker
Contact:

Re: Encrypted Offsite Backup Files

Post by larry »

We mount the encrypted disk and let the daily backups go to it. So besides the monthly reboot which is when we need to remount the volumes it just works.

If Veeam does add encryption to the backups I need the encryption to be a standard that I can choose. With out using (AES256) or someother standard I would need to prove it is safe. This is why I still use backupexec to send to tape, I need an accepted encryption.
Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

If they do it "right", like Anton says, I am sure you can will find an acceptable standard in the options.. if not I too would be disappointed.
natrimac
Influencer
Posts: 16
Liked: 1 time
Joined: May 13, 2013 2:37 pm
Full Name: Will Pulsifer
Contact:

Re: Encrypted Offsite Backup Files

Post by natrimac »

So the lingering issue is for those of us who D2D2D backups and don't backup to removable storage what's the option other than tru crypt or some other FDE path?
Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

As of now, you dont have any other options then what you suggest yourself, TrueCrypt or some other FDE solution.
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], sivein and 66 guests