Comprehensive data protection for all workloads
natrimac
Influencer
Posts: 16
Liked: 1 time
Joined: May 13, 2013 2:37 pm
Full Name: Will Pulsifer
Contact:

Re: Encrypted Offsite Backup Files

Post by natrimac »

ended up turning on Bitlocker on the data drives of the veeam targets. Not great, but better than nothing.

averylarry
Expert
Posts: 264
Liked: 30 times
Joined: Mar 22, 2011 7:43 pm
Full Name: Ted
Contact:

Re: Encrypted Offsite Backup Files

Post by averylarry »

We use an inline SATA encryption card with a removable hard drive caddy/tray system. Addonics CypherChain. It's nice because there's no mounting of encrypted volumes etc. and you buy 1 thing that works for many hard drives. We bought 2 with the same keys -- one for the main site and one for the offsite location. You do have to do a full power off to change the hard drives, though. There are also encrypted external enclosures but they tend to cost more (you realistically need to buy one for each hard drive). Also -- self encrypting hard drives . . ?

It's getting easier to do the encryption yourself at the hardware level instead of software . . .

dellock6
Veeam Software
Posts: 5951
Liked: 1773 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Encrypted Offsite Backup Files

Post by dellock6 »

SED disks are a really interesting solution if you own the offsite hardware too, disks are "signed" with the actual hardware and is not possible to connect them in other systems. Also, cypher at the hardware level means no cpu overhead on the storage using them.
Obviously, a software solution is needed if you are using an external service and you do not own the hardware. There are some new solutions coming out, but are mainly targeted at service providers, so at least it's up to them to use them and offer them to customers.

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2020
Veeam VMCE #1

jgutz20
Lurker
Posts: 1
Liked: never
Joined: Dec 10, 2013 9:18 pm
Full Name: Justin Gutzman
Contact:

[MERGED] Backups + Encryption

Post by jgutz20 »

Hey,

Simple question but i cant seem to find an answer on the veeam site

I have dedicated IBM ISCSI enclosures all with Self Encrypted Drives, These drives are very limited in size and expensive but necessary because of PHI being stored there. I rolled out veeam about 45 days ago and just to get backup points started i used this IBM Storage and i need to get other solutions for storing backups going forward. My question is this: Are the backup files themselves encrypted or can i encrypt these backups to store on unencrypted drives securely? For example, another NAS device utilizing larger unencrypted Drives

Thank You

foggy
Veeam Software
Posts: 19676
Liked: 1810 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Encrypted Offsite Backup Files

Post by foggy »

Justin, currently there's no built-in backup encryption mechanism within Veeam B&R backup jobs, however, we are planning to add it in the future releases. Please review the thread above for details.

bib_ak
Enthusiast
Posts: 33
Liked: 1 time
Joined: Jan 31, 2010 12:57 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by bib_ak »

+1 for adding encryption! :)

m.novelli
Veeam ProPartner
Posts: 366
Liked: 43 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: Encrypted Offsite Backup Files

Post by m.novelli »

+1 for native encryption!

Marco

Gostev
SVP, Product Management
Posts: 27160
Liked: 4454 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encrypted Offsite Backup Files

Post by Gostev » 5 people like this post

Hi all, by now we have received enough requests to justify adding native encryption (as you can see, this thread alone got pretty long), so you can expect this feature added to the product sooner rather than later. Thank you all for your feedback!

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

That is great news! :mrgreen:

And thanks for the heads up Anton.
We were actually looking for an affordable SED solution, but now we can continue with TrueCrypt until Veeam implement encryption.

JRH
Novice
Posts: 5
Liked: never
Joined: Jan 03, 2014 9:05 pm
Full Name: James
Contact:

Re: Encrypted Offsite Backup Files

Post by JRH »

Hi,

Will any upcoming encryption also allow for tapes to be encrypted?

Thanks,
James

y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by y1008946 »

Hi, we have been looking into ways we can encrypt our offsite backups, which are stored on the drive of a ESXI 5.5 host.

From my basic understanding, using Veeam the only way at the moment is to encrypt a drive, and then store the backups on that drive?

I have read in the forums is that TrueCrypt seems to be the most popular choice. If we encrypt a drive using TrueCrypt, will we have any problems restoring data from the Veeam backups? Or issues with storage space?

I've seen that quite a few people use Bitlocker but it doesnt seem to be recommended by vmware.

Another option I think we could use is Symantecs File Share Encryption. (we already use the symantec server for email excryption). Has anybody used this?

To do the above is going to take time and money. Should we do the above, or are encrypted Veeam backup jobs something which are just around the corner? (I understand to tape is, but I am meaning backup copy jobs)

I noticed that it was a couple of years ago it was mentioned about being on the roadmap. Is this something that you will be actively developing over the coming months, or something we may have to wait a long time for?

I think it would be a great feature which would benefit many companies.

Thanks v much

Gostev
SVP, Product Management
Posts: 27160
Liked: 4454 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encrypted Offsite Backup Files

Post by Gostev »

JRH wrote:Will any upcoming encryption also allow for tapes to be encrypted?
We never comment on the specifics until close to the actual release (when we know for sure what is going to make it into the corresponding release, and what does not). Otherwise we may end up promising something that we will not deliver.

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

danieldunn10 wrote: I have read in the forums is that TrueCrypt seems to be the most popular choice. If we encrypt a drive using TrueCrypt, will we have any problems restoring data from the Veeam backups? Or issues with storage space?
We use TrueCrypt on offsite disks only, not on the repository (local). From our testing, TrueCrypt has never been an issue when doing restore. We have tested that all of our offsite backup archives are readable by Veeam.(close to 400)
danieldunn10 wrote: To do the above is going to take time and money. Should we do the above, or are encrypted Veeam backup jobs something which are just around the corner? (I understand to tape is, but I am meaning backup copy jobs)
As Anton points out, Veeam never stated on witch media they would add encryption to. Since this discussion has been around for a long time, before they added support for tape, I always assumed they were talking about adding it directly in the backup job. I see that Anton don’t want to reveal anything around this, so I guess we just have to wait and see when they release some official info.

y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by y1008946 »

Thanks for your reply.

Did you use system encryption or did you use the encrypted partition option?

Are there any settings I should change in the backup copy jobs?

Thanks

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

I don’t see the need to change any settings in the backup job. However, we don’t use a “Veeam Copy job” to copy the backups to external media. Depending on your compression settings in your backup job, you might want change that, if you want to save time and space in the copy job/external media.

Here is what we do;
We have a dedicated physical machine witch has TrueCrypt installed.
We then connect disks to an USB docking, Encrypt the Partition (currently with "Just" AES with RIPEMD-160 hash, and a good long password, we don’t use keyfiles)
Then robocopy full Veeam backups from original repository to the encrypted partition.

Off cause when it comes to the security/encryption options, requirements will vary from company to company, and the nature of the content.
TrueCrypt supports many Encryption Algorithms, and also combined.
So if you want it super secure… select "AES-Twofish-Serpent" and Whirlpool for hash. And throw in some keyfiles as well.. This would probably be overkill, even for NSA.

Regardless of encryption and hash selected, a long and complex password is the most important part. And off cause it should be kept away from the encrypted disks :!:

y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by y1008946 »

Thanks for your detailed reply its very helpful.

We use the backup copy jobs as it helps reduce the amount of data we need to send over the WAN. As I understand it, it shouldn't be a problem for us to use the backup copy jobs to send the backups to an encrypted partition should it?

Out of interest why do you use robocopy instead of the backup copy jobs? Is it because it is quicker for you with your setup?

Offsite we have an esxi host, with a VM which we use for the repository. Is it a case of just encrypting the volume that those backups are stored on?

Thank you

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

Glad I could help.
We have 2 different sets of repositories for Veeam backups.

1 set where we do full and incremental. (With some active fulls)
Another set where we only have full backups, once a week.

So this way we have two different local storages for full backups. Paranoid, maybe :roll:

Since we manually mount the disks to the USB docking it made sense to just copy off the latest full backup from the second storage.
This was put in place before “veeam backup copy job” existed, so, the short answer for your question, no good reason for not using it…
But current solution works fine, and since the backup is to local USB device no WAN Acceleration is needed. Copy job to remote site is on our wanted list, but currently too expensive.

y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by y1008946 »

Hi, if we encrypt the drive which the backups are stored on. Will Instant VM and surebackup still run without any problems?

Thanks

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding »

Yes they should. However, depending on your encryption solution, performance might be affected.

We don’t encrypt the drive we directly back up to. But we encrypt the disks we take offsite.
When they are mounted (with truecrypt), and backups are imported/"linked" to Veeam we can do instant VM restore from them.
If your repository already is encrypted, all the above should be in place.
Have not tried surebackup on them. But an encrypted disk is presented as a normal disk to everything that tries to access it. (as long as it mounted/not locked offcause). In other words Veeam don’t know that it is encrypted.

Fiskepudding
Expert
Posts: 213
Liked: 26 times
Joined: Feb 01, 2012 7:24 am
Full Name: Espen Dykesteen
Contact:

Re: Encrypted Offsite Backup Files

Post by Fiskepudding » 2 people like this post

y1008946, I did a little test for you :)

Pointed a new repository to a TrueCrypt location, and did a new backup to it, tested both InstantRecovery and SureBackup, both worked fine.

y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by y1008946 »

Thanks for testing that out!

Homes32
Enthusiast
Posts: 31
Liked: 15 times
Joined: Oct 29, 2013 6:35 pm
Full Name: Jonathan Holmgren
Contact:

Re: Encrypted Offsite Backup Files

Post by Homes32 » 2 people like this post

Gostev wrote:Hi all, by now we have received enough requests to justify adding native encryption (as you can see, this thread alone got pretty long), so you can expect this feature added to the product sooner rather than later. Thank you all for your feedback!
Just wanted to say thank you for this update. I work for a financial institution and this has been an ongoing concern for us as we use an external RDX drive as a secondary storage backup (in addition to replication) for critical vm's. Auditors and examiners never come and go without asking us if our RDX backups taken off site are encrypted. Thanks for staying focused on what your customers need.

cgt
Novice
Posts: 4
Liked: never
Joined: Jan 27, 2014 11:21 am
Full Name: Carlos González
Contact:

[MERGED] : how to encrypt a Backup Job

Post by cgt »

Hi everybody,

Sorry for this question, maybe it is an easy proccess but I don't find (and I'm not sure at all if it is possible..) how to configure Veeam 7 to encrypt a backup job in a external HDD when it finished.

Can somebody help me please?

Thanks a lot in advance.

veremin
Product Manager
Posts: 18002
Liked: 1714 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Encrypted Offsite Backup Files

Post by veremin »

Hi, Carlos,

Your post has been merged into existing discussion regarding similar matter. Kindly, see the answers provided above for more information about the way our customers encrypt their backup files.

Thanks.

CTS-Tech
Influencer
Posts: 20
Liked: never
Joined: Nov 09, 2011 7:18 pm
Contact:

[MERGED] Encryption Solution

Post by CTS-Tech »

I understand that Veeam is not currently capable of encrypting backups. Are there plans to add this feature? We need this for HIPAA compliance.

Also, what are others doing to implement encryption with Veeam backups (assuming no hardware encryption)?

Thanks

Vitaliy S.
Product Manager
Posts: 24446
Liked: 1930 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Encrypted Offsite Backup Files

Post by Vitaliy S. »

Please see Anton's reply to both your questions:
Gostev wrote:Currently, we only provide backup encryption in the Cloud Edition of our product (essentially, you can apply encryption to backups that are copied by Veeam Cloud Backup on-site or to the cloud). We are also working on integrating encryption right into the backup jobs.

mmartin19
Novice
Posts: 3
Liked: never
Joined: Mar 04, 2014 6:54 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by mmartin19 »

+1 for encryption built into backup jobs, the financial industry makes this a requirement and I was disappointed to find out after going with Veeam that this wasn't a feature.

veremin
Product Manager
Posts: 18002
Liked: 1714 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Encrypted Offsite Backup Files

Post by veremin »

As mentioned above, we're currently working on implementing this feature. According to the plan, this feature will be included in one of the next product releases. Thanks.

mmartin19
Novice
Posts: 3
Liked: never
Joined: Mar 04, 2014 6:54 pm
Contact:

Re: Encrypted Offsite Backup Files

Post by mmartin19 »

Is there any kind of time frame yet for this feature to be added into a release? I'm just trying to figure out a workaround right now until this feature becomes available.

Gostev
SVP, Product Management
Posts: 27160
Liked: 4454 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encrypted Offsite Backup Files

Post by Gostev »

It's not going to be released in the next couple of months, if this is what you are asking. So if you have to have the encryption now, you need to implement some workaround. Thanks!

Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], moralev21 and 45 guests