crazzyeddie
Enthusiast
Posts: 29
Liked: 4 times
Joined: Nov 11, 2014 9:01 pm
Full Name: Will
Contact:

Encryption Options

Post by crazzyeddie »

I had some questions about implementing encryption into my backup jobs. I'd like to encrypt my backup jobs locally and at my DR. After reading the v8 manual, it appears as though this will be more difficult than I thought. Let me first describe my setup:
- Veeam Enterprise (not Plus)
- Local backup server with 40TB DAS
- DR Site with SAN, connected via a 200mbps dedicated connection with WAN accelerator already installed.

Encrypting the data for the local disks is no problem, so let's just assume I've already set that up.

If using a backup job without encryption specified, Veeam will unencrypt the data before sending it to my DR site. My WAN accelerator will still be able to dedupe the data, and the IPsec tunnel will ensure safe passage. However, on the other end, the data will remain unencrypted at rest.

If using a backup job with encryption specified, Veeam will unencrypt the data before sending it to my DR site. It will then re-encrypt the data before flight. My WAN accelerator will not be able to dedupe the data, and the IPsec tunnel would be redundant. On the other end, the data will be encrypted at rest.

What I'd like is a setup similar to how Veeam handles transmitting data via the built-in WAN accelerator:

3. Data blocks are passed to the target backup repository in the unencrypted format.
4. Received data blocks are encrypted on the target site and stored to a resulting backup file on the target backup repository.

Is there any way for me to achieve this setup? Basically, I just want Veeam to encrypt my data at the target repository instead of at the source. There must be many others with WAN accelerators already in place that would also like to use the new encryption functionality in v8.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Encryption Options

Post by Gostev »

Hi, Will. Let me confirm one thing, and I will get back to you.

Re: Encryption Options

Post by crazzyeddie »

For clarification, when I say "backup job" with/without encryption, I meant Backup Copy job. Sorry for that oversight, and thanks for looking into it.

Re: Encryption Options

Post by Gostev »

Hi, Will. I've confirmed that unfortunately, it is impossible to achieve this setup. This is caused by the fact that Backup Copy jobs without WAN acceleration encrypt backup data at source, before it is transferred over the network to the target repository.

So, my recommendation would be to use built-in WAN acceleration instead (and configure bypass for this traffic in your existing WAN accelerator). Not only will you achieve better results in terms of data reduction ratio, but you will also free up cache of your existing WAN accelerator from B&R data, thus improving acceleration of other workloads. Win-win situation!

Thanks.
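
An added illustration (not part of the thread, and not Veeam's code) of the trade-off discussed above: a block-level deduplicating WAN accelerator saves bandwidth on plaintext backup runs but sees every block as new once the data is encrypted at the source. The 4 KiB block size, the SHA-256 counter-mode stand-in cipher, and the backup data are all assumptions constructed for the example.

```python
import hashlib

BLOCK = 4096  # assumed fixed dedup block size of the WAN accelerator

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), stdlib only.
    Illustrative; a real product would use AES. Not for production use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def blocks_sent(stream: bytes, cache: set) -> int:
    """Dedup as the accelerator sees it: only unseen blocks cross the WAN."""
    sent = 0
    for off in range(0, len(stream), BLOCK):
        digest = hashlib.sha256(stream[off:off + BLOCK]).digest()
        if digest not in cache:
            cache.add(digest)
            sent += 1
    return sent

def make_backup(changed: int) -> bytes:
    """Constructed data: 64 distinct blocks; the first `changed` differ from run 1."""
    blocks = []
    for i in range(64):
        seed = (i + 1000 if i < changed else i).to_bytes(4, "big")
        blocks.append(hashlib.sha256(seed).digest() * (BLOCK // 32))
    return b"".join(blocks)

def simulate(encrypt_at_source: bool) -> list:
    """Blocks sent over the WAN for two consecutive runs of the same job."""
    key, cache, sent = b"k" * 32, set(), []
    for run, changed in enumerate([0, 4]):
        data = make_backup(changed)
        if encrypt_at_source:
            # fresh nonce per run, as any sound encryption scheme requires
            data = toy_encrypt(key, run.to_bytes(8, "big"), data)
        sent.append(blocks_sent(data, cache))
    return sent

if __name__ == "__main__":
    print("plaintext on the wire  :", simulate(False))  # [64, 4]
    print("encrypted at the source:", simulate(True))   # [64, 64]
```
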

Re: Encryption Options

Post by crazzyeddie »

Thanks for looking into this, Anton.

I guess this is turning into a feature request, then. It would be really nice if we had the choice of whether to re-encrypt data at the source or target repository. Since this logic basically already exists for the built-in WAN accelerator, I would hope it would be a reasonable request.

Although your solution of using the built-in WAN accelerator with a bypass for our existing system would definitely work, our WAN accelerator is already in place; therefore, the business case doesn't exist for us to pay the extra $700 per socket for functionality that we already own. Veeam has been very good at being flexible with configurations in the past, so I hope this doesn't turn into a "forced upgrade" sort of situation.

Thanks again.