Encryption password change

[andymarson]

I am writing the processes for our operational team and would like some clarification on encryption passwords.

We are encrypting our backup copy job for offsite backup and want to understand the key management for the backup chain.

As an example if a new backup copy job running daily with 7 retention points and 4 weekly GFS archives. If the job was setup with encryption key "secretsquirrel000" and ran for 10 days hence there would be 1 full backup + 6 incrementals + 1 weekly GFS in the remote Repo. These 17 backup files would be encrypted with this password. If we then changed the encryption key on the backup copy job to "doubleq111" and left to run and the subsequent incremental backups would be encrypted with the new key as would the weekly fulls.

My question is after a further couple of weeks the when incremental backups have been back filled into the base VBK, is all of our data except for the 1 weekly GFS backup encrypted with the new "doubleq111" password?

Thanks in advance,

Andy

[veremin]

Applying new encryption password will require new active full backup. Once it's created, previous increments (ones encrypted with old password) won't be merged into previous base full backup, instead they will sit and wait, till retention policy removes them along with the previous full backup. Thanks!

[Ananduascdlm]

What if the same Encryption Key password is updated to a new password. Will that trigger Full backup for all jobs , where this encryption key was being used

[Mildur]

No, we will continue the chain with incremental backups.

Please see the explanation in our help center:

If you update encryption settings for an existing backup job, consider the following:
- If you enable encryption, during the next job session Veeam Backup & Replication will automatically create a full backup file. The created full backup file and subsequent incremental backup files in the backup chain will be encrypted with the specified password or KMS key.

- If you change the password or start using KMS keys for the already encrypted job, during the next job session Veeam Backup & Replication will create a new incremental backup file. The created backup file and subsequent backup files in the backup chain will be encrypted with the new password or KMS key.

- If you disable encryption, during the next job session Veeam Backup & Replication will automatically create a full backup file.

Make sure to keep the old encryption password in a safe place. You will need it, if you import backups without the VBM file to a new backup server.

If the password has changed several times or you have changed the encryption method to KMS keys, you need to specify them in the following manner:
- If you select a metadata file (VBM) for import, you must specify the latest KMS key or passwords that was used to encrypt data encryption keys.

- If you select a full backup file (VBK) for import, you must specify the whole set of KMS keys and passwords that were used to encrypt data encryption keys.

Best,
Fabian