- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jan 26, 2018 12:19 pm
Feature Request: Opportunistic network encryption
Hi,
in our company it is required to encrypt all backup traffic. Currently we do this by adding all backup proxies and targets to the "Global Network Traffic Rules" list and checking the box "Encrypt all network traffic". As this can be error prone, we currently address this via the PowerShell automation outlined here.
As the global trend of network communication is evolving to be secure by default (see VMware's opportunistic vMotion encryption for example), I would like to see a configurable option to be able to set opportunistic encryption between Veeam components.
Cheers,
Matthäus
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Feature Request: Opportunistic network encryption
Hi Matthäus, do you mean a single setting that will enable encryption between all the components?
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jan 26, 2018 12:19 pm
Re: Feature Request: Opportunistic network encryption
Hi,
correct. Just a checkbox or dropdown which changes the behavior from "unencrypted by default" to "encrypted by default".
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Feature Request: Opportunistic network encryption
Understood. Thanks for the suggestion.
- Chief Product Officer
- Posts: 31816
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Feature Request: Opportunistic network encryption
Just found this thread while looking for something else. You can use ForceAgentTrafficEncryption registry value to have Veeam encrypt all of its network connections.
- Enthusiast
- Posts: 65
- Liked: 4 times
- Joined: Oct 06, 2016 1:19 pm
Re: Feature Request: Opportunistic network encryption
Can you elaborate on what this setting does?
Does it include all command and control traffic between console, backup server, guest interaction proxy, FLR appliance, backup repository, backup proxy and guest?
Any further documentation and/or clarification is welcome.
- Chief Product Officer
- Posts: 31816
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Feature Request: Opportunistic network encryption
This should be set on the backup server, and it goes into the same/single registry hive where all other registry values we have go. This setting is for data mover to data mover communication only (for the actual payload transfers), as the rest of communications are always encrypted.
Do expect the performance to drop somewhat after you enable this option. Because we had lots of complaints about this after we introduced the traffic encryption option, because we decided to enable one by default as soon as we see a public IP address - and apparently, quite a few users use public IP addresses in their private networks so they all complained about lower performance after upgrade to the corresponding B&R version until we figured out what is going on and gave them a registry value to disable this.
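As an added example (not Veeam's own code or documentation): a small PowerShell helper to audit, and optionally enable, the ForceAgentTrafficEncryption value Gostev names on the backup server. The thread does not state the registry hive path or the data type, so the path is a placeholder and "DWORD 1 = enabled" is an assumption to confirm with Veeam support.

```powershell
# Added example: audit (and optionally enable) forced data-mover traffic encryption.
# ASSUMPTION: the thread does not give the hive path; replace the placeholder with the
# key Veeam support provides. A DWORD of 1 meaning "enabled" is also an assumption.
$VeeamKey  = 'HKLM:\SOFTWARE\<VEEAM-REGISTRY-HIVE-PLACEHOLDER>'
$ValueName = 'ForceAgentTrafficEncryption'

function Get-ForcedEncryptionState {
    # Returns 'Enabled', 'Disabled' or 'NotSet' so a compliance check can act on it.
    $item = Get-ItemProperty -Path $VeeamKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-ForcedEncryption {
    # Supports -WhatIf so the change can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $VeeamKey)) { New-Item -Path $VeeamKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$VeeamKey\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $VeeamKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Run on the backup server, which is where the post says the value belongs.
$before = Get-ForcedEncryptionState
Write-Output "ForceAgentTrafficEncryption before: $before"
if ($before -ne 'Enabled') {
    Enable-ForcedEncryption -WhatIf   # drop -WhatIf to actually apply the change
}
Write-Output "ForceAgentTrafficEncryption after:  $(Get-ForcedEncryptionState)"
```

Per the post, this value only affects data mover to data mover payload traffic, so it complements rather than replaces the Global Network Traffic Rules; whether a service restart is needed is not covered by the thread.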
- Enthusiast
- Posts: 65
- Liked: 4 times
- Joined: Oct 06, 2016 1:19 pm
Re: Feature Request: Opportunistic network encryption
Gostev wrote (Sep 21, 2018 2:55 pm): This should be set on the backup server, and it goes into the same/single registry hive where all other registry values we have go. This setting is for data mover to data mover communication only (for the actual payload transfers), as the rest of communications are always encrypted.
That last part, "as the rest of communication is always encrypted", makes me curious. This conflicts with other information I have seen.
Is all "command and control" encrypted? If so, what kind of encryption? How can security of this communication be controlled?
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Feature Request: Opportunistic network encryption
Built-in RPC or .NET encryption (SSPI) is used between the rest of Veeam B&R components.
- Enthusiast
- Posts: 65
- Liked: 4 times
- Joined: Oct 06, 2016 1:19 pm
Re: Feature Request: Opportunistic network encryption
I'm not sure if this answer satisfies my query.
The console is part of the components? This thread gives a different answer regarding encryption of console traffic.
Where is the RPC or .NET encryption used? Between which components?
What kind of encryption algorithm is used?
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Feature Request: Opportunistic network encryption
Being Windows clients, backup server and console (if installed separately) negotiate over RPC, which provides SSPI API for secure communications (Kerberos and NTLM).