Looking at implementing Veeam Encryption - Any gotchas?

[wa15]

We are looking to enable encryption across the board for local backups and backup copies, which should also carry over to backups to tape. We have Enterprise+ & EM deployed and have enabled password loss protection. We have done some testing and it all seems very straight forward.

Anything else that we need to consider before enabling this? Any "gotchas" that others have encountered?

One question that I have: it is recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?

Thanks in advance!

[bdufour]

We enabled encryption at rest and in transit (veeam network traffic encryption), been running that for a while. Easy to set up and it just works. Seems to work well too, actually didn’t see much of a performance difference.

Enterprise manager has a lost password protection feature as well. That should help with password maintenance, if an issue were ever to arise around unknown passwords, ect.

[wa15]

Thanks. Have you guys tried to change the encryption password every so often? If so, what was the behavior when you tried restoring a backup with the old password?

[bdufour]

Haven’t really had a need to change them - as no one who has access to backup infrastructure has left the company since implemented. we use different, very long and random, passwords per vm/backup, saved to it’s own encrypted password management database.

[Gostev]

Seems to work well too, actually didn’t see much of a performance difference.

This is because modern processors support hardware acceleration for the AES encryption algorithm that we're using.

[bdufour]

Gostev,

Good to know, as we all know - typically encryption will add noticeable overhead, we were concerned about this for our replication traffic over mpls to the dr site. We were quite impressed and happy to find we didn’t encounter this. I’ve encouraged many of my admin friends that run veeam (most are) to consider in transit encryption, as well as backup file encryption.

[wa15]

Thanks for the input everyone! One more question I hope to have some feedback on:

It's recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?

[Gostev]

Yes. However, keep in mind that Veeam will not ask you for a password if you're restoring from the same server that created the backup. It is only if you lost this server and/or are attempting to import [stolen] backup file into another server, when you need to provide the password.

You should also consider enabling password loss protection, see our User Guide (you can back those Enterprise Manager private keys up, if you decide to change them periodically as well).

[wa15]

Got it, thank you @Gostev as usual!

[wa15]

Sorry, one more question: does the Veeam B&R configuration backup also backup the key set generated on the Enterprise Manager? Or do those need to be backed up manually each time?

[Mike Resseler]

Hi wa15,
The configuration backup does not hold that key set so you will need to export it manually. The process is described here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Hope it helps
Mike

[billcouper]

What will happen to per-VM chains when encryption is enabled?
I am using ReFS extents, will the existing per-vm chains be maintained and block-cloning continue to work?

[Gostev]

Encryption will not be enabled until the next full backup, which will create all new blocks with encrypted content - so you will see your disk space usage increase. From that point on, block cloning will be working again, now cloning those newly created encrypted blocks.

[jim3cantos]

Here also trying to implement encryption in our current configuration (9.5U4b). Up to now every path investigated seems to lead to a dead end when using the dummy job workaround if we want to keep backups encrypted at DR site too. So, as we also want to keep the posibility to run Datalabs at DR site, it seems to me that the only option is to "move" the backup server to DR site and "consolidate" with the one already there that currently is only responsible for replication from backup + surereplica (Datalab). Am I correct?

[veremin]

Correct, in this case it's recommended to make one backup server responsible for both backup (replication) and SureBackup jobs. Thanks!

[jim3cantos]

Here also trying to implement encryption in our current configuration (9.5U4b). Up to now every path investigated seems to lead to a dead end when using the dummy job workaround if we want to keep backups encrypted at DR site too. So, as we also want to keep the posibility to run Datalabs at DR site, it seems to me that the only option is to "move" the backup server to DR site and "consolidate" with the one already there that currently is only responsible for replication from backup + surereplica (Datalab). Am I correct?

It turns out that there is no incompatibility between the "dummy job" approach and encryption at DR site. You just specify once the encryption key for the "shared" repository and Veeam diligently stores it and doesn't ask for it anymore. So at the end may be the dummy (backup copy) job is going to outlive another Veeam release