wa15
Expert
Posts: 174
Liked: 18 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Looking at implementing Veeam Encryption - Any gotchas?

Post by wa15 » Jan 11, 2019 11:41 pm

We are looking to enable encryption across the board for local backups and backup copies, which should also carry over to backups to tape. We have Enterprise+ & EM deployed and have enabled password loss protection. We have done some testing and it all seems very straightforward.

Anything else that we need to consider before enabling this? Any "gotchas" that others have encountered?

One question that I have: it is recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?

Thanks in advance!

bdufour
Expert
Posts: 123
Liked: 19 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by bdufour » Jan 12, 2019 12:32 am

We enabled encryption at rest and in transit (Veeam network traffic encryption), been running that for a while. Easy to set up and it just works. Seems to work well too, actually didn’t see much of a performance difference.

Enterprise Manager has a lost password protection feature as well. That should help with password maintenance, if an issue were ever to arise around unknown passwords, etc.

Post by wa15 » Jan 12, 2019 1:01 am

Thanks. Have you guys tried to change the encryption password every so often? If so, what was the behavior when you tried restoring a backup with the old password?

Post by bdufour » Jan 12, 2019 1:20 am

Haven’t really had a need to change them - as no one who has access to backup infrastructure has left the company since implemented. We use different, very long and random, passwords per VM/backup, saved to its own encrypted password management database.

Gostev
Veeam Software
Posts: 23333
Liked: 3033 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Gostev » Jan 12, 2019 1:02 pm

bdufour wrote (Jan 12, 2019 12:32 am):
> Seems to work well too, actually didn’t see much of a performance difference.

This is because modern processors support hardware acceleration for the AES encryption algorithm that we're using.

Post by bdufour » Jan 12, 2019 8:52 pm

Gostev,

Good to know. As we all know, typically encryption will add noticeable overhead; we were concerned about this for our replication traffic over MPLS to the DR site. We were quite impressed and happy to find we didn’t encounter this. I’ve encouraged many of my admin friends that run Veeam (most are) to consider in-transit encryption, as well as backup file encryption.

Post by wa15 » Jan 14, 2019 6:20 pm

Thanks for the input everyone! One more question I hope to have some feedback on:

It's recommended to change the encryption password every so often. Since the new password will only be used on the new backups forward, how does one keep track of the password used for the older backups? Example, if we change the password every quarter, we somehow need to use our own tools to remember the password we used on a backup a year ago, in case we need to restore it?

Post by Gostev » Jan 14, 2019 7:55 pm

Yes. However, keep in mind that Veeam will not ask you for a password if you're restoring from the same server that created the backup. It is only if you lost this server and/or are attempting to import a [stolen] backup file into another server, when you need to provide the password.

You should also consider enabling password loss protection, see our User Guide (you can back those Enterprise Manager private keys up, if you decide to change them periodically as well).

Post by wa15 » Jan 14, 2019 10:03 pm

Got it, thank you @Gostev as usual!

Post by wa15 » Jan 15, 2019 1:10 am

Sorry, one more question: does the Veeam B&R configuration backup also back up the key set generated on the Enterprise Manager? Or do those need to be backed up manually each time?

Mike Resseler
Veeam Software
Posts: 5113
Liked: 542 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by Mike Resseler » Jan 15, 2019 6:24 am

Hi wa15,
The configuration backup does not hold that key set, so you will need to export it manually. The process is described here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Hope it helps
Mike

billcouper
Service Provider
Posts: 59
Liked: 13 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper
Contact:

Re: Looking at implementing Veeam Encryption - Any gotchas?

Post by billcouper » Jan 16, 2019 1:35 am

What will happen to per-VM chains when encryption is enabled?
I am using ReFS extents, will the existing per-VM chains be maintained and block-cloning continue to work?

Post by Gostev » Jan 16, 2019 3:57 am

Encryption will not be enabled until the next full backup, which will create all new blocks with encrypted content - so you will see your disk space usage increase. From that point on, block cloning will be working again, now cloning those newly created encrypted blocks.
