kaboomza
Enthusiast
Posts: 55
Liked: never
Joined: Oct 23, 2019 3:08 pm
Full Name: Jaques Coetsee
Contact:

Rotating the Veeam encryption key

Post by kaboomza »

Hi guys, as per company policy we have to rotate the Veeam encryption keys periodically, and I have done so by creating a new key and changing it on each job that was running encryption.

My question is, is there a way for me to validate that we are actually using the new key? My understanding was that changing the encryption key will prompt a new active full backup; however, looking at the logs I don't see the jobs running a new active full, they just continue with the incremental as per normal?

Thanks in advance
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Rotating the Veeam encryption key

Post by Mildur »

Changing the encryption key on an already encrypted backup will not start an active full backup.
Only the new incremental and full backups are encrypted with the new key.
If you want to use only the new key, you need to start an active full backup. I'm not sure if a synthetic full is enough.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110

If you change the password for the already encrypted job, during the next job session Veeam Backup & Replication will create a new incremental backup file. The created backup file and subsequent backup files in the backup chain will be encrypted with the new password.
______________________________

To unlock a backup encrypted with several passwords, you must decrypt it in the following manner:

- If you import a metadata file (VBM), provide the latest password that was used to encrypt files in the backup chain.
- If you import a full backup file (VBK), provide the whole set of passwords that were used to encrypt files in the backup chain.
For more information, see Decrypting Data with Password.
Product Management Analyst @ Veeam Software

Re: Rotating the Veeam encryption key

Post by kaboomza »

Thanks for the feedback. I am assuming also, based on retention, once the older incrementals get replaced with the new ones, the old encryption key will technically be phased out as the entire chain gets replaced, correct?

Re: Rotating the Veeam encryption key

Post by Mildur »

"the old encryption key will technically be phased out as the entire chain gets replaced correct?"

I could imagine it that way, but I don't know it for sure.
If you use Fast Clone, then the "same productive data" in the old encrypted blocks on the disk is not the same as the new backup blocks with the new encryption key. There is a possibility that Fast Clone will not be used for the first synthetic full if you change the encryption key. But I haven't tested it. It's only my thinking that it could be that way. If Veeam were to use Fast Clone again after changing the key, then the old encryption key would be needed to get the backup data out of the old blocks.
Product Management Analyst @ Veeam Software

Re: Rotating the Veeam encryption key

Post by kaboomza »

Appreciate the feedback Mildur, let's see if Veeam can confirm the statement above here.
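
As an added example (not part of the thread and not Veeam code), the sketch below models the help center rule quoted earlier: a VBM import needs the latest password, a VBK import needs every password used in the chain. It works out which passwords must stay in escrow for the files still on disk. The file names and key labels are constructed, each file is assumed to be tagged with the password active when it was written, and synthetic fulls with Fast Clone, which the thread leaves open, are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupFile:
    name: str    # constructed file name
    kind: str    # "full" (VBK) or "inc" (incremental)
    key_id: str  # label of the password active when the file was written


def chains(files):
    """Split an ordered file list into chains, each starting at a full."""
    out = []
    for f in files:
        if f.kind == "full" or not out:
            out.append([])
        out[-1].append(f)
    return out


def passwords_for_vbk_import(chain):
    """Whole set of passwords used in the chain, in order of first use."""
    seen = []
    for f in chain:
        if f.key_id not in seen:
            seen.append(f.key_id)
    return seen


def password_for_vbm_import(chain):
    """Latest password used to encrypt files in the chain."""
    return chain[-1].key_id


def keys_still_required(files):
    """Passwords that must be kept while these files remain on disk."""
    required = []
    for chain in chains(files):
        for key in passwords_for_vbk_import(chain):
            if key not in required:
                required.append(key)
    return required


# Constructed sample: password changed from K1 to K2 mid-chain with no
# active full, then a manually started active full under K2.
SAMPLE = [
    BackupFile("job-01.vbk", "full", "K1"),
    BackupFile("job-02.vib", "inc", "K1"),
    BackupFile("job-03.vib", "inc", "K2"),   # first run after rotation
    BackupFile("job-04.vbk", "full", "K2"),  # active full
    BackupFile("job-05.vib", "inc", "K2"),
]
```

On the sample, K1 stays required until every file of the first chain has left the repository, which is the condition to check before retiring the old password.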