Understanding Backup Encryption

[dloseke]

Okay, I had a client raise a question on backup encryption, and I wanted to make sure I understood this before I answer their questions.

Client is encrypting, or is looking to encrypt their backup data. I don't recall of the repository is encrypted or if the jobs are encrypted or none. What I know is, that if encryption is not currently enabled and encryption is turned on at the repo or the job, the next job running will be a full to start a new backup chain and the data will be encrypted.

What I'm trying to understand is if a backup is already encrypted, and the encryption password is changed, the next backup will be incremental as scheduled and will use the new encryption password, but the previous user keys are still stored in the configuration database and all backups going forward will use the new user key? One of the things I don't think I fully understand is how if you import a backup metadata file, it is able to decrypt all of the backups in the chain....does the metadata file contain encrypted session keys or something like that? In that case, I'm assuming that data is in both the metadata AND the configuration database?

I've read the Encryption Best Practices, How Encryption Works and How Decryption works articles several times and I think I understand it, but wanted to make sure. Thanks for your help.

[HannesK]

Hello,
I'm focusing on the key question, whether you are able do decrypt all backups of a chain, if multiple passwords were used. The answer is "yes". You will have to provide all passwords then.

The configuration database is irrelevant. Imagine backup files like multiple zip files, each having it's own password.

Best regards,
Hannes

[dloseke]

Not really sure this answers my question though. My understanding is that if you import the metadata (VBM) file, you only need to provide the most recent encryption password (and multiple passwords if you import the VBK's), but I seek to understand they mechanics behind it, and really the question I need to ensure that I have the correct answer to is if the encryption password is changed, this does NOT start a new backup chain and create new fulls, correct?

[chris.childerhose]

Changing the password should not affect the chain and run a full backup that I am aware of it just continues on. Based on this page - https://helpcenter.veeam.com/docs/backu ... ml?ver=110 - this indicates the encryption of files but nothing about fulls when changed.

[veremin]

is if the encryption password is changed, this does NOT start a new backup chain and create new fulls, correct?

No, it does not:

If you change the password for the already encrypted job, during the next job session Veeam Backup & Replication will create a new incremental backup file. The created backup file and subsequent backup files in the backup chain will be encrypted with the new password.

Thanks!