encryption key rotation

[AlexL]

I'm trying to understand what happens, or needs to happen, when I change the encryption key for an existing installation with VB365.

Assuming I have an installation that's been doing daily backups for many months (snapshot based, retention 1 year), to object storage, and has encryption enabled on the repo.
Now I change the encryption key, then what?

In VBR I believe a new full needs to run, but how does this work with VB365?

And assume I do change the encryption key, and after lets say a month I need to restore something from 3 months ago, do I need the 1e key, the 2e key, or both?

Any clarification on this matter would be greatly appreciated.

[Mildur]

Hi Alex

Only the most recent encryption password is required to access all restore points.
Let me check with our user guide team if we can provide more detailed documentation for our VB365 encryption/decryption behavior.

In VBR I believe a new full needs to run, but how does this work with VB365?

VB365 will continue with incremental backup after you have changed the encryption key.
VBR doesn't require an active full after you change the encryption key. New backup files will be encrypted by the new encryption key. While existing backup file will stay encrypted with the previous key.

Active full in VBR is only required if you enable encryption on an existing job.


Best,
Fabian

[AlexL]

Ah check, of course, for vbr only after enabling.
But, trying to fully understand your words, you say "continue with synthetic full backup", does this mean that "extra" processing (in time) is required for the next daily backup or is it just business as usual, same runtime for the daily but somehow the entire chain is restorable with only the new encryption key?

[Mildur]

I apologize. My head is messed up this morning (not enough coffee yet).
I meant incremental. VB365 will continue with an incremental backup after you change the encryption key

Best,
Fabian