What is encryption?
One of the most powerful tools in your arsenal to protect your data is encryption. Data encryption uses cryptographic algorithms and a secret key to transform data into an unreadable and scrambled format. This ensures that even if encrypted data is intercepted and stolen, it cannot be deciphered or understood by unauthorized individuals. Only those who possess the secret key can decrypt and reverse the encryption, making the information readable again. Encryption provides a secure way to protect sensitive data and maintain confidentiality.
Encryption vs Performance
Encryption almost certainly has a performance impact, because transforming data into an encrypted format adds computational overhead; decrypting the data during a restore carries a similar cost. How large the impact is depends on several factors.
Factor | Effect on performance
--- | ---
Encryption algorithm | The choice of encryption algorithm can influence performance. Some algorithms, like AES (Advanced Encryption Standard), are computationally efficient and have less impact on performance. Stronger encryption algorithms may require more processing power, potentially slowing data transfer or backup operations.
Hardware acceleration | Many modern processors include specialized instructions or hardware modules that accelerate encryption operations, such as AES-NI (AES New Instructions). If the hardware supports these instructions, it can significantly reduce the performance impact of encryption.
Network speed and bandwidth | The impact of encryption on performance may be more noticeable in scenarios with high network speed and bandwidth requirements. Encrypting large amounts of data over a network consumes additional CPU resources and can slightly slow down the transfer speed. In typical network environments the impact is usually minimal.
Encryption key management | The overhead associated with encryption key management can also impact performance. Generating, storing, and securing encryption keys adds some complexity and computational effort, but this impact is typically negligible compared to the actual encryption and decryption operations.
Data at Rest Encryption
Encrypting data at rest is essentially ensuring that data contained within a repository can only be decrypted by those authorized to do so.
The encryption ensures that even if a bad actor copies the data, it cannot be unlocked and read. Encrypted information can only be deciphered and returned to a readable format by intended recipients who possess the secret key.
Veeam Backup & Replication employs encryption at the following levels:
- Backup job
- Transaction log backup job
- Backup copy job
- VeeamZIP
- Tapes in media pools
- Capacity tier
- Archive tier
Encryption involves these steps:

- During job creation, you can enable the encryption option and enter a password to secure data specifically associated with that job.
- The user key in Veeam Backup & Replication is created from the password entered by the user.
- When initiating an encrypted job, Veeam Backup & Replication generates a storage key and securely saves it in the configuration database.
- Veeam Backup & Replication generates a session key and a metakey for each operation. The configuration database holds the metakey for safekeeping.
- Veeam Backup & Replication processes job data as follows:
  (a) Data blocks in the backup file are encrypted with the session key. Backup metadata is encrypted with the metakey.
  (b) The session key and the metakey are both encrypted with the storage key.
  (c) The storage key is encrypted with the user key.
  (d) If the backup server is integrated with Veeam Backup Enterprise Manager, the storage key is additionally encrypted with the Enterprise Manager key.
- When the backup server is linked to Veeam Backup Enterprise Manager, Veeam Backup & Replication stores two encrypted versions of the storage key in the output file: one encrypted with the user key (c) and the other with the Enterprise Manager key (d). Saving the cryptogram twice ensures Veeam Backup & Replication can decrypt the file even if the original password is lost or forgotten.
Data Encryption and Deduplication/Compression
When employing a deduplicating storage appliance as a target, the use of data encryption can have an adverse impact on the deduplication ratio. Every job session in Veeam Backup & Replication uses a unique encryption key. As a result of encryption, data blocks sent to the deduplicating storage appliances are perceived as unique, even if they encompass duplicate information, as the encryption process renders the data unrecognizable in its original form. Disabling data encryption allows for a higher deduplication ratio to be achieved. The deduplicating storage appliance offers an encryption feature which can be enabled if you wish to continue using encryption.
Veeam Backup & Replication follows a specific order when both data compression and encryption are enabled for a job: it compresses the VM data before encrypting the compressed data blocks. The source side is the location where both operations are executed.
Password Best Practices
To ensure secure data encryption and decryption, use these recommendations for passwords:
Choose robust passwords that are difficult to decipher or guess:
- A minimum of 15 characters is required for the password.
- Uppercase and lowercase letters are required for the password.
- Use a mix of letters, numbers, and symbols for your password.
- Your new password must be significantly different from your old one.
- Avoid using personal information like your birthdate, pet's name, or username in your password.
- Create a memorable hint to help you recover your password. The password hint appears when unlocking encrypted files or tapes on the backup server.
- Keep your passwords secure. Without your password, encrypted backups are unrecoverable unless Enterprise Manager keys were used.
- Regularly change passwords for encrypted jobs. Using different passwords strengthens encryption.
Enterprise Manager Keys
If your backup server is integrated with Veeam Backup Enterprise Manager, you can also encrypt your data using Enterprise Manager keys, which lets you recover your data even if you lose the password.
When configuring Enterprise Manager keysets, keep these recommendations in mind:
- Regularly generate new Enterprise Manager keysets and enable them for use. Keyset activation automatically distributes the public Enterprise Manager key to backup servers, allowing encrypted jobs.
- Securely back up Enterprise Manager keysets. A Veeam Backup Enterprise Manager failure will cause the loss of the private Enterprise Manager keys, and without them Veeam Backup Enterprise Manager cannot recover data from backups or tapes whose password has been lost.
Enabling encryption for an existing job (except backup copy jobs) will trigger a full backup during the next session. All backup files in the chain, including the full backup and subsequent incrementals, will be encrypted.
Data that's already been created cannot be encrypted. Enabling encryption for an existing job won't encrypt past backups.
Password changes for encrypted jobs result in a new incremental backup. All backup files in the chain will be encrypted with the new password.
Key Management System Keys
You can use Key Management System (KMS) keys for data encryption instead of secret keys based on a password. KMS keys are based on an asymmetric key encryption algorithm. They are managed and rotated by an external KMS server and provide a higher level of security.
You can use KMS keys to encrypt backup files on the following:

Job-level encryption:
- Backup and backup copy jobs
- Veeam Agent backup jobs managed by Veeam Backup & Replication
- File backup jobs and object storage backup jobs
- Transaction log backup and backup copy jobs
- VeeamZIP jobs

Backup repositories that store backup files created by:
- Veeam Backup for Nutanix AHV
- Veeam Backup for OLVM and RHV
- Veeam Kasten for Kubernetes
- Capacity tier repositories
- Media pools and GFS media pools
- External repositories (decryption only)
If you use Veeam Cloud Connect repositories as a target backup storage, you can also use KMS keys for the following jobs:
- Backup and backup copy jobs
- Veeam Agent backup jobs managed by Veeam Backup & Replication
- Transaction log backup copy jobs
The following jobs and repositories do not support data encryption with KMS keys:
- Configuration backup jobs
- Veeam Agent backup jobs managed by Veeam Agents
- Backup repositories that store backup files created by Veeam Agents operating in the standalone mode
How KMS Works
When you add the KMS server in the Veeam Backup & Replication console and start using KMS keys for data encryption, Veeam Backup & Replication asks the KMS server to generate an asymmetric KMS key for the required job or repository. Veeam Backup & Replication stores a public key in the configuration database and uses it for data encryption. The KMS server stores a private key and uses it for data decryption.

The KMS server rotates KMS keys at a time interval specified in the KMS policies. To get updates from the KMS server, Veeam Backup & Replication runs a system job. During the job session, Veeam Backup & Replication performs the following steps:
- Sends a request to the KMS server.
- Gets information about recently rotated KMS keys, if there are any.
- Updates public keys in the Veeam Backup & Replication configuration database.
Data in Flight Encryption
Veeam Backup & Replication automatically encrypts network traffic over public networks. Network rules enable encrypted backup data transfer between Veeam Data Movers on private networks. The global network traffic rules, which are set for backup infrastructure components, include TLS connections that provide network traffic encryption. Backup data is encrypted before sending if job-level encryption is enabled.

Veeam backup systems use these TLS versions:
- TLS 1.3: Windows Server 2022 backup infrastructure partially supports it; TLS 1.3 is not supported by the PowerShell or OpenSSL components.
- TLS 1.2.
For security, disable TLS 1.0 and 1.1 wherever they are not required.