Backup Copy Job Encryption

Encryption for a backup copy job is configured in the advanced job settings. You should enable the encryption option and specify a password to protect data in backup files produced by the backup copy job.

The workflow of the encrypted backup copy job depends on the path for data transfer:

• Direct data path
• Data path via WAN accelerators

Direct Data Path

If you use a direct data path to transfer backups to the target backup repository, the encrypted backup copy job includes the following steps:

1. You enable encryption for a backup copy job and specify a password.
2. Veeam Backup & Replication generates the necessary keys to protect backup files produced by the backup copy job.
3. Veeam Backup & Replication encrypts data blocks on the source side and transfers them to the target backup repository.
4. On the target backup repository, encrypted data blocks are stored to a resulting backup file.

An encrypted backup copy job may use an encrypted backup file as a source. In this situation, Veeam Backup & Replication does not perform double encryption. The backup copy job includes the following steps:

1. Veeam Backup & Replication decrypts data blocks of the encrypted source backup file. For the decryption process, it uses the storage key and metakeys stored in the configuration database.
2. Veeam Backup & Replication generates the necessary keys to protect backup files produced by the backup copy job.
3. Veeam Backup & Replication encrypts data blocks on the source side using these keys and transfers encrypted data blocks to the target backup repository.
4. On the target backup repository, encrypted data blocks are stored to a resulting backup file.

The restore process for backups produced by backup copy jobs does not differ from that for backup jobs.

Via WAN Accelerators

WAN accelerators require reading data on the target side to perform such operations as global data deduplication, backup health check and so on. For this reason, if you use WAN accelerators for backup copy jobs, the encryption process is performed on the target side.

The backup copy job processing via WAN accelerators includes the following steps:

1. You enable encryption for a backup copy job and specify a password.
2. Veeam Backup & Replication generates necessary keys to protect backup files produced by the backup copy job.
3. Data blocks are passed to the target backup repository in the unencrypted format.
4. Received data blocks are encrypted on the target site and stored to a resulting backup file on the target backup repository.
   

The restore process in this case does not differ from that for backup jobs. Veeam Backup & Replication retrieves data blocks from the backup file on the target backup repository, sends them to the source side and decrypts them on the source side.

When transporting data between WAN accelerators that face external networks, Veeam Backup & Replication encrypts the network traffic by default. For network traffic encryption, Veeam Backup & Replication uses the 256-bit Advanced Encryption Standard (AES). For more information, see Enabling Network Data Encryption.