Tape Encryption
Veeam Backup & Replication supports two types of encryption for tape media:
- Hardware level: library- and driver-managed encryption mechanisms provided by the tape vendor
- Software level: the encryption mechanism provided by Veeam Backup & Replication
Hardware encryption has a higher priority. If hardware encryption is enabled for the tape media, Veeam Backup & Replication automatically disables its software encryption mechanism for such tape libraries. The Veeam encryption mechanism can only be used if hardware encryption is disabled at the tape device level or not supported.
To use the Veeam encryption mechanism, you need to enable encryption at the level of media pool. In this case, Veeam Backup & Replication will encrypt data for all jobs that use tapes from the this media pool. Encryption is supported for both types of tape jobs:
- Backup to tape jobs
- File to tape jobs
Encryption of data on tapes includes the following steps:
- You enable encryption for a media pool and specify a password.
- You select the media pool as a target for a backup to tape or file to tape job.
- Veeam Backup & Replication generates the necessary keys to protect data archived to tape.
- During the backup to tape or file to tape job, the key is passed to the target side. In case of hardware encryption, Veeam Backup & Replication passes the key to the tape device, and the tape device uses its mechanism to encrypt data on tapes. In case of software encryption, Veeam Backup & Replication passes the keys to the tape server, and encrypts data when it is archived to tape.
Backup to tape jobs allow double encryption. The backup to tape job uses a backup file as a source of data. If the backup file is encrypted with the initial backup job and the encryption option is enabled for the backup to tape job, too, the resulting backup file will be encrypted twice. To decrypt such backup file, you will need to subsequently enter two passwords:
- Password for the initial backup job
- Password for the media pool
Restore of encrypted data from tape includes the following steps:
- You insert tape with encrypted data into the tape drive and perform tape catalogization. The catalogization operations lets Veeam Backup & Replication understand what data is written to tape.
- You provide a password to decrypt data archived to tape.
- Veeam Backup & Replication uses the provided password to generate a user key and unlock the subsequent keys for data Veeam Backup & Replication retrieves data blocks from encrypted files on tapes and decrypts them.