How Data Encryption Works
Data encryption is performed as part of the backup process. Encryption works at the source or target side depending on the backup target. As a result, encryption keys are not passed to the untrusted side, which helps to avoid data interception.
In Veeam Agent, the encryption process includes the following steps:
- When you create a backup job, you enable the encryption option for the job and enter a password to protect data at the job level.
- Veeam Agent generates a user key based on the entered password.
- When you start an encrypted job, Veeam Agent creates a storage key and stores this key in its database.
- Veeam Agent creates a session key and a metakey. The metakey is stored in the Veeam Agent database.
- Veeam Agent processes job data in the following way:
  - The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
  - The storage key encrypts the session key and the metakey.
  - The user key encrypts the storage key.
- Encrypted data blocks are written to the target location. The cryptograms of the user key, storage key, session key and metakey are stored in the resulting file next to the encrypted data blocks.
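
The key hierarchy from the steps above, as an added Python example that is not Veeam's code, showing that a restore needs only the password plus the cryptograms stored in the file. The KDF (PBKDF2-HMAC-SHA256), the `seal`/`unseal` stand-in cipher built on HMAC-SHA256 (a product would use a vetted AEAD such as AES-GCM), the dictionary used as the file layout and all function names are assumptions; the user key cryptogram is left out because the page does not say how it is produced.

```python
import hashlib, hmac, os

def user_key_from_password(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the page does not name the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; returns nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def write_backup(password, blocks, metadata):
    salt = os.urandom(16)
    user_key = user_key_from_password(password, salt)
    storage_key, session_key, metakey = (os.urandom(32) for _ in range(3))
    return {  # constructed layout: cryptograms sit next to the encrypted blocks
        "salt": salt,
        "storage_key": seal(user_key, storage_key),     # user key encrypts storage key
        "session_key": seal(storage_key, session_key),  # storage key encrypts session key
        "metakey": seal(storage_key, metakey),          # ... and the metakey
        "metadata": seal(metakey, metadata),            # metakey encrypts metadata
        "blocks": [seal(session_key, b) for b in blocks],  # session key encrypts data
    }

def restore(password, backup):
    # Unwrap in reverse order; only the password comes from outside the file.
    user_key = user_key_from_password(password, backup["salt"])
    storage_key = unseal(user_key, backup["storage_key"])
    session_key = unseal(storage_key, backup["session_key"])
    metakey = unseal(storage_key, backup["metakey"])
    return unseal(metakey, backup["metadata"]), [unseal(session_key, b) for b in backup["blocks"]]
```

A wrong password fails at the first unwrap (the storage key), so no data block is ever decrypted with a wrong key.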