Data encryption is performed as part of the backup process. Encryption works at the source side, before data is transported to the target location. As a result, encryption keys are not passed to the target side, which helps to avoid data interception.
The encryption process includes the following steps:
- When you create a backup job, you enable the encryption option for the job and enter a password to protect data at the job level.
- Veeam Agent for Microsoft Windows generates a user key based on the entered password.
- When you start an encrypted job, Veeam Agent for Microsoft Windows creates a storage key and stores this key in its database.
- Veeam Agent for Microsoft Windows creates a session key and a metakey. The metakey is stored in the Veeam Agent for Microsoft Windows database.
- Veeam Agent for Microsoft Windows processes job data in the following way:
  - The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
  - The storage key encrypts the session key and the metakey.
  - The user key encrypts the storage key.
- Encrypted data blocks are passed to the target. The cryptograms of the user key, storage key, session key and metakey are stored in the resulting file next to the encrypted data blocks.
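
The key hierarchy in the steps above can be traced in a short added example (not Veeam code): each key is stored only as a cryptogram made with the key one level up, so a wrong password fails at the storage key and nothing below it can be unwrapped. Assumptions: the page names no algorithms, so PBKDF2 and an HMAC-SHA256 encrypt-then-MAC stand-in cipher are used here, the user key is re-derived from the password and a stored salt, and all function and field names are hypothetical.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in cipher, stdlib only)
    out = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                            hashlib.sha256).digest() for i in range(n // 32 + 1))
    return out[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (the 'cryptogram')."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def derive_user_key(password, salt):
    # Assumption: PBKDF2 stands in for the unspecified password-to-key step
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def encrypted_job(password, blocks, metadata):
    """Source side: build what is sent to the target. No plaintext key leaves."""
    salt = os.urandom(16)
    user = derive_user_key(password, salt)
    storage, session, meta = os.urandom(32), os.urandom(32), os.urandom(32)
    return {
        "salt": salt,
        "storage_key": seal(user, storage),      # user key encrypts storage key
        "session_key": seal(storage, session),   # storage key encrypts session key
        "metakey": seal(storage, meta),          # ... and the metakey
        "metadata": seal(meta, metadata),        # metakey encrypts metadata
        "blocks": [seal(session, b) for b in blocks],  # session key encrypts data
    }

def restore(password, backup):
    user = derive_user_key(password, backup["salt"])
    storage = unseal(user, backup["storage_key"])   # fails here on a wrong password
    session = unseal(storage, backup["session_key"])
    meta = unseal(storage, backup["metakey"])
    return [unseal(session, b) for b in backup["blocks"]], unseal(meta, backup["metadata"])
```

Because every cryptogram carries an authentication tag, a modified block or a wrong password raises an error instead of yielding silently corrupted restore data.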