Help Center
Choose product document...
Veeam Agent for Microsoft Windows 2.0
User Guide

Session Keys and Metakeys

The session key is the lowest layer in the encryption key hierarchy. When Veeam Agent for Microsoft Windows encrypts data, it first encodes every data block in a file with a session key. For session keys, Veeam Agent for Microsoft Windows uses the AES algorithm with a 256-bit key length in the CBC-mode.

Veeam Agent for Microsoft Windows generates a new session key for every backup job session. For example, if you have created an encrypted backup job and run 3 job sessions, Veeam Agent for Microsoft Windows will produce 3 backup files that will be encrypted with 3 different session keys:

  • Full backup file encrypted with session key 1
  • Incremental backup file encrypted with session key 2
  • Incremental backup file encrypted with session key 3

Session Keys and Metakeys 

The session key is used to encrypt only data blocks in backup files. To encrypt backup metadata, Veeam Agent for Microsoft Windows applies a separate key — metakey. Use of a metakey for metadata raises the security level of encrypted backups.

For every job session, Veeam Agent for Microsoft Windows generates a new metakey. For example, if you have run 3 job sessions, Veeam Agent for Microsoft Windows will encrypt metadata with 3 metakeys.

Session Keys and Metakeys 

In the encryption process, session keys and metakeys are encrypted with keys of a higher layer — storage keys. Cryptograms of session keys and metakeys are stored to the resulting file next to encrypted data blocks. Metakeys are additionally kept in the Veeam Agent for Microsoft Windows database.

Veeam Large Logo

User Guide

Configurator Reference

Veeam Backup & Replication Documentation

Veeam ONE Documentation

Veeam Management Pack Documentation

Veeam Agent for Linux Documentation