Session Keys and Metakeys

The session key is the lowest layer in the encryption key hierarchy. When Veeam Agent encrypts data, it first encrypts every data block in a file with a session key. For session keys, Veeam Agent uses the AES algorithm with a 256-bit key length in CBC mode.

Veeam Agent generates a new session key for every backup job session. For example, if you have created an encrypted backup job and run 3 job sessions, Veeam Agent will produce 3 backup files that will be encrypted with 3 different session keys:

  • Full backup file encrypted with session key 1
  • Incremental backup file encrypted with session key 2
  • Incremental backup file encrypted with session key 3

The session key is used to encrypt only data blocks in backup files. To encrypt backup metadata, Veeam Agent applies a separate key: the metakey. Use of a metakey for metadata raises the security level of encrypted backups.

For every job session, Veeam Agent generates a new metakey. For example, if you have run 3 job sessions, Veeam Agent will encrypt metadata with 3 metakeys.

In the encryption process, session keys and metakeys are encrypted with keys of a higher layer — storage keys. Cryptograms of session keys and metakeys are stored in the resulting file next to encrypted data blocks. Metakeys are additionally kept in the Veeam Agent database.
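The hierarchy described above, sketched as an added Node.js example (not Veeam code and not Veeam's file format): each job session gets a fresh session key and metakey, and both are stored only as cryptograms wrapped by a storage key. The function names and object layout are hypothetical, and using AES-256-CBC for the metakey and for key wrapping is an assumption, since the page specifies the cipher only for session keys.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

// seal: AES-256-CBC with a fresh random IV; returns IV || ciphertext (PKCS#7 padded).
// Assumption: the same cipher is reused here for metakeys and for key wrapping.
function seal(key, plaintext) {
  const iv = randomBytes(16);
  const c = createCipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}

// open: reverse of seal.
function open(key, sealed) {
  const d = createDecipheriv("aes-256-cbc", key, sealed.subarray(0, 16));
  return Buffer.concat([d.update(sealed.subarray(16)), d.final()]);
}

// One job session: new session key and new metakey, both wrapped by the storage key.
// The object layout is constructed for this example.
function runSession(storageKey, metadata, blocks) {
  const sessionKey = randomBytes(32); // encrypts data blocks only
  const metakey = randomBytes(32); // encrypts backup metadata only
  return {
    wrappedSessionKey: seal(storageKey, sessionKey), // cryptogram kept next to the data
    wrappedMetakey: seal(storageKey, metakey),
    metadata: seal(metakey, Buffer.from(metadata)),
    blocks: blocks.map((b) => seal(sessionKey, Buffer.from(b))),
  };
}

// Restore: unwrap both keys with the storage key, then decrypt metadata and blocks.
function restore(storageKey, file) {
  const sessionKey = open(storageKey, file.wrappedSessionKey);
  const metakey = open(storageKey, file.wrappedMetakey);
  return {
    metadata: open(metakey, file.metadata).toString(),
    blocks: file.blocks.map((b) => open(sessionKey, b).toString()),
  };
}

// Constructed sample: three job sessions under one storage key.
const storageKey = randomBytes(32);
const chain = ["full", "incremental 1", "incremental 2"].map((name) =>
  runSession(storageKey, `type=${name}`, [`${name} block A`, `${name} block B`]));
const sessionKeys = chain.map((f) => open(storageKey, f.wrappedSessionKey).toString("hex"));
console.log("distinct session keys:", new Set(sessionKeys).size);
console.log(restore(storageKey, chain[2]));
```

The storage key is the only secret needed at restore time; the session key and metakey travel with the backup file in wrapped form.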

Page updated 10/23/2023

Page content applies to build 6.2.0.121