This is an archive version of the document. To get the most up-to-date information, see the current version.

Session Keys and Metakeys

The session key is the lowest layer in the encryption key hierarchy. When Veeam Agent for Microsoft Windows encrypts data, it first encrypts every data block in a file with a session key. For session keys, Veeam Agent for Microsoft Windows uses the AES algorithm with a 256-bit key length in CBC mode.

Veeam Agent for Microsoft Windows generates a new session key for every backup job session. For example, if you have created an encrypted backup job and run 3 job sessions, Veeam Agent for Microsoft Windows will produce 3 backup files that will be encrypted with 3 different session keys:

  • Full backup file encrypted with session key 1
  • Incremental backup file encrypted with session key 2
  • Incremental backup file encrypted with session key 3

The session key is used to encrypt only data blocks in backup files. To encrypt backup metadata, Veeam Agent for Microsoft Windows applies a separate key, the metakey. Using a separate metakey for metadata raises the security level of encrypted backups.

For every job session, Veeam Agent for Microsoft Windows generates a new metakey. For example, if you have run 3 job sessions, Veeam Agent for Microsoft Windows will encrypt metadata with 3 metakeys.

In the encryption process, session keys and metakeys are themselves encrypted with keys of a higher layer, the storage keys. The cryptograms of session keys and metakeys are stored in the resulting file next to the encrypted data blocks. Metakeys are additionally kept in the Veeam Agent for Microsoft Windows database.
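
The key layering described above can be modelled in a few lines of Node.js. This is an added conceptual example, not Veeam's code or backup file format. The function names, the per-item random IV, the object layout, and the use of AES-256-CBC to wrap keys under the storage key are all assumptions made for illustration.

```javascript
// Conceptual model of the key layers described above; NOT Veeam's real file format.
// Assumptions: random 16-byte IV per encrypted item; keys are wrapped with AES-256-CBC too.
const crypto = require("node:crypto");

function encryptCbc(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-256-cbc", key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext), c.final()]) };
}

function decryptCbc(key, { iv, ct }) {
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(ct), d.final()]);
}

// One job session: a fresh session key and a fresh metakey, both wrapped by the storage key.
function runJobSession(storageKey, blocks, metadata) {
  const sessionKey = crypto.randomBytes(32); // 256-bit, used for data blocks only
  const metaKey = crypto.randomBytes(32);    // 256-bit, used for metadata only
  return {
    wrappedSessionKey: encryptCbc(storageKey, sessionKey), // cryptogram kept in the file
    wrappedMetaKey: encryptCbc(storageKey, metaKey),       // cryptogram kept in the file
    metadata: encryptCbc(metaKey, Buffer.from(JSON.stringify(metadata))),
    blocks: blocks.map((b) => encryptCbc(sessionKey, b)),
  };
}

// Restore needs only the storage key: unwrap the lower-layer keys, then decrypt.
function restore(storageKey, file) {
  const sessionKey = decryptCbc(storageKey, file.wrappedSessionKey);
  const metaKey = decryptCbc(storageKey, file.wrappedMetaKey);
  return {
    sessionKey, // returned only so the demo can compare keys across sessions
    metaKey,
    metadata: JSON.parse(decryptCbc(metaKey, file.metadata).toString()),
    blocks: file.blocks.map((b) => decryptCbc(sessionKey, b)),
  };
}

// Constructed sample: three job sessions (one full, two incremental) under one storage key.
function demo() {
  const storageKey = crypto.randomBytes(32);
  const files = ["full", "incr-1", "incr-2"].map((kind) =>
    runJobSession(storageKey, [Buffer.from(`${kind} block A`), Buffer.from(`${kind} block B`)], { kind }));
  return files.map((f) => restore(storageKey, f));
}
```

Calling `demo()` returns three restored sessions, each with its own session key and metakey, all recovered from the single storage key.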