When you enable encryption for a job, you must define a password to protect data processed by this job, and define a hint for the password. The password and the hint are saved in the job settings. Based on this password, Veeam Agent for Microsoft Windows generates a user key.
The user key protects data at the job level. In the encryption hierarchy, the user key encrypts storage keys for all restore points in the backup chain.
Veeam Agent for Microsoft Windows saves a hint for the password to its database and to the backup metadata file (VBM). When you decrypt a file, Veeam Agent for Microsoft Windows displays a hint for the password that you must provide. After you enter a password, Veeam Agent for Microsoft Windows derives a user key from the password and uses it to unlock the storage key for the encrypted file.
According to the security best practices, you must change passwords for encrypted jobs regularly. When you change a password for the job, Veeam Agent for Microsoft Windows creates a new user key and uses it to encrypt new restore points in the backup chain. If you lose a password that was specified for encryption, you can change the password in the encryption settings. You can use the new password to restore data from all restore points in the backup chain, including those restore points that were encrypted with an old password.