Managing Encryption Keys

Veeam Backup Enterprise Manager provides you with an alternative way for data encryption. It lets you decrypt the data if you have lost or forgotten the password used for data encryption or if a KMS server used for data encryption is not available. For more information on the concept, terms and procedures of data encryption, see the Data Encryption section of the Veeam Backup & Replication User Guide.

Note

Decryption of KMS server keys is supported starting from Veeam Backup Enterprise Manager version 12.1 (build 12.1.0.2131).

For encryption, Veeam Backup Enterprise Manager uses an Enterprise Manager keyset — a pair of matching keys:

  • Public Enterprise Manager key encrypts storage keys on backup servers connected to Veeam Backup Enterprise Manager.
  • Private Enterprise Manager key decrypts storage keys in case a password for encrypted backup or tape is lost.

To let Veeam Backup & Replication encrypt and decrypt data with Enterprise Manager keys, make sure Enterprise Manager keys are enabled in Veeam Backup Enterprise Manager.

To enable Enterprise Manager keys, do the following:

  1. In Veeam Backup Enterprise Manager, open the Settings section of the Configuration view.
  2. On the Key Management tab, select the Enable encryption password loss protection check box.
  3. To save the changes, click Save.

During Veeam Backup Enterprise Manager installation, the setup automatically generates an Enterprise Manager keyset. You can perform the following operations with Enterprise Manager keysets using Enterprise Manager: