Specifying Retention Settings for Enterprise Manager Keyset
In some cases, government regulations and internal company policies require that you regularly change encryption keys. The shorter is the lifetime of an encryption key, the smaller amount of data is encrypted with this key and the higher is the level of encryption security.
Lifetime of Enterprise Manager keys is controlled by a key retention period. The key retention period defines for how long Enterprise Manager keys must remain in effect and must be used for encryption and decryption.
You can specify a retention period for an Enterprise Manager keyset.
To specify retention policy for Enterprise Manager keys:
- In Veeam Backup Enterprise Manager, open the Settings section of the Configuration view.
- On the Key Management tab, in the Managed keys section, select the necessary options:
- If you want to set a retention period for Enterprise Manager keysets, select the Key retention period check box and specify the number of weeks for which Enterprise Manager keys must remain in effect (default is 4 weeks). After the retention period is over, and with key auto-generation is turned off, a user will receive a notification email and should then manually create and activate a new keyset. After a new keyset is ready, old keyset is marked as inactive.
- If you want Veeam Backup Enterprise Manager to automatically generate a new keyset, select the Auto-generate new keys check box. After the current keyset expires, Veeam Backup Enterprise Manager will automatically generate a new keyset and mark it as active. During the next data synchronization session, Veeam Backup Enterprise Manager will propagate the newly created public Enterprise Manager key to all connected Veeam backup servers. The private Enterprise Manager key will remain on Veeam Backup Enterprise Manager and will be used for data decryption.
- Click Save to save the settings.