Backup Server Keys
Eavesdroppers may potentially use Veeam Backup Enterprise Manager to unlock files encrypted with Veeam Backup & Replication. If eavesdroppers intercept an encrypted file, they may generate a request for file unlocking and send such request to Veeam Backup Enterprise Manager Administrators. Having received a response from Veeam Backup Enterprise Manager, eavesdroppers will be able unlock the encrypted file without a password.
To protect you against the “man-in-the-middle” attack, Veeam Backup & Replication uses backup server keys. Backup server keys are a pair of RSA keys, public and private, that are generated on the backup server.
- The public backup server key is sent to Veeam Backup Enterprise Manager to which the backup server is connected, and saved in the Veeam Backup Enterprise Manager configuration database.
- The private backup server key is kept on the backup server in the Veeam Backup & Replication configuration database.
Backup server keys are used to authenticate the identity of the request sender. When the backup server generates a request to unlock a file, it adds a signature encrypted with the private backup server key to this request.
When Veeam Backup Enterprise Manager processes the request, it uses the public backup server key to decrypt the signature and identify the request sender. If the backup server used for request generation is not added to Veeam Backup Enterprise Manager, Veeam Backup Enterprise Manager will not find a matching public key in its database. As a result, Veeam Backup Enterprise Manager will not be able to identify the sender and the storage key decryption process will fail.