How Data Decryption Works

When you restore data from an encrypted backup file, Veeam Backup & Replication performs data decryption automatically in the background or requires you to provide a password.

  • If encryption keys required to unlock the backup file are available in the Veeam Backup & Replication configuration database, you do not need to enter the password. Veeam Backup & Replication uses keys from the database to unlock the backup file. Data decryption is performed in the background, and data restore does not differ from that from an unencrypted one.

Automatic data decryption is performed if the following conditions are met:

  1. You encrypt and decrypt the backup file on the same backup server using the same Veeam Backup & Replication configuration database.
  2. [For backup file] The backup is not removed from the Veeam Backup & Replication console.
  • If encryption keys are not available in the Veeam Backup & Replication configuration database, you need to provide a password to unlock the encrypted file.

Data decryption is performed at the source side, after data is transported back from the target side. As a result, encryption keys are not passed to the target side, which helps avoid data interception.


The following procedure describes the decryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about decrypting tape data, see Tape Encryption.

The decryption process includes the following steps. Note that steps 1 and 2 are required only if you decrypt the file on the backup server other than the backup server where the file was encrypted.

  1. You import the file to the backup server. Veeam Backup & Replication notifies you that the imported file is encrypted and requires a password.
  2. You specify a password for the imported file. If the password has changed once or several times, you need to specify the password in the following manner:
    • If you select a .vbm file for import, you must specify the latest password that was used to encrypt files in the backup chain.
    • If you select a full backup file for import, you must specify the whole set of passwords that were used to encrypt files in the backup chain.
  1. Veeam Backup & Replication reads the entered password and generates the user key based on this password. With the user key available, Veeam Backup & Replication performs decryption in the following way:
  1. Veeam Backup & Replication applies the user key to decrypt the storage key.
  2. The storage key, in its turn, unlocks underlying session keys and a metakey.
  3. Session keys decrypt data blocks in the encrypted file.

After the encrypted file is unlocked, you can work with it as usual.

If you have lost or forgotten a password for an encrypted file, you can issue a request to Veeam Backup Enterprise Manager and restore data from an encrypted file using Enterprise Manager keys. For more information, see Enterprise Manager Keys and How Decryption Without Password Works.

How Data Decryption Works 

Page updated 5/17/2024

Page content applies to build