Encryption Best Practices

    To make sure that data encryption and decryption work reliably, consider the following recommendations.

    Password

    Mind the following recommendations when you create a password:

    1. Use strong passwords that are hard to crack or guess:
      • The password must be at least 8 characters long.
      • The password must contain uppercase and lowercase characters.
      • The password must be a mixture of alphabetic, numeric and punctuation characters.
      • The password must significantly differ from the password you used previously.
      • The password must not contain any real information related to you, for example, date of birth, your pet’s name, your logon name and so on.
    2. Provide a meaningful hint that will help you recall the password. The hint is displayed when you import an encrypted file or tape to the backup server and attempt to unlock it.
    3. Keep passwords in a safe place. If you lose or forget your password, you will not be able to recover data from backups or tapes encrypted with this password, unless you use Enterprise Manager keys in the encryption process.
    4. Change passwords for encrypted jobs regularly. Using different passwords helps increase the encryption security level.
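
The password rules in item 1 above can be checked mechanically before a password is assigned to an encrypted job. The following Python code is an added example, not part of the product or its documentation; the function name `check_password`, the 0.6 similarity cut-off and the sample values are assumptions.

```python
import string
from difflib import SequenceMatcher

# Assumed cut-off for "significantly differs"; the page gives no number.
MAX_SIMILARITY = 0.6


def check_password(candidate, previous="", personal_info=()):
    """Return a list of violated rules; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs both uppercase and lowercase characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_punct = any(c in string.punctuation for c in candidate)
    if not (has_alpha and has_digit and has_punct):
        problems.append("needs alphabetic, numeric and punctuation characters")
    if previous:
        # Case-insensitive similarity to the previously used password.
        ratio = SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append("too similar to the previous password")
    lowered = candidate.lower()
    for item in personal_info:
        # Ignore very short tokens to avoid matching by accident.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains personal information")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    previous = "Winter2023!"
    personal = ["rex", "1984", "jsmith"]
    for pw in ["Winter2024!", "Rex&tapes99", "k7#Tq9!vLm2x"]:
        print(pw, "->", check_password(pw, previous, personal) or "OK")
```
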

    Data Recovery without Password

    If you use Veeam Universal License (or a legacy socket-based license, Enterprise or higher edition), connect backup servers to Veeam Backup Enterprise Manager. In this case, Veeam Backup & Replication will employ Enterprise Manager keys in the encryption process, which will let you recover data from encrypted backups and tapes even if the password is lost or forgotten.

    Mind the following recommendations for Enterprise Manager keysets:

    1. Create and activate new Enterprise Manager keysets regularly. When you activate a keyset, the public Enterprise Manager key is automatically propagated to backup servers connected to Veeam Backup Enterprise Manager and is used for encrypted jobs on these servers.
    2. Create backup copies of Enterprise Manager keysets and keep them in a safe place. If your installation of Veeam Backup Enterprise Manager goes down for some reason, you will lose private Enterprise Manager keys. As a result, you will not be able to use the Veeam Backup Enterprise Manager functionality to recover data from backups and tapes without a password.

    For more information on data decryption without a password, see Decrypting Data Without Password.

    Encryption for Existing Jobs

    If you enable encryption for an existing job, during the next job session Veeam Backup & Replication will create a full backup file. The created full backup file and subsequent incremental backup files in the backup chain will be encrypted with the specified password.

    Note

    After enabling or disabling encryption for an existing backup copy job, you will need to create an active full backup manually. For more information, see Creating Active Full Backups.

    Encryption is not retroactive. If you enable encryption for an existing job, Veeam Backup & Replication does not encrypt the previous backup chain created with this job. If you want to start a new chain so that the unencrypted previous chain can be separated from the encrypted new chain, follow the scenario described in this Veeam KB article.

    If you change the password for the already encrypted job, during the next job session Veeam Backup & Replication will create a new incremental backup file. The created backup file and subsequent backup files in the backup chain will be encrypted with the new password.

    Note

    To unlock a backup encrypted with several passwords, you must decrypt it in the following manner:

    • If you import a metadata file (VBM), provide the latest password that was used to encrypt files in the backup chain.
    • If you import a full backup file (VBK), provide the whole set of passwords that were used to encrypt files in the backup chain.

    For more information, see Decrypting Data with Password.