Encryption for Capacity Tier

Veeam Backup & Replication allows you to encrypt offloaded data. This helps you protect the data from an unauthorized access.

You can enable data encryption in the following ways:

To get benefits of both encryption levels, you can use job-level and capacity tier encryption within the same object storage. Both encryption levels allow you to keep your data from an unauthorized access, but capacity tier encryption allows you to encrypt backup chain metadata and restore points.

Job-level Encryption

Before data is offloaded to capacity tier, Veeam Backup & Replication checks if encryption is enabled in the job settings. If encryption is enabled, data encrypted by the job is not decrypted or decompressed. It is offloaded to capacity tier as is.

Capacity Tier Encryption

With the Encrypt data uploaded to object storage setting selected, the entire collection of blocks along with the metadata will be encrypted while being offloaded regardless of the jobs’ encryption settings. If you have both job-level and capacity tier encryption enabled, already encrypted backup data will be encrypted again before being uploaded to capacity tier.

If capacity tier encryption has been disabled, backup data encrypted by the job settings will be uploaded unmodified to capacity tier.

Note

Consider the following:

  • If you enable encryption for the capacity extent that already contains backups, it will not automatically encrypt these backups. If a backup job creates an active full or synthetic full backup, it will consist of encrypted and unencrypted data blocks after offload to the capacity tier. This backup will remain in the capacity tier in this state until new encrypted data blocks completely replace the unencrypted blocks.
  • If you enable encryption after you have already offloaded data to capacity tier, Veeam Backup & Replication will not encrypt previously offloaded backup chains.

Page updated 6/27/2024

Page content applies to build 12.2.0.334