Veeam Backup & Replication 9.5 Update 4
User Guide for Microsoft Hyper-V

How Data Encryption Works

Data encryption is performed as part of backup, backup copy or archiving to tape processes. Encryption works at the source side, before data is transported to the target. Encryption keys are not passed to the target side unless you run a backup copy job over WAN accelerators or perform a health check for the encrypted backup files.

Note:

The procedure below describes the encryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about encrypting data on tapes, see Tape Encryption.

The encryption process includes the following steps:

  1. When you create a new job, you enable the encryption option for the job and enter a password to protect data at the job level.
  2. Veeam Backup & Replication generates a user key based on the entered password.
  3. When you start an encrypted job, Veeam Backup & Replication creates a storage key and stores this key to the configuration database.
  4. Veeam Backup & Replication creates a session key and a metakey. The metakey is stored to the configuration database.
  5. Veeam Backup & Replication processes job data in the following way:
     a. The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
     b. The storage key encrypts the session key and the metakey.
     c. The user key encrypts the storage key.
     d. If you use the Enterprise or Enterprise Plus Edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, the Enterprise Manager key also encrypts the storage key.
  6. Encrypted data blocks are passed to the target. The cryptograms of the public Enterprise Manager key (if used), user key, storage key, session key and metakey are stored to the resulting file next to encrypted data blocks.

If you use the Enterprise or Enterprise Plus Edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, Veeam Backup & Replication saves two cryptograms of the storage key to the resulting file: one encrypted with the user key (c) and one encrypted with the Enterprise Manager key (d). Saving the cryptogram twice helps Veeam Backup & Replication decrypt the file even if a password is lost or forgotten. For more information, see How Decryption Without Password Works.
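The key hierarchy described above can be modelled as follows. This is an added example, not Veeam code: it shows why either the password or the Enterprise Manager key can open the same file. Assumptions: the cipher is a stand-in built from HMAC-SHA256, the user key is derived with PBKDF2, the Enterprise Manager key (a public key on this page) is modelled as a symmetric secret, and all function names and the dictionary layout are hypothetical.

```python
import hashlib, hmac, os

# Stand-in authenticated cipher (HMAC-SHA256 keystream + tag). Assumption for
# this example only: the page does not name the product's cipher or KDF.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    ks = b"".join(_sub(key, nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, data)
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified cryptogram")
    return _xor(_sub(key, b"enc"), nonce, ct)

def user_key_from(password, salt):
    # Assumed KDF; the page only says the user key is "based on" the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def encrypt_job(password, blocks, metadata, em_key=None):
    salt = os.urandom(16)
    storage_key, session_key, metakey = (os.urandom(32) for _ in range(3))
    out = {
        "salt": salt,
        "blocks": [seal(session_key, b) for b in blocks],  # session key -> data
        "metadata": seal(metakey, metadata),               # metakey -> metadata
        "session_key": seal(storage_key, session_key),     # storage key wraps both
        "metakey": seal(storage_key, metakey),
        "storage_key_user": seal(user_key_from(password, salt), storage_key),
    }
    if em_key is not None:  # second cryptogram of the same storage key
        out["storage_key_em"] = seal(em_key, storage_key)
    return out

def decrypt_job(f, password=None, em_key=None):
    if password is not None:
        storage_key = unseal(user_key_from(password, f["salt"]), f["storage_key_user"])
    else:
        storage_key = unseal(em_key, f["storage_key_em"])
    session_key = unseal(storage_key, f["session_key"])
    metakey = unseal(storage_key, f["metakey"])
    return [unseal(session_key, b) for b in f["blocks"]], unseal(metakey, f["metadata"])
```

The returned dictionary holds only cryptograms and a salt, so a party that sees the target file but has neither the password nor the Enterprise Manager key cannot reach the storage key.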
