How Data Encryption Works

Data encryption is performed as part of backup, backup copy or archiving to tape processes. Encryption works at the source side, before data is transported to the target. Encryption keys are not passed to the target side, unless you run a backup copy job over WAN accelerators or perform health check for the encrypted backup files.


The following procedure describes the encryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about encrypting data on tapes, see Tape Encryption.

The encryption process includes the following steps:

  1. When you create a new job, you enable the encryption option for the job and enter a password to protect data at the job level.
  2. Veeam Backup & Replication generates a user key based on the entered password.
  3. When you start an encrypted job, Veeam Backup & Replication creates a storage key and stores this key to the configuration database.
  4. Veeam Backup & Replication creates a session key and a metakey. The metakey is stored to the configuration database.
  5. Veeam Backup & Replication processes job data in the following way:
  1. The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
  2. The storage key encrypts the session key and the metakey.
  3. The user key encrypts the storage key.
  4. If you use the Veeam Universal License, (or, for legacy-based license, Enterprise or higher edition), and the backup server is connected to Veeam Backup Enterprise Manager, the Enterprise Manager key also encrypts the storage key.
  1. Encrypted data blocks are passed to the target. The cryptograms of the public Enterprise Manager key (if used), user key, storage key, session key and metakey are stored to the resulting file next to encrypted data blocks.

If you use the Enterprise or Enterprise Plus edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, Veeam Backup & Replication saves two cryptograms of the storage key to the resulting file: one encrypted with the user key (c) and one encrypted with the Enterprise Manager key (d). Saving the cryptogram twice helps Veeam Backup & Replication decrypt the file even if a password is lost or forgotten. For more information, see How Decryption Without Password Works.

How Data Encryption Works 

Page updated 5/17/2024

Page content applies to build