Encryption Standards
Veeam Backup & Replication uses the following industry-standard data encryption algorithms:
For data encryption consider the following:
- To encrypt data blocks in backup files, Veeam Backup & Replication uses AES with a 256-bit key in CBC mode. For more information, see Advanced Encryption Standard (AES). This type of encryption is also supported for backup files stored in the following locations:
  - Backup files archived to tape devices. For more information, see Tape Devices Support.
  - Backup files stored in archive tier. For more information, see Archive Tier.
  - Backup files stored in capacity tier. For more information, see Capacity Tier.
- To generate a key based on a password, Veeam Backup & Replication uses the Password-Based Key Derivation Function, PKCS #5 version 2.0. Veeam Backup & Replication uses 600,000 HMAC-SHA256 iterations and a 512-bit salt. For more information, see Recommendation for Password-Based Key Derivation.
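The key-derivation parameters above, worked through as an added example (not Veeam code): it derives a 256-bit key with PBKDF2-HMAC-SHA256 at 600,000 iterations and a 512-bit salt, then measures what one derivation costs so that a backup-password policy can be sized against it. The function names, the UTF-8 password encoding and the use of Python's hashlib are assumptions made for illustration.

```python
import hashlib
import os
import time

# Parameters stated on this page for password-based key derivation.
ITERATIONS = 600_000   # HMAC-SHA256 iterations
SALT_BYTES = 64        # 512-bit salt
KEY_BYTES = 32         # 256-bit key for AES-256

def new_salt() -> bytes:
    """Return a fresh 512-bit salt from the operating system CSPRNG."""
    return os.urandom(SALT_BYTES)

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; refuses salts shorter than 512 bits."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least 512 bits")
    # Assumption: the password is encoded as UTF-8 before derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)

def seconds_per_guess(samples: int = 2) -> float:
    """Measure the wall-clock cost of one full derivation on this machine."""
    salt = new_salt()
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", salt)  # constructed probe inputs
    return (time.perf_counter() - start) / samples

def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected years to search half of a password space of the given entropy."""
    return (2 ** entropy_bits / 2) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("constructed sample passphrase", salt)
    print(f"derived a {len(key) * 8}-bit key with a {len(salt) * 8}-bit salt")
    rate = 1 / seconds_per_guess()
    print(f"{rate:.1f} derivations per second on one core")
    # Compare a weak, a moderate and a strong passphrase against that rate.
    for bits in (28, 40, 60):
        print(f"{bits}-bit password: {years_to_exhaust(bits, rate):.3g} years")
```

The measured rate is a single-core Python baseline, so treat the resulting figures as an upper bound on the protection a given password entropy provides.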
For Veeam Backup Enterprise Manager consider the following:
- To generate Enterprise Manager keys required for data restore without a password, Veeam Backup & Replication uses the RSA algorithm with a 4096-bit key length.
- To generate a request for data restore from a backup server, Veeam Backup & Replication uses the RSA algorithm with a 2048-bit key length.
For more information, see RSA Cryptography Specifications.
Veeam Backup & Replication uses the following hashing algorithms:
- For digital signature generation: SHA-256
- For SSH fingerprint verification: SHA-256
- For backward compatibility and certificate thumbprint generation: SHA-1
- For HMAC generation: SHA-1
- For random number generation: OpenSSL, cryptographic libraries provided by the operating system
For Linux-based components and services, Veeam Backup & Replication uses Veeam Cryptographic Module.
For Veeam Data Movers installed on Microsoft Windows-based machines, Veeam Backup & Replication also uses Veeam Cryptographic Module. For other Microsoft Windows-based components and services, Veeam Backup & Replication uses Microsoft Crypto API.
Veeam Backup & Replication uses the following cryptographic service providers:
- Microsoft Base Cryptographic Provider. For more information, see Microsoft Docs.
- Microsoft Enhanced RSA and AES Cryptographic Provider. For more information, see Microsoft Docs.
- Microsoft Enhanced Cryptographic Provider. For more information, see Microsoft Docs.
If you need Veeam Cryptographic Module and Microsoft Crypto API to be compliant with the Federal Information Processing Standards (FIPS 140), enable FIPS compliance as described in section FIPS Compliance.
Veeam Backup & Replication encrypts stored credentials, encryption keys, and certificates using Data Protection API (DPAPI) mechanisms. For more information, see Microsoft Docs.