EC2 instance backups that reside in Amazon S3 buckets can be encrypted by Veeam Backup for AWS. Moreover, password for such encrypted backups may change on a daily basis. For example, there is a backup chain in Amazon S3 bucket that consists of 10 restore points, each of which was encrypted with different password. Therefore, there are 10 different passwords in total that have been used.
To be able to decrypt each restore point in such a backup chain without having to provide each previously used password separately, Veeam Backup & Replication implements the ability of backward hierarchical decryption.
Backward hierarchical decryption requires you to provide only the latest password so that all the previously created restore points can be decrypted as well. For example, there are three restore points: A, B, and C. The point A was encrypted with password 1, B with password 2, and C with password 3. Therefore, you will only need to know the password of the C point to decrypt points C, B, and A.
If you plan to perform data recovery operations with encrypted backups, you must provide a password for these backups at the Bucket step of the New External Repository wizard.