Veeam Backup & Replication 10
User Guide for Microsoft Hyper-V

Storage Keys

Backup files in the backup chain often need to be transformed, for example, when you create a reverse incremental backup chain. When Veeam Backup & Replication transforms a full backup file, it writes data blocks from several restore points to the full backup file. As a result, the full backup file contains data blocks that are encrypted in different job sessions with different session keys.

To restore data from such a “composed” backup file, Veeam Backup & Replication would require multiple session keys. For example, if the backup chain contains restore points for 2 months, Veeam Backup & Replication would have to keep session keys for a 2-month period.

In such a situation, storing and handling session keys would be resource-consuming and complicated. To facilitate the encryption process, Veeam Backup & Replication introduces another type of service key — a storage key.

For storage keys, Veeam Backup & Replication uses the AES algorithm. A storage key is directly associated with one restore point in the backup chain. The storage key is used to encrypt the following keys in the encryption hierarchy:

  • All session keys for all data blocks in one restore point
  • Metakey encrypting backup metadata

During the restore process, Veeam Backup & Replication uses one storage key to decrypt all session keys for one restore point, no matter how many session keys were used to encrypt data blocks in this restore point. As a result, Veeam Backup & Replication does not need to keep the session keys history in the configuration database. Instead, it requires only one storage key to restore data from one file.

In the encryption process, storage keys are encrypted with keys of a higher layer — user keys and optionally a public Enterprise Manager key. Cryptograms of storage keys are stored in the resulting file next to the encrypted data blocks and the cryptograms of session keys and metakeys.
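The layering described above can be sketched as follows. This is an added example, not Veeam code: AES-256-GCM as the wrapping mode, the cryptogram layout, and the names `wrap`, `unwrap` and `Restore` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte { // constructed key or nonce material
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func aead(kek []byte) cipher.AEAD { // AES-256-GCM is an assumption; the page only says AES
	blk, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}
func wrap(kek, key []byte) []byte { // cryptogram = nonce || ciphertext || tag (hypothetical layout)
	nonce := randBytes(12)
	return aead(kek).Seal(nonce, nonce, key, nil)
}
func unwrap(kek, c []byte) ([]byte, error) { // fails on a wrong kek or an altered cryptogram
	if len(c) < 12 {
		return nil, fmt.Errorf("cryptogram too short")
	}
	return aead(kek).Open(nil, c[:12], c[12:], nil)
}
func Restore(userKey, wStorage []byte, wSessions [][]byte) ([][]byte, error) {
	storageKey, err := unwrap(userKey, wStorage) // the user key opens the one storage key
	keys := make([][]byte, len(wSessions))
	for i := 0; err == nil && i < len(keys); i++ {
		keys[i], err = unwrap(storageKey, wSessions[i]) // which opens every session key
	}
	if err != nil {
		return nil, err
	}
	return keys, nil
}
func main() {
	user, storage := randBytes(32), randBytes(32) // constructed sample keys
	keys, err := Restore(user, wrap(user, storage), [][]byte{wrap(storage, randBytes(32))})
	fmt.Println(len(keys), err)
}
```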

Storage keys are also kept in the configuration database. To maintain a set of valid storage keys in the database, Veeam Backup & Replication uses the retention policy settings specified for the job. When a restore point is removed from the backup chain by retention, the storage key corresponding to this restore point is also removed from the configuration database.
