Veeam Backup & Replication 9.5
User Guide for Microsoft Hyper-V

Storage Keys

Backup files in the backup chain often need to be transformed, for example, in case you create a reverse incremental backup chain. When Veeam Backup & Replication transforms a full backup file, it writes data blocks from several restore points to the full backup file. As a result, the full backup file contains data blocks that are encrypted in different job sessions with different session keys.

To restore data from such a “composed” backup file, Veeam Backup & Replication would require multiple session keys. For example, if the backup chain contains restore points for 2 months, Veeam Backup & Replication would have to keep session keys for a 2-month period.

In such a situation, storing and handling session keys would be resource-consuming and complicated. To facilitate the encryption process, Veeam Backup & Replication introduces another type of service key — a storage key.

For storage keys, Veeam Backup & Replication uses the AES algorithm. A storage key is directly associated with one restore point in the backup chain. The storage key is used to encrypt the following keys in the encryption hierarchy:

  • All session keys for all data blocks in one restore point
  • Metakey encrypting backup metadata

During the restore process, Veeam Backup & Replication uses one storage key to decrypt all session keys for one restore point, no matter how many session keys were used to encrypt data blocks in this restore point. As a result, Veeam Backup & Replication does not need to keep the session key history in the configuration database. Instead, it requires only one storage key to restore data from one file.

In the encryption process, storage keys are encrypted with keys of a higher layer — user keys and optionally a public Enterprise Manager key. Cryptograms of storage keys are stored in the resulting file next to the encrypted data blocks and the cryptograms of session keys and metakeys.

Storage keys are also kept in the configuration database. To maintain a set of valid storage keys in the database, Veeam Backup & Replication uses the retention policy settings specified for the job. When a restore point is removed from the backup chain by retention, the storage key corresponding to this restore point is also removed from the configuration database.
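
The key hierarchy described in this section, as an added example that is not Veeam code and not part of the original guide: blocks written in several job sessions are encrypted with separate session keys, every session key is encrypted with one storage key, and the storage key is encrypted with the user key, so a restore starts from a single key. AES-256-GCM, the cryptogram layout, all function names and the sample blocks are assumptions constructed for illustration; the metakey and the Enterprise Manager key are left out.

```ruby
require 'openssl'

# AES-256-GCM is an assumption (the page only says AES). The cryptogram layout is
# constructed for this example, not Veeam's file format: nonce || tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

def unseal(key, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ''
  d.update(blob.byteslice(28..-1)) + d.final # CipherError on wrong key or tampering
end

# One restore point whose blocks were written in several job sessions.
def build_restore_point(user_key, blocks_by_session)
  storage_key = OpenSSL::Random.random_bytes(32)
  sessions = blocks_by_session.map do |blocks|
    session_key = OpenSSL::Random.random_bytes(32)
    { key_cryptogram: seal(storage_key, session_key),
      blocks: blocks.map { |b| seal(session_key, b) } }
  end
  # Only cryptograms are written next to the data; plaintext keys are not.
  { storage_key_cryptogram: seal(user_key, storage_key), sessions: sessions }
end

# Restore: the user key opens one storage key, which opens every session key.
def restore(user_key, file)
  storage_key = unseal(user_key, file[:storage_key_cryptogram])
  file[:sessions].flat_map do |s|
    session_key = unseal(storage_key, s[:key_cryptogram])
    s[:blocks].map { |b| unseal(session_key, b) }
  end
end

# Constructed sample: three job sessions contributed blocks to one full backup file.
SAMPLE_BLOCKS = [%w[blk-a blk-b], %w[blk-c], %w[blk-d blk-e]].freeze
USER_KEY = OpenSSL::Random.random_bytes(32) # stands in for the higher-layer user key
puts restore(USER_KEY, build_restore_point(USER_KEY, SAMPLE_BLOCKS)).inspect
```
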
