When you enable encryption for a job, you must define a password to protect data processed by this job, and define a hint for the password. The password and the hint are saved in the job settings. Based on this password, Veeam Backup & Replication generates a user key.
The user key protects data at the job level. In the encryption hierarchy, the user key encrypts storage keys for all restore points in the backup chain.
During the encryption process, Veeam Backup & Replication saves a hint for the password to the encrypted file. When you decrypt a file, Veeam Backup & Replication displays a hint for the password that you must provide. After you enter a password, Veeam Backup & Replication derives a user key from the password and uses it to unlock the storage key for the encrypted file.
According to the security best practices, you must change passwords for encrypted jobs regularly. When you change a password for the job, Veeam Backup & Replication creates a new user key and uses it to encrypt new restore points in the backup chain.
You must always remember passwords set for jobs or save these passwords in a safe place. If you lose or forget the password, you can restore data from a backup file by issuing a request to Veeam Backup Enterprise Manager. For more information, see How Decryption Without Password Works.