Veeam Backup & Replication 9.5 Update 4
User Guide for VMware vSphere
Related documents

How Data Decryption Works

When you restore data from an encrypted backup file, Veeam Backup & Replication performs data decryption automatically in the background or requires you to provide a password.

  • If encryption keys required to unlock the backup file are available in the Veeam Backup & Replication configuration database, you do not need to enter the password. Veeam Backup & Replication uses keys from the database to unlock the backup file. Data decryption is performed in the background, and data restore does not differ from that from an unencrypted one.

Automatic data decryption is performed if the following conditions are met:

  1. You encrypt and decrypt the backup file on the same backup server using the same Veeam Backup & Replication configuration database.
  2. [For backup file] The backup is not removed from the Veeam Backup & Replication console.
  • If encryption keys are not available in the Veeam Backup & Replication configuration database, you need to provide a password to unlock the encrypted file.

Data decryption is performed at the source side, after data is transported back from the target side. As a result, encryption keys are not passed to the target side, which helps avoid data interception.

How Data Decryption Works Note:

The procedure below describes the decryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about decrypting tape data, see Tape Encryption.

The decryption process includes the following steps. Note that steps 1 and 2 are required only if you decrypt the file on the backup server other than the backup server where the file was encrypted.

  1. You import the file to the backup server. Veeam Backup & Replication notifies you that the imported file is encrypted and requires a password.
  2. You specify a password for the imported file. If the password has changed once or several times, you need to specify the password in the following manner:
    • If you select a .vbm file for import, you must specify the latest password that was used to encrypt files in the backup chain.
    • If you select a full backup file for import, you must specify the whole set of passwords that were used to encrypt files in the backup chain.
  1. Veeam Backup & Replication reads the entered password and generates the user key based on this password. With the user key available, Veeam Backup & Replication performs decryption in the following way:
  1. Veeam Backup & Replication applies the user key to decrypt the storage key.
  2. The storage key, in its turn, unlocks underlying session keys and a metakey.
  3. Session keys decrypt data blocks in the encrypted file.

After the encrypted file is unlocked, you can work with it as usual.

If you have lost or forgotten a password for an encrypted file, you can issue a request to Veeam Backup Enterprise Manager and restore data from an encrypted file using Enterprise Manager keys. For more information, see Enterprise Manager Keys and How Decryption Without Password Works.

How Data Decryption Works 

This Document Help Center
User Guide for VMware vSphereUser Guide for Microsoft Hyper-VEnterprise Manager User GuideVeeam Cloud Connect GuideVeeam Agent Management GuideVeeam Explorers User GuideBackup and Restore of SQL Server DatabasesVeeam Plug-ins for Enterprise ApplicationsPowerShell ReferenceVeeam Explorers PowerShell ReferenceRESTful API ReferenceRequired Permissions ReferenceQuick Start Guide for VMware vSphereQuick Start Guide for Microsoft Hyper-VVeeam Backup for AWS DocumentationVeeam Availability for Nutanix AHV DocumentationVeeam Backup for Microsoft Office 365 DocumentationVeeam ONE DocumentationVeeam Agent for Windows DocumentationVeeam Agent for Linux DocumentationVeeam Management Pack Documentation
I want to report a typo

There is a misspelling right here:

 

I want to let the Veeam Documentation Team know about that.