Backup Copy Job Encryption

Encryption for a backup copy job is configured in the advanced job settings. You should enable the encryption option and specify a password to protect data in backup files produced by the backup copy job.

Backup Copy Job Encryption 

The workflow of the encrypted backup copy job depends on the path for data transfer:

Direct Data Path

If you use a direct data path to transfer backups to the target backup repository, the encrypted backup copy job includes the following steps:

  1. You enable encryption for a backup copy job and specify a password.
  2. Veeam Backup & Replication generates the necessary keys to protect backup files produced by the backup copy job.
  3. Veeam Backup & Replication encrypts data blocks on the source side and transfers them to the target backup repository.
  4. On the target backup repository, encrypted data blocks are stored to a resulting backup file.

Backup Copy Job Encryption 

An encrypted backup copy job may use an encrypted backup file as a source. In this situation, Veeam Backup & Replication does not perform double encryption. The backup copy job includes the following steps:

  1. Veeam Backup & Replication decrypts data blocks of the encrypted source backup file. For the decryption process, it uses the storage key and metakeys stored in the configuration database.
  2. Veeam Backup & Replication generates the necessary keys to protect backup files produced by the backup copy job.
  3. Veeam Backup & Replication encrypts data blocks on the source side using these keys and transfers encrypted data blocks to the target backup repository.
  4. On the target backup repository, encrypted data blocks are stored to a resulting backup file.

Note

Even if encryption is disabled in the backup copy job, Veeam Backup & Replication will decrypt data blocks of the encrypted source backup files.

Backup Copy Job Encryption 

The restore process for backups produced by backup copy jobs does not differ from that for backup jobs.

Over WAN Accelerators

WAN accelerators require reading data on the target side to perform such operations as global data deduplication, backup health check and so on. For this reason, if you use WAN accelerators for backup copy jobs, the encryption process is performed on the target side.

The backup copy job processing over WAN accelerators includes the following steps:

  1. You enable encryption for a backup copy job and specify a password.
  2. Veeam Backup & Replication generates necessary keys to protect backup files produced by the backup copy job.
  3. Data blocks are passed to the target backup repository in the unencrypted format.
  4. Received data blocks are encrypted on the target site and stored to a resulting backup file in the target backup repository.

Backup Copy Job Encryption 

The restore process in this case does not differ from that for backup jobs. Veeam Backup & Replication retrieves data blocks from the backup file in the target backup repository, sends them to the source side and decrypts them on the source side.

Backup Copy Job Encryption 

When transporting data between WAN accelerators that face external networks, Veeam Backup & Replication encrypts the network traffic by default. For network traffic encryption, Veeam Backup & Replication uses the 256-bit Advanced Encryption Standard (AES). For more information, see Enabling Network Data Encryption.

Page updated 1/25/2024

Page content applies to build 12.1.1.56