Help Center
Choose product document...
Veeam Backup & Replication 9.5
User Guide for VMware vSphere

Encryption Best Practices

To guarantee the flawless process of data encryption and decryption, consider the following advice.


  1. Use strong passwords that are hard to crack or guess. Consider the following recommendations:
  1. The password must be at least 8 characters long.
  2. The password must contain uppercase and lowercase characters.
  3. The password must be a mixture of alphabetic, numeric and punctuation characters.
  4. The password must significantly differ from the password you used previously.
  5. The password must not contain any real information related to you, for example, date of birth, your pet’s name, your logon name and so on.
  1. Provide a meaningful hint for the password that will help you recall the password. The hint for the password is displayed when you import an encrypted file or tape to the backup server and attempt to unlock it.
  2. Keep passwords in the safe place. If you lose or forget your password, you will not be able to recover data from backups or tapes encrypted with this password, unless you use Enterprise Manager keys in the encryption process.
  3. Change passwords for encrypted jobs regularly. Use of different passwords helps increase the encryption security level.

Data recovery without a password and Enterprise Manager keys

  1. If you use Enterprise or Enterprise Plus Edition of Veeam Backup & Replication, connect backup servers to Veeam Backup Enterprise Manager. In this case, Veeam Backup & Replication will employ Enterprise Manager keys in the encryption process, which will let you to recover data from encrypted backups and tapes even if the password is lost or forgotten. For more information, see Decrypting Data Without Password.
  2. Create and activate new Enterprise Manager keysets regularly. When you activate a keyset, the public Enterprise Manager key is automatically propagated to backup servers connected to Veeam Backup Enterprise Manager and used for encrypted jobs on these servers.
  3. Create backup copies of Enterprise Manager keysets and keep them in a safe place. If your installation of Veeam Backup Enterprise Manager goes down for some reason, you will lose private Enterprise Manager keys. As a result, you will not be able to use the Veeam Backup Enterprise Manager functionality to recover data from backups and tapes without a password. For more information, see Decrypting Data Without Password.

Encryption for Existing Jobs

If you enable encryption for an existing job, during the next job session Veeam Backup & Replication will create a full backup file. The created full backup file and subsequent incremental backup files in the backup chain will be encrypted with the specified password.

Encryption is not retroactive. If you enable encryption for an existing job, Veeam Backup & Replication does not encrypt the previous backup chain created with this job. If you want to start a new chain so that the unencrypted previous chain can be separated from the encrypted new chain, follow this scenario:

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Backup Explorers User Guide

PowerShell Reference

RESTful API Reference

Veeam Backup FREE Edition User Guide

Veeam Backup for Microsoft Office 365

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation