Encryption for Capacity Tier

Veeam Backup & Replication allows you to encrypt offloaded data. This helps you protect the data from an unauthorized access.

You can enable data encryption in the following ways:

To get benefits of both encryption levels, you can use job-level and capacity tier encryption within the same object storage. Both encryption levels allow you to keep your data from an unauthorized access, but capacity tier encryption allows you to encrypt backup chain metadata and restore points.

Job-level Encryption

Before data is offloaded to capacity tier, Veeam Backup & Replication checks if encryption is enabled in the job settings. If encryption is enabled, data encrypted by the job is not decrypted or decompressed. It is offloaded to capacity tier as is.

Capacity Tier Encryption

With the Encrypt data uploaded to object storage setting selected, the entire collection of blocks along with the metadata will be encrypted while being offloaded regardless of the jobs’ encryption settings. If you have both job-level and capacity tier encryption enabled, already encrypted backup data will be encrypted again before being uploaded to capacity tier.

If capacity tier encryption has been disabled, backup data encrypted by the job settings will be uploaded unmodified to capacity tier.


Consider the following:

  • Make sure you enable encryption when you add a capacity tier extent. Otherwise, unencrypted backups, offloaded to capacity tier, may be reused for synthetic backup creation.
  • If you enable encryption after you have already offloaded data to capacity tier, Veeam Backup & Replication will not encrypt previously offloaded backup chains.

Page updated 5/29/2024

Page content applies to build