Veeam Backup & Replication 10
User Guide for VMware vSphere

How Data Encryption Works

Data encryption is performed as part of backup, backup copy or archiving to tape processes. Encryption works at the source side, before data is transported to the target. Encryption keys are not passed to the target side, unless you run a backup copy job over WAN accelerators or perform a health check for the encrypted backup files.

Note:

The procedure below describes the encryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about encrypting data on tapes, see Tape Encryption.

The encryption process includes the following steps:

  1. When you create a new job, you enable the encryption option for the job and enter a password to protect data at the job level.
  2. Veeam Backup & Replication generates a user key based on the entered password.
  3. When you start an encrypted job, Veeam Backup & Replication creates a storage key and stores this key to the configuration database.
  4. Veeam Backup & Replication creates a session key and a metakey. The metakey is stored to the configuration database.
  5. Veeam Backup & Replication processes job data in the following way:
     a. The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
     b. The storage key encrypts the session key and the metakey.
     c. The user key encrypts the storage key.
     d. If you use the Enterprise or Enterprise Plus edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, the Enterprise Manager key also encrypts the storage key.
  6. Encrypted data blocks are passed to the target. The cryptograms of the public Enterprise Manager key (if used), user key, storage key, session key and metakey are stored to the resulting file next to encrypted data blocks.

If you use the Enterprise or Enterprise Plus edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, Veeam Backup & Replication saves two cryptograms of the storage key to the resulting file: one encrypted with the user key (c) and one encrypted with the Enterprise Manager key (d). Saving the cryptogram twice helps Veeam Backup & Replication decrypt the file even if a password is lost or forgotten. For more information, see How Decryption Without Password Works.
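The key hierarchy from the steps above, modelled as an added example (not Veeam's code or file format) to show why either cryptogram of the storage key is enough to open the file. Assumptions: PBKDF2 for the user key, an HMAC-SHA256 stand-in cipher, a symmetric stand-in for the Enterprise Manager key (the page refers to a public key), and all function and field names.

```python
import hashlib, hmac, os

# Stand-in authenticated cipher built from HMAC-SHA256 so the example runs on the
# standard library alone. Assumption: the page names no algorithm; use a vetted AEAD in practice.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified cryptogram")
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def user_key(password, salt):
    # Step 2: user key from the job password (PBKDF2 and its parameters are assumptions).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

def write_backup(password, em_key, metadata, blocks):
    salt = os.urandom(16)
    storage_key, session_key, metakey = (os.urandom(32) for _ in range(3))  # steps 3-4
    return {
        "salt": salt,
        "blocks": [seal(session_key, b) for b in blocks],      # session key -> data blocks
        "metadata": seal(metakey, metadata),                    # metakey -> backup metadata
        "session_key": seal(storage_key, session_key),          # storage key wraps session key
        "metakey": seal(storage_key, metakey),                  # storage key wraps metakey
        "storage_key_user": seal(user_key(password, salt), storage_key),  # cryptogram (c)
        "storage_key_em": seal(em_key, storage_key),            # cryptogram (d), symmetric stand-in
    }

def read_backup(f, password=None, em_key=None):
    # Either cryptogram of the storage key unlocks the rest of the hierarchy.
    if password is not None:
        storage_key = unseal(user_key(password, f["salt"]), f["storage_key_user"])
    else:
        storage_key = unseal(em_key, f["storage_key_em"])
    session_key = unseal(storage_key, f["session_key"])
    metakey = unseal(storage_key, f["metakey"])
    return unseal(metakey, f["metadata"]), [unseal(session_key, b) for b in f["blocks"]]
```

The second cryptogram means the job password is not the only secret protecting the backup: whoever holds the Enterprise Manager key can also recover the storage key, so that key needs the same protection and access review as the passwords themselves.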
