Veeam Backup & Replication 9.5
User Guide for VMware vSphere

How Data Encryption Works

Data encryption is performed as part of backup, backup copy or archiving to tape processes. Encryption works at the source side, before data is transported to the target. As a result, encryption keys are not passed to the target side, which helps avoid data interception.

Note:

The procedure below describes the encryption process for backup, backup copy jobs and VeeamZIP tasks. For more information about encrypting data on tapes, see Tape Encryption.

The encryption process includes the following steps:

  1. When you create a new job, you enable the encryption option for the job and enter a password to protect data at the job level.
  2. Veeam Backup & Replication generates a user key based on the entered password.
  3. When you start an encrypted job, Veeam Backup & Replication creates a storage key and stores this key to the configuration database.
  4. Veeam Backup & Replication creates a session key and a metakey. The metakey is stored to the configuration database.
  5. Veeam Backup & Replication processes job data in the following way:
     a. The session key encrypts data blocks in the backup file. The metakey encrypts backup metadata.
     b. The storage key encrypts the session key and the metakey.
     c. The user key encrypts the storage key.
     d. If you use Enterprise or Enterprise Plus Edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, the Enterprise Manager key also encrypts the storage key.
  6. Encrypted data blocks are passed to the target. The cryptograms of the public Enterprise Manager key (if used), user key, storage key, session key and metakey are stored to the resulting file next to encrypted data blocks.

If you use Enterprise or Enterprise Plus Edition of Veeam Backup & Replication and the backup server is connected to Veeam Backup Enterprise Manager, Veeam Backup & Replication saves two cryptograms of the storage key to the resulting file: one encrypted with the user key (c) and one encrypted with the Enterprise Manager key (d). Saving the cryptogram twice helps Veeam Backup & Replication decrypt the file even if a password is lost or forgotten. For more information, see How Decryption Without Password Works.
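The key hierarchy and the two storage-key cryptograms described above, as an added sketch that is not Veeam's code. Assumptions: the page names no algorithms, so PBKDF2 and the HMAC-SHA256 stand-in cipher are illustrative choices; the Enterprise Manager key, which the page describes as a public key, is modelled as a second symmetric key; all function and field names are hypothetical.

```python
import hashlib, hmac, os

def user_key_from_password(password: str, salt: bytes) -> bytes:
    # User key derived from the job password (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode as a keystream (assumption).
    stream = b"".join(_h(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; the returned "cryptogram" is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_h(key, b"enc"), nonce, plaintext)
    return body + _h(_h(key, b"mac"), body)

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(_h(key, b"mac"), body)):
        raise ValueError("wrong key or modified cryptogram")
    return _xor_stream(_h(key, b"enc"), body[:16], body[16:])

def encrypt_backup(password, blocks, metadata, em_key=None) -> dict:
    salt = os.urandom(16)
    user_key = user_key_from_password(password, salt)
    storage_key, session_key, metakey = (os.urandom(32) for _ in range(3))
    out = {"salt": salt,
           "blocks": [seal(session_key, b) for b in blocks],  # session key -> data blocks
           "metadata": seal(metakey, metadata),               # metakey -> metadata
           "session_key": seal(storage_key, session_key),     # storage key -> session key
           "metakey": seal(storage_key, metakey),             # storage key -> metakey
           "storage_key_user": seal(user_key, storage_key)}   # user key -> storage key
    if em_key is not None:
        out["storage_key_em"] = seal(em_key, storage_key)     # second cryptogram
    return out

def decrypt_backup(f: dict, password=None, em_key=None):
    # Either cryptogram of the storage key opens the rest of the chain.
    if password is not None:
        storage_key = unseal(user_key_from_password(password, f["salt"]), f["storage_key_user"])
    else:
        storage_key = unseal(em_key, f["storage_key_em"])
    session_key, metakey = (unseal(storage_key, f[k]) for k in ("session_key", "metakey"))
    return [unseal(session_key, b) for b in f["blocks"]], unseal(metakey, f["metadata"])
```

The dictionary returned by `encrypt_backup` plays the role of the resulting file: it holds only cryptograms, so the target side never receives a usable key.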
