This is an archive version of the document. To get the most up-to-date information, see the current version.

Encryption Standards

Veeam Backup & Replication uses the following industry-standard data encryption algorithms:

Data Encryption

  • To encrypt data blocks in backup files, Veeam Backup & Replication uses AES with a 256-bit key length in CBC mode. For more information, see Advanced Encryption Standard (AES). This type of encryption is also supported for backup files stored in the following locations:
      • Backup files archived to tape devices. For more information, see Tape Devices Support.
      • Backup files stored in archive tier. For more information, see Archive Tier.
      • Backup files stored in capacity tier. For more information, see Capacity Tier.
  • To generate a key based on a password, Veeam Backup & Replication uses the Password-Based Key Derivation Function, PKCS #5 version 2.0. Veeam Backup & Replication uses 10,000 HMAC-SHA1 iterations and a 512-bit salt. For more information, see Recommendation for Password-Based Key Derivation.
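
The key derivation described in the last item, as an added example (not Veeam code): PBKDF2 with HMAC-SHA1 written out block by block, next to the equivalent call to Python's hashlib.pbkdf2_hmac. The 256-bit output length, the UTF-8 password encoding and all function names are assumptions; the page states only the iteration count and the salt size.

```python
import hashlib
import hmac
import os
import struct

# Parameters stated on the page.
ITERATIONS = 10_000      # HMAC-SHA1 iterations
SALT_BYTES = 64          # 512-bit salt
# Assumption: a 256-bit output, matching the AES key length named above.
KEY_BYTES = 32


def pbkdf2_hmac_sha1(password, salt, iterations, dklen):
    """PBKDF2 (PKCS #5 v2.0) with HMAC-SHA1, computed one output block at a time."""
    hlen = hashlib.sha1().digest_size           # 20 bytes per output block
    blocks = -(-dklen // hlen)                  # ceil(dklen / hlen)
    prf = hmac.new(password, digestmod=hashlib.sha1)  # keyed once, copied per call
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(password, salt || INT_32_BE(i))
        h = prf.copy()
        h.update(salt + struct.pack(">I", i))
        u = h.digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = PRF(password, U_{j-1}); block T_i is the XOR of all U_j
            h = prf.copy()
            h.update(u)
            u = h.digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def derive_key(password, salt=None):
    """Return (salt, key); a fresh random 512-bit salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 512 bits")
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES)
    return salt, key


def hmac_calls_per_derivation(dklen=KEY_BYTES, iterations=ITERATIONS):
    """PRF invocations for one key: `iterations` per 20-byte SHA-1 block."""
    return -(-dklen // hashlib.sha1().digest_size) * iterations
```

Because HMAC-SHA1 yields 160 bits per block, a 256-bit key under this assumption spans two blocks, so one derivation costs 20,000 HMAC-SHA1 calls.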

Enterprise Manager Keys

  • To generate Enterprise Manager keys required for data restore without a password, Veeam Backup & Replication uses the RSA algorithm with a 4096-bit key length.
  • To generate a request for data restore from a backup server, Veeam Backup & Replication uses the RSA algorithm with a 2048-bit key length.

For more information, see RSA Cryptography Specifications.

Hashing Algorithms

Veeam Backup & Replication uses the following hashing algorithms:

  • For digital signature generation: SHA-256
  • For backward compatibility and certificate thumbprint generation: SHA-1
  • For HMAC generation: SHA-1
  • For random number generation: OpenSSL, cryptographic libraries provided by the operating system

Encryption Libraries

For Linux-based components and services, Veeam Backup & Replication uses Veeam Cryptographic Module.

For Veeam Data Movers installed on Microsoft Windows-based machines, Veeam Backup & Replication also uses Veeam Cryptographic Module. For other Microsoft Windows-based components and services, Veeam Backup & Replication uses Microsoft Crypto API.

Veeam Backup & Replication uses the following cryptographic service providers:

  • Microsoft Base Cryptographic Provider. For more information, see Microsoft Docs.
  • Microsoft Enhanced RSA and AES Cryptographic Provider. For more information, see Microsoft Docs.
  • Microsoft Enhanced Cryptographic Provider. For more information, see Microsoft Docs.

If you need Veeam Cryptographic Module and Microsoft Crypto API to be compliant with the Federal Information Processing Standards (FIPS 140), enable FIPS compliance as described in FIPS Compliance.

Veeam Backup & Replication encrypts stored credentials using the Data Protection API (DPAPI) mechanisms. For more information, see Microsoft Docs.