Encryption Standards

    Veeam Backup & Replication uses the following industry-standard data encryption algorithms:

    Data Encryption

    • To encrypt data blocks in backup files and files archived to tape, Veeam Backup & Replication uses AES with a 256-bit key length in CBC mode. For more information, see Advanced Encryption Standard (AES).
    • To generate a key based on a password, Veeam Backup & Replication uses the Password-Based Key Derivation Function, PKCS #5 version 2.0. Veeam Backup & Replication uses 10,000 HMAC-SHA1 iterations and a 512-bit salt. For more information, see Recommendation for Password-Based Key Derivation.
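
The password-based derivation described above, written out in Python with the page's parameters (HMAC-SHA1, 10,000 iterations, 512-bit salt) and cross-checked against the standard library; this is an added example, not Veeam's code. The 32-byte output length and the sample passphrase are assumptions, since the page does not state the derived key's length or how it is used.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 10_000   # from the page
SALT_BYTES = 64       # 512-bit salt, from the page
KEY_BYTES = 32        # assumption: 256-bit output, matching the AES key length
HLEN = hashlib.sha1().digest_size  # 20 bytes per PBKDF2 block with HMAC-SHA1


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """F(P, S, c, i) from PKCS #5 v2.0: XOR of c chained HMAC-SHA1 outputs."""
    u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(HLEN, "big")


def block_count(length: int) -> int:
    """Number of 20-byte blocks needed for `length` bytes of key material."""
    return -(-length // HLEN)


def derive_key(password: bytes, salt: bytes,
               iterations: int = ITERATIONS, length: int = KEY_BYTES) -> bytes:
    """Concatenate blocks T_1..T_n and truncate to the requested length."""
    blocks = (pbkdf2_block(password, salt, iterations, i)
              for i in range(1, block_count(length) + 1))
    return b"".join(blocks)[:length]


def hmac_calls(length: int = KEY_BYTES, iterations: int = ITERATIONS) -> int:
    """HMAC-SHA1 invocations spent on one derivation."""
    return block_count(length) * iterations


if __name__ == "__main__":
    password = b"constructed example passphrase"   # constructed sample input
    salt = os.urandom(SALT_BYTES)                   # fresh random salt per key
    key = derive_key(password, salt)
    # Cross-check the manual construction against the standard library.
    assert key == hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, KEY_BYTES)
    print(f"{len(key) * 8}-bit key, {hmac_calls()} HMAC-SHA1 calls")
```

HMAC-SHA1 yields 20 bytes per block, so a 32-byte output takes two blocks and the iteration count applies to each of them.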

    Enterprise Manager Keys

    • To generate Enterprise Manager keys required for data restore without a password, Veeam Backup & Replication uses the RSA algorithm with a 4096-bit key length.
    • To generate a request for data restore from a backup server, Veeam Backup & Replication uses the RSA algorithm with a 2048-bit key length.

    For more information, see RSA Cryptography Specifications.

    Hashing Algorithms

    Veeam Backup & Replication uses the following hashing algorithms:

    • For digital signature generation: SHA-256
    • For backward compatibility and certificate thumbprint generation: SHA-1
    • For HMAC generation: SHA-1
    • For random number generation: OpenSSL, cryptographic libraries provided by the operating system

    Encryption Libraries

    For Linux-based components and services, Veeam Backup & Replication uses Veeam Cryptographic Module.

    For Veeam Data Movers installed on Microsoft Windows-based machines, Veeam Backup & Replication also uses Veeam Cryptographic Module. For other Microsoft Windows-based components and services, Veeam Backup & Replication uses Microsoft Crypto API.

    Veeam Backup & Replication uses the following cryptographic service providers:

    • Microsoft Base Cryptographic Provider. For more information, see Microsoft Docs.
    • Microsoft Enhanced RSA and AES Cryptographic Provider. For more information, see Microsoft Docs.
    • Microsoft Enhanced Cryptographic Provider. For more information, see Microsoft Docs.

    If you need Veeam Cryptographic Module and Microsoft Crypto API to be compliant with the Federal Information Processing Standards (FIPS 140), enable FIPS compliance as described in FIPS Compliance.

    Veeam Backup & Replication encrypts stored credentials using the Data Protection API (DPAPI) mechanisms. For more information, see Microsoft Docs.