Encryption Standards
Veeam Backup & Replication uses the following industry-standard data encryption algorithms:
Data Encryption
- To encrypt data blocks in backup files and files archived to tape, Veeam Backup & Replication uses the 256-bit AES with a 256-bit key length in the CBC-mode. For more information, see http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.
- To generate a key based on a password, Veeam Backup & Replication uses the Password-Based Key Derivation Function, PKCS #5 version 2.0. Veeam Backup & Replication uses 10,000 HMAC-SHA1 iterations and a 512-bit salt. For more information, see http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf.
Enterprise Manager Keys
- To generate Enterprise Manager keys required for data restore without a password, Veeam Backup & Replication uses the RSA algorithm with a 4096-bit key length.
- To generate a request for data restore from a backup server, Veeam Backup & Replication uses the RSA algorithm with a 2048-bit key length.
For more information, see http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm.
Encryption Libraries
For Microsoft Windows-based repositories and software-based encryption for tapes, Veeam Backup & Replication uses the Windows Crypto API complying with the Federal Information Processing Standards (FIPS 140). For more information, see http://csrc.nist.gov/groups/STM/cmvp/standards.html.
Veeam Backup & Replication uses the following cryptographic service providers:
- Microsoft Base Cryptographic Provider: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386980(v=vs.85).aspx
- Microsoft Enhanced RSA and AES Cryptographic Provider: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386979(v=vs.85).aspx
- Microsoft Enhanced Cryptographic Provider: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386986(v=vs.85).aspx
For Linux-based repositories, Veeam Backup & Replication uses a statically linked OpenSSL encryption library, without the FIPS 140 support. For more information, see http://www.openssl.org/.