In some cases, a password required for data decryption may be lost or forgotten, or a user who knows the password may leave your organization. As a result, you cannot recover data from backups or tapes encrypted with this password, and encrypted data becomes unusable.
Veeam Backup & Replication offers you a way to restore encrypted data even if you do not have a password. For this purpose, Veeam Backup & Replication employs an additional pair of keys in the encryption process — Enterprise Manager keys.
Enterprise Manager keys is a pair of matching RSA keys: a public key and a private key. The public Enterprise Manager key is used to encrypt data, while the private Enterprise Manager key is used to decrypt data encrypted with the public key.
In the encryption process, Enterprise Manager keys perform a role similar to the user key: the public Enterprise Manager key encrypts storage keys and the private Enterprise Manager key decrypts them. Technically, Enterprise Manager keys offer an alternative to the user key. When you create an encrypted backup file or archive encrypted data to tape, Veeam Backup & Replication encrypts storage keys with two types of keys simultaneously:
- User key
- Public Enterprise Manager key
When you decrypt a file and the password is lost, Veeam Backup & Replication cannot derive the user key from the password. In this situation, you can send a request to Veeam Backup Enterprise Manager. Veeam Backup Enterprise Manager will employ the private Enterprise Manager key instead of the user key to unlock storage keys and decrypt the file content. For more information, see How Decryption Without Password Works.
Enterprise Manager keys take part in the encryption process if the following two conditions are met:
- You have Enterprise or Enterprise Plus Edition of Veeam Backup & Replication.
- You have Veeam Backup Enterprise Manager installed and your backup servers are connected to Veeam Backup Enterprise Manager.
Enterprise Manager keys make up a pair of matching keys – a keyset. Enterprise Manager keysets are created and managed on the Veeam Backup Enterprise Manager server. During installation of Veeam Backup Enterprise Manager, the setup automatically generates a new keyset containing a public Enterprise Manager key and a private Enterprise Manager key. You can use Veeam Backup Enterprise Manager to create new Enterprise Manager keysets, activate them, import and export keysets and specify retention for their lifetime.
The public Enterprise Manager key is made publicly available to backup servers. When you connect backup servers to Veeam Backup Enterprise Manager, the public Enterprise Manager key is automatically propagated to these backup servers.
Veeam Backup Enterprise Manager acts as a manager for public Enterprise Manager keys but does not store these keys. After the public Enterprise Manager key is propagated to the backup server, it is kept in the configuration database.
Private Enterprise Manager keys, on the contrary, are not distributed anywhere: they are kept only on Veeam Backup Enterprise Manager.