Key Management System Keys

Starting from Veeam Backup & Replication 12.1 (build 12.1.0.2131), you can encrypt backup files with Key Management System (KMS) keys based on an asymmetric key encryption algorithm. These keys are managed and rotated by an external KMS server. This mechanism provides a more secure environment in comparison with password-based keys which use a symmetric key encryption algorithm and are managed manually by the administrator.

You can use KMS keys to encrypt backup files on the following encryption levels:

  • Job-level encryption:
    • Backup and backup copy jobs
    • Veeam Agent backup jobs managed by Veeam Backup & Replication
    • File backup jobs and object storage backup jobs
    • Transaction log backup and backup copy jobs
    • VeeamZIP jobs

For more information about job-level encryption, see Storage Settings.

Note

If you use Veeam Cloud Connect repositories as a target backup storage, you can also use KMS keys for the following jobs:

  • Backup and backup copy jobs
  • Veeam Agent backup jobs managed by Veeam Backup & Replication
  • Transaction log backup copy jobs
  • Storage-level encryption:
    • Backup repositories that store backup files created by:
  • Veeam Backup for Nutanix AHV
  • Veeam Backup for RHV
  • Veeam Backup for Kasten K10

For more information about storage-level encryption for Veeam Backup & Replication additional solutions, see Managing Permissions of Backup Repositories.

    • Capacity tier repositories. For more information about storage-level encryption for capacity tier repositories, see Encryption for Capacity Tier.
    • Media pools and GFS media pools. For more information about storage-level encryption for tape devices, see Tape Encryption.
    • External repositories (decryption only).

Important

The following jobs and repositories do not support data encryption with KMS keys:

  • Configuration backup jobs
  • Veeam Agent backup jobs managed by Veeam Agents
  • Backup repositories that store backup files created by Veeam Agents operating in the standalone mode

In This Section

Page updated 1/26/2024

Page content applies to build 12.1.1.56