The session key is the lowest layer in the encryption key hierarchy. When Veeam Backup & Replication encrypts data, it first encodes every data block in a file with a session key. For session keys, Veeam Backup & Replication uses the AES algorithm with a 256-bit key length in the CBC-mode.
Veeam Backup & Replication generates a new session key for every job session. For example, if you have created an encrypted backup job and run 3 job sessions, Veeam Backup & Replication will produce 3 backup files that will be encrypted with 3 different session keys:
- Full backup file encrypted with session key 1
- Incremental backup file encrypted with session key 2
- Incremental backup file encrypted with session key 3
The session key is used to encrypt only data blocks in backup files or files archived to tape. To encrypt backup metadata, Veeam Backup & Replication applies a separate key — metakey. Use of a metakey for metadata raises the security level of encrypted backups.
For every job session, Veeam Backup & Replication generates a new metakey. For example, if you have run 3 job sessions, Veeam Backup & Replication will encrypt metadata with 3 metakeys.
In the encryption process, session keys and metakeys are encrypted with keys of a higher layer — storage keys. Cryptograms of session keys and metakeys are stored to the resulting file next to encrypted data blocks. Metakeys are additionally kept in the configuration database.