Session Keys and Metakeys

The session key is the lowest layer in the encryption key hierarchy. When Veeam Backup & Replication encrypts data, it first encodes every data block in a file with a session key. For session keys, Veeam Backup & Replication uses the AES algorithm with a 256-bit key length in the CBC-mode.

Veeam Backup & Replication generates a new session key for every job session. For example, if you have created an encrypted backup job and run 3 job sessions, Veeam Backup & Replication will produce 3 backup files that will be encrypted with 3 different session keys:

  • Full backup file encrypted with session key 1
  • Incremental backup file encrypted with session key 2
  • Incremental backup file encrypted with session key 3

Session Keys and Metakeys 

The session key is used to encrypt only data blocks in backup files or files archived to tape. To encrypt backup metadata, Veeam Backup & Replication applies a separate key — metakey. Use of a metakey for metadata raises the security level of encrypted backups.

For every job session, Veeam Backup & Replication generates a new metakey. For example, if you have run 3 job sessions, Veeam Backup & Replication will encrypt metadata with 3 metakeys.

Session Keys and Metakeys 

In the encryption process, session keys and metakeys are encrypted with keys of a higher layer — storage keys. Cryptograms of session keys and metakeys are stored to the resulting file next to encrypted data blocks. Metakeys are additionally kept in the configuration database.

Page updated 1/25/2024

Page content applies to build 12.2.0.334