Backup files in the backup chain often need to be transformed, for example, in case you create a reverse incremental backup chain. When Veeam Backup & Replication transforms a full backup file, it writes data blocks from several restore points to the full backup file. As a result, the full backup file contains data blocks that are encrypted in different job sessions with different session keys.
To restore data from such “composed” backup file, Veeam Backup & Replication requires a bunch of session keys. For example, if the backup chain contains restore points for 2 months, Veeam Backup & Replication will have to keep session keys for a 2-month period.
In such situation, storing and handling session keys will be resource consuming and complicated. To facilitate the encryption process, Veeam Backup & Replication introduces another type of service key — a storage key.
For storage keys, Veeam Backup & Replication uses the AES algorithm. A storage key is directly associated with one restore point in the backup chain. The storage key is used to encrypt the following keys in the encryption hierarchy:
- All session keys for all data blocks in one restore point
- Metakey encrypting backup metadata
During the restore process, Veeam Backup & Replication uses one storage key to decrypt all session keys for one restore point, no matter how many session keys were used to encrypt data blocks in this restore point. As a result, Veeam Backup & Replication does not need to keep the session keys history in the configuration database. Instead, it requires only one storage key to restore data from one file.
In the encryption process, storage keys are encrypted with keys of a higher layer — user keys and optionally a public Enterprise Manager key. Cryptograms of storage keys are stored to the resulting file next to encrypted data blocks, and cryptograms of session keys and metakeys.
Storage keys are also kept in the configuration database. To maintain a set of valid storage keys in the database, Veeam Backup & Replication uses retention policy settings specified for the job. When some restore point is removed from the backup chain by retention, this restore point's storage key is also removed from the configuration database.