Step 5. Configure Encryption Settings

At the Encryption step of the wizard, you can configure the following encryption settings:

1. In the Encryption settings section, choose whether you want to encrypt specific object fields, file types or both. If you do not select any object fields or file types, this data will not be encrypted.

For an object field to be displayed in the list of available fields, both the object and the field must be added to the backup scope specified for the backup policy at step 3. For a file type to be displayed in the list of available file types, it must be included in the list of backup files and attachments added to the backup policy at step 4.

2. In the Encryption key section, choose whether you want to encrypt backed-up data using an AWS master key or a built-in master key generated by Veeam Backup for Salesforce. If you want to use an AWS master key, you must also select the region to which the key belongs.

For an AWS master key to be displayed in the list of available keys, it must be added to the selected region in an AWS account as described in AWS Documentation, and this account must be connected to Veeam Backup for Salesforce as described in section Configuring Encryption Settings. If you have not connected the AWS account beforehand, you can do it without closing the Add Backup Policy window. To do that, click Add AWS KMS Connection and follow the instructions provided in section Adding Connections.

When you complete the Add Backup Policy wizard for the first time, Veeam Backup for Salesforce does not run an encryption job, but uses data and file jobs to encrypt fields and files. Encryption jobs run only for those backup policies that have already been used to protect fields and files (meaning these items already have backups) and previously had the encryption functionality disabled. For more information on backup job types, see Viewing Backup Policy Sessions.