Data Encryption

For enhanced data security, Veeam Backup for Salesforce allows you to encrypt backed-up data (fields and files) stored in PostgreSQL databases and file repositories using an organization-specific data key that is enciphered with one of the following master keys:

• An original (built-in) Veeam Backup for Salesforce master encryption key that is automatically generated by Veeam Backup for Salesforce upon installation.

Note that in case you plan to migrate the product to another workstation, you must save the built-in data encryption key to your local machine in advance. Otherwise, you will not be able to decrypt and restore backed-up data. To learn how to save the key, see Managing Encryption Keys.

• A native Amazon Web Services Key Management Service (AWS KMS) customer-managed master encryption key.

If a customer-managed master encryption key is used to encrypt data, you must not remove this key from the related AWS account. Otherwise, you will not be able to decrypt and restore backed-up data.

How Encryption Works

Veeam Backup for Salesforce performs data encryption in one of the following ways:

• When you create a backup policy and enable data encryption, the product runs data and file jobs to encrypt data and files on the fly.
• When you edit a backup policy and enable encryption for already protected fields and files, the product runs an encryption job — either immediately or an hour later, depending on the settings that you specify. Keep in mind that for larger Salesforce organizations, encryption operations may take significant time to complete.

When the encryption process completes, Veeam Backup for Salesforce further runs data and file jobs instead of encryption jobs to encrypt the protected fields and files on the fly. For more information on types of backup jobs, see Backup Job Types.