Step 6. Enable Data Encryption
At the Encryption step of the wizard, choose whether you want to encrypt backups stored in the created repository.
After you create a repository with encryption enabled, you can no longer disable encryption for this repository. However, you will be able to change the encryption settings as described in section Editing Backup Repository Settings.
If you select the Enable backupfile encryption check box, also choose whether you want to use a password or an AWS Key Management Service (KMS) key to encrypt the backed-up data:
- To encrypt data using an AWS KMS key, select the Perform AWS encryption with the following KMS key option and choose the necessary KMS key from the drop-down list.
For a KMS key to be displayed in the list of available encryption keys, it must be created in the AWS Region where the selected Amazon S3 bucket is located, and the IAM role specified to access the bucket must have permissions to access the key. For more information on permissions required for the IAM role, see Repository IAM Role Permissions.
For Veeam Backup & Replication to be able to decrypt data stored in the repository, the IAM user specified at step 3 of the wizard must have permissions to access KMS keys. For more information on the required permissions, see Plug-in Permissions.
- To encrypt data using a password, select the Perform Veeam encryption with the following password option and choose the necessary password from the drop-down list.
For a password to be displayed in the list of available passwords, it must be added to Veeam Backup & Replication as described in the Veeam Backup & Replication User Guide, section Creating Passwords. If you have not added the password beforehand, you can do it without closing the wizard. To add the password, click either the Manage passwords link or the Add button, and specify a hint and the password in the Password window.
If you select the Perform AWS encryption with the following KMS key option, consider the following: