Step 6. Enable Data Encryption
At the Encryption step of the wizard, choose whether you want to encrypt backups stored in the created repository.
After you create a repository with encryption enabled, you can no longer disable encryption for this repository. However, you will be able to change encryption settings as described in section Editing Repositories.
If you select the Enable backup file encryption check box, also choose whether you want to use a password or an AWS Key Management Service (KMS) key to encrypt the backed-up data:
- To encrypt data using an AWS KMS key, select the Perform AWS encryption with the following KMS key option and choose the necessary KMS key from the drop-down list.
For a KMS key to be displayed in the list of available encryption keys, it must be created in the AWS Region where the selected Amazon S3 bucket is located, and the IAM role specified to access the bucket must have permissions for the key. For more information on permissions required for the IAM role, see the Veeam Backup for AWS User Guide, section Repository IAM Role Permissions.
- To encrypt data using a password, select the Perform Veeam encryption with the following password option and choose the necessary password from the drop-down list.
For a password to be displayed in the list of available passwords, it must be added to Veeam Backup & Replication as described in the Veeam Backup & Replication User Guide, section Creating Passwords. If you have not added the password beforehand, you can do it without closing the wizard. To add the password, click either the Manage passwords link or the Add button, and specify a hint and the password in the Password window.
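The two conditions for a KMS key to appear in the list (the key is in the same AWS Region as the bucket, and the IAM role has permissions for the key) can be checked against a key ARN and the role's policy document before opening the wizard. The following Python check is an added example, not part of the Veeam documentation or product; the action set, key ARN and policy in it are constructed assumptions, and the real action list is the one in section Repository IAM Role Permissions.

```python
import fnmatch

# Assumption: illustrative action set only. Take the real list from the
# "Repository IAM Role Permissions" section of the User Guide.
ASSUMED_ACTIONS = ("kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

# Constructed sample data (not from the page).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Describe*", "kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
]}

def arn_region(arn):
    """Region field of a KMS ARN: arn:partition:kms:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    return parts[3]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def missing_actions(policy, key_arn, actions=ASSUMED_ACTIONS):
    """Actions with no matching Allow, or with a matching Deny (Deny wins).
    Simplified: ignores Condition, NotAction, the key policy and SCPs."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    missing = []
    for action in actions:
        effects = {s.get("Effect") for s in stmts if _matches(s, action, key_arn)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

def key_precheck(bucket_region, key_arn, policy):
    """Return the reasons the key would fail the two conditions; [] means pass."""
    reasons = []
    if arn_region(key_arn) != bucket_region:
        reasons.append(f"key Region {arn_region(key_arn)} != bucket Region {bucket_region}")
    gaps = missing_actions(policy, key_arn)
    if gaps:
        reasons.append("role policy does not allow: " + ", ".join(gaps))
    return reasons

if __name__ == "__main__":
    print(key_precheck("eu-west-1", KEY_ARN, ROLE_POLICY))
```

An empty result means only that the identity policy passes this simplified check; the KMS key policy must also permit the role.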
If you select the Perform AWS encryption with the following KMS key option, consider the following: