Decrypting Backups

Veeam Backup & Replication automatically decrypts backup files stored in repositories either using passwords that you specify when adding these repositories to the backup infrastructure or using KMS keys automatically detected by Veeam Backup & Replication. If you do not specify decryption passwords or if Veeam Backup & Replication does not have permissions to access KMS keys, the backup files remain encrypted.

  • To decrypt backup files encrypted using a KMS key, make sure that the IAM user specified when creating a new repository or adding an existing repository is assigned permissions required to access KMS keys. For more information on the required permissions, see Permissions.
  • To decrypt backup files encrypted using a password, do the following:
  1. In the Veeam Backup & Replication console, open the Home view.
  2. Navigate to Backups > External Repository (Encrypted).
  3. Expand the backup policy that protects an AWS resource whose image-level backup you want to decrypt, select the backup chain that belongs to the resource and click Specify Password on the ribbon.

Alternatively, you can right-click the necessary backup chain and select Specify password.


To decrypt all backups created by a backup policy, right-click the policy and select Specify Password.

  1. In the Specify Password window, enter the password that was used to encrypt the data stored in the target repository.

Backup decryption