Data Encryption

By default, Azure Storage uses service-side encryption (SSE) to automatically encrypt data. For more information on Azure Storage encryption, see Microsoft Docs.

For enhanced data security, Veeam Backup for Microsoft Azure allows you to encrypt backed-up data in backup repositories using Veeam encryption mechanisms. Veeam Backup for Microsoft Azure encrypts backup files stored in backup repositories the same way as Veeam Backup & Replication encrypts backup files stored in backup repositories. To learn what algorithms Veeam Backup & Replication uses to encrypt backup files, see the Veeam Backup & Replication User Guide, section Encryption Standards.

For data encryption, Veeam Backup for Microsoft Azure uses the 256-bit Advanced Encryption Standard (AES). For more information on AES, see Advanced Encryption Standard (AES).

Note

Sensitive customer data (credentials of user accounts required to connect to virtual servers and other systems, cloud credentials, and so on) is stored in the configuration database in the encrypted format.

To enable encryption for a backup repository added to Veeam Backup for Microsoft Azure, configure the repository settings as described in section Adding Backup Repositories and choose whether you want to encrypt backed-up data using a password or an Azure Key Vault cryptographic key. After you create a backup policy and specify the backup repository as a target location for image-level backups of Azure VMs or Azure SQL databases, as described in sections Creating VM Backup Policies and Creating SQL Backup Policies, Veeam Backup for Microsoft Azure performs the following steps:

Based on the provided password or Azure Key Vault key, generates an encryption key to protect instance data stored in the backup repository, and stores the key in the configuration database on the backup appliance.
Uses the generated key to encrypt backed-up data transferred to the backup repository when running the backup policy.