Step 4. Enable Data Encryption
At the Options step of the wizard, choose whether you want to encrypt backup files stored in the selected blob container.
If you have chosen an existing folder at the Settings step of the wizard, and if encryption is enabled for this folder at the repository level, you must provide the currently used password or encryption key to let Veeam Backup for Microsoft Azure access this folder and add it as a backup repository. You cannot change the encryption settings while adding the repository. However, you will be able to edit the repository settings later.
To enable encryption for the backup repository, do the following:
- Click the Edit encryption settings link.
- In the Encryption settings window, set the Enable encryption toggle to On.
- Choose whether you want to use a password or Azure Key Vault cryptographic key to encrypt the backed-up data.
- To use password encryption, select the Use password encryption option, and specify a password that will be used to encrypt data.
- To encrypt data using Azure Key Vault, select the Use Azure Key Vault encryption key option.
- From the Azure vault drop-down list, select an Azure Key Vault where the cryptographic key is stored. For an Azure vault to be displayed, it must be created beforehand as described in Microsoft Docs.
- From the Encryption key drop-down list, select the necessary key.
Microsoft Azure supports multiple versions for a single key. One of the versions is always marked as the current. For a cryptographic key to be displayed, it must be created beforehand as described in Microsoft Docs.
If you select to use Azure Key Vault cryptographic key for encryption on the repository level, mind the following:
If a cryptographic key is scheduled for deletion, it acquires the Pending deletion state. In this case, Veeam Backup for Microsoft Azure will rise the warning, and, during the following 7 days, you must either change the encryption settings for the backup repository in Veeam Backup for Microsoft Azure or cancel the key deletion.