Step 4. Enable Data Encryption
At the Options step of the wizard, choose whether you want to encrypt backups stored in the selected blob container.
If you have selected an existing folder at the Settings step of the wizard, and if encryption is enabled for this folder at the repository level, you must provide the currently used password or an encryption key to let Veeam Backup for Microsoft Azure access this folder and add it as a backup repository. You cannot change the encryption settings while adding the repository. However, you will be able to edit the repository settings later.
To enable encryption for the backup repository, do the following:
- Click Edit Encryption Settings.
- In the Encryption settings window, set the Enable encryption toggle to On.
- Choose whether you want to use a password or an Azure Key Vault cryptographic key to encrypt the backed-up data.
- To use password encryption, select the Use password encryption option and specify a password that will be used to encrypt data.
- To encrypt data using an Azure Key Vault cryptographic key, select the Use Azure Key Vault encryption key option, choose an Azure Key Vault where the cryptographic key is stored, and then choose the necessary key.
For an Azure vault to be displayed in the list of available vaults, it must be created beforehand as described in Microsoft Docs. For a cryptographic key to be displayed in the list of available encryption keys, it must be created beforehand as described in Microsoft Docs.
If you want to use an Azure Key Vault cryptographic key for encryption at the repository level, consider the following:
If a cryptographic key is scheduled for deletion, it will acquire the Pending deletion state. In this case, Veeam Backup for Microsoft Azure will raise a warning, and, during the following 7 days, you must either change the encryption settings for the backup repository in Veeam Backup for Microsoft Azure or cancel the key deletion.