Cloud KMS Encryption

In this article

    Veeam Backup for Google Cloud allows you to back up and restore data of encrypted Cloud SQL instances and VM instances whose persistent disks are encrypted with Google Cloud KMS CMEKs. Additionally, you can encrypt unencrypted data and change CMEKs used to encrypt data when performing the following operations:

    Depending on the operation performed for an encrypted Cloud SQL instance or a VM instance that has encrypted persistent disks, the IAM role that Veeam Backup for Google Cloud uses for the operation may require specific permissions to access Google Cloud KMS resources:

    Note

    When you add a project to the Veeam Backup for Google Cloud infrastructure, you specify a service account that will be used to access the project. Veeam Backup for Google Cloud automatically grants this service account all the necessary IAM role permissions required to perform data protection and disaster recovery operations with Google Cloud resources. You can view and modify the list of granted permissions on the IAM page in the Google Cloud Console. For more information, see Google Cloud documentation.

    Creating Cloud-Native Snapshots

    The process of creating cloud-native snapshots of an encrypted Cloud SQL instance or a VM instance with encrypted persistent disks does not differ from the same process for an unencrypted Cloud SQL instance or a VM instance with unencrypted persistent disks. The IAM role used to encrypt the created snapshots does not require any additional permissions — Veeam Backup for Google Cloud encrypts these snapshots with the same CMEKs with which the source Cloud SQL instance or persistent disks of the source VM instance are encrypted.

    Creating Image-Level Backups

    The process of creating image-level backups of an encrypted Cloud SQL instance or a VM instance with encrypted persistent disks does not depend on the location where the worker instance processing the data is deployed. Regardless of whether the worker instance is deployed in the same Google Cloud project where the source Cloud SQL or VM instance belongs, Veeam Backup for Google Cloud performs the following steps:

    1. Takes a cloud-native snapshot of the Cloud SQL instance.
    2. Exports databases, triggers, stored procedures and users of the Cloud SQL instance to a storage bucket to read and further transfer the backed-up data to a backup repository.

    The IAM role used to encrypt the backed-up data requires permissions to access CMEKs with which the source Cloud SQL instance is encrypted.

    1. Removes the worker instance from the Google Cloud environment.
    1. Takes a cloud-native snapshot of the VM instance.
    2. Creates persistent disks from the snapshot.

    To encrypt the created disks, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    1. Attaches the created persistent disks to the worker instance to read and further transfer the backed-up data to a backup repository.

    The IAM role used to encrypt the backed-up data requires permissions to access CMEKs with which persistent disks of the source VM instance are encrypted.

    1. Removes the worker instance from the Google Cloud environment.

    Note

    Every time before creating persistent disks from a cloud-native snapshot, Veeam Backup for Google Cloud checks whether the total size of pd-standard disks breaches the zone quota for the project where the worker instance is deployed. If the total disk size is less than 4000 GB, Veeam Backup for Google Cloud temporarily attaches an additional empty disk to the worker instance — but only for the duration of the backup process and if the quota allows attaching the disk. This allows Veeam Backup for Google Cloud to speed up the data transfer to reduce your backup costs.

    Restoring from Cloud-Native Snapshots

    The process of restoring a Cloud SQL or VM instance from an encrypted cloud-native snapshot does not differ depending on the location where the restored instance will reside. Regardless of whether the Cloud SQL or VM instance will be restored to the same Google Cloud project where the cloud-native snapshot belongs, Veeam Backup for Google Cloud performs the following steps:

    1. Creates a Cloud SQL instance in the target location.

    To encrypt the created instance, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt this instance.

    1. Exports databases, triggers, stored procedures and users of the Cloud SQL instance to a storage bucket to further import the data to the Cloud SQL instance.
    1. Creates persistent disks from the cloud-native snapshot.

    To encrypt the created disks, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    1. Creates a VM instance in the target location.
    2. Attaches the created persistent disks with the restored data to the VM instance.

    Restoring from Image-Level Backups

    The process of restoring an encrypted Cloud SQL instance or a VM instance with encrypted persistent disks from an image-level backup does not differ depending on the location where the worker instance processing the data is deployed. Regardless of whether the worker instance is deployed in the same Google Cloud project where the restored Cloud SQL or VM instance will belong, Veeam Backup for Google Cloud performs the following steps:

    1. Creates a Cloud SQL instance in the target location.

    To encrypt the created instance, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt this instance.

    1. Exports databases, triggers, stored procedures and users of the Cloud SQL instance to a storage bucket to further import the data to the Cloud SQL instance.
    2. Removes the worker instance from the Google Cloud environment.
    1. Creates persistent disks from the image-level backup, and attaches the disks to the worker instance to read and further restore the backed-up data to a target location.

    To encrypt the created disks, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    1. Takes cloud-native snapshots of the persistent disks with the restored data.
    2. Creates a VM instance in the target location.
    3. Creates persistent disks from the snapshots, and attaches the disks to the VM instance.

    To encrypt the created disks, Veeam Backup for Google Cloud requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    1. Removes the worker instance from the Google Cloud environment.

    Note

    Every time before creating persistent disks from a cloud-native snapshot, Veeam Backup for Google Cloud checks whether the total size of pd-standard disks breaches the zone quota for the project where the worker instance is deployed. If the total disk size is less than 1500 GB, Veeam Backup for Google Cloud temporarily attaches an additional empty disk to the worker instance — but only for the duration of the restore process and if the quota allows attaching the disk. This allows Veeam Backup for Google Cloud to speed up the data transfer to reduce your restore costs.