Cloud KMS Encryption

    Veeam Backup for GCP allows you to back up and restore data of VM instances whose persistent disks are encrypted with Google Cloud KMS CMEKs. Additionally, you can encrypt unencrypted data and change CMEKs used to encrypt data when performing the following operations:

    Depending on the operation performed for a VM instance that has encrypted persistent disks, the IAM role that Veeam Backup for GCP uses for the operation may require specific permissions to access Google Cloud KMS resources:

    Note

    When you add a project to the Veeam Backup for GCP infrastructure, you specify a service account that will be used to access the project. Veeam Backup for GCP automatically grants this service account all the necessary IAM role permissions required to perform data protection and disaster recovery operations with GCP resources. You can view and modify the list of granted permissions on the IAM page in the Google Cloud Console. For more information, see Google Cloud documentation.

    Creating Cloud-Native Snapshots

    The process of creating cloud-native snapshots of a VM instance with encrypted persistent disks does not differ from the same process for a VM instance with unencrypted persistent disks. The IAM role used to encrypt the created snapshots does not require any additional permissions — Veeam Backup for GCP encrypts these snapshots with the same CMEKs with which persistent disks of the source VM instance are encrypted.

    Creating Image-Level Backups

    The process of creating image-level backups of a VM instance with encrypted persistent disks does not depend on the location where the worker instance processing the VM instance data is launched. Regardless of whether the worker instance is launched in the same GCP project to which the source VM instance belongs, Veeam Backup for GCP performs the following steps:

    1. Takes a cloud-native snapshot of the VM instance.
    2. Creates persistent disks from the snapshot.

    To encrypt the created disks, Veeam Backup for GCP requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    3. Attaches the created persistent disks to the worker instance to read and further transfer the backed-up data to a backup repository.

    The IAM role used to encrypt the backed-up data requires permissions to access the CMEKs with which the persistent disks of the source VM instance are encrypted.

    4. Removes the worker instance from the GCP environment.

    Note

    Every time before creating persistent disks from a cloud-native snapshot, Veeam Backup for GCP checks whether the total size of pd-standard disks breaches the zone quota for the project where the worker instance is launched. If the difference between the quota and the total disk size exceeds 4000 GB, Veeam Backup for GCP temporarily attaches an additional empty disk to the worker instance — but only for the duration of the backup process. This allows Veeam Backup for GCP to speed up the data transfer to reduce your backup costs.

    Restoring from Cloud-Native Snapshots

    The process of restoring a VM instance from an encrypted cloud-native snapshot does not depend on the location where the restored VM instance will reside. Regardless of whether the VM instance is restored to the same GCP project in which the cloud-native snapshot resides, Veeam Backup for GCP performs the following steps:

    1. Creates persistent disks from the image-level backup.

    To encrypt the created disks, Veeam Backup for GCP requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    2. Creates a VM instance in the target location.
    3. Attaches the created persistent disks with the restored data to the VM instance.

    Restoring from Image-Level Backups

    The process of restoring a VM instance with encrypted persistent disks from an image-level backup does not depend on the location where the worker instance processing the VM instance data is launched. Regardless of whether the worker instance is launched in the same GCP project in which the restored VM instance will reside, Veeam Backup for GCP performs the following steps:

    1. Creates persistent disks from the snapshot, and attaches the disks to the worker instance to read and further restore the backed-up data to a target location.

    To encrypt the created disks, Veeam Backup for GCP requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    2. Takes cloud-native snapshots of the persistent disks with the restored data.
    3. Creates a VM instance in the target location.
    4. Creates persistent disks from the snapshots, and attaches the disks to the VM instance.

    To encrypt the created disks, Veeam Backup for GCP requires permissions of an IAM role that can access the CMEK with which you want to encrypt these disks.

    5. Removes the worker instance from the GCP environment.

    Note

    Every time before creating persistent disks from a cloud-native snapshot, Veeam Backup for GCP checks whether the total size of pd-standard disks breaches the zone quota for the project where the worker instance is launched. If the difference between the quota and the total disk size exceeds 1500 GB, Veeam Backup for GCP temporarily attaches an additional empty disk to the worker instance — but only for the duration of the restore process. This allows Veeam Backup for GCP to speed up the data transfer to reduce your restore costs.
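    The following Python script is an added example, not Veeam's code or part of this documentation. It turns the per-operation rules above (which CMEK the service account must be able to use when creating snapshots, creating image-level backups, restoring from snapshots and restoring from image-level backups) into a checklist of Cloud KMS keys, renders gcloud commands that grant a role on each key, and reproduces the two quota-headroom thresholds from the notes (4000 GB for backup, 1500 GB for restore). The role roles/cloudkms.cryptoKeyEncrypterDecrypter is a real predefined Cloud KMS role but is not named on this page, so treating it as the role to grant is an assumption; the project, key ring, key and service account names are constructed sample values.

```python
import re

# Predefined Cloud KMS role granting encrypt/decrypt on a key. Real role name,
# but the page does not name a role, so using it here is an assumption.
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Quota headroom (GB) above which an extra transfer disk is attached,
# as stated in the page's backup and restore notes.
EXTRA_DISK_THRESHOLD_GB = {"backup": 4000, "restore": 1500}

# Canonical CryptoKey resource-name format used by Cloud KMS.
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def required_kms_keys(operation, source_key, target_key=None):
    """Return {cryptoKey resource name: [reasons]} the service account needs.

    operation: 'snapshot' | 'backup' | 'restore-snapshot' | 'restore-backup'
    source_key: CMEK protecting the source VM's persistent disks
    target_key: CMEK chosen for newly created disks (defaults to source_key)
    """
    target_key = target_key or source_key
    for k in (source_key, target_key):
        if not KEY_NAME_RE.match(k):
            raise ValueError(f"not a CryptoKey resource name: {k}")
    if operation == "snapshot":
        # Snapshots reuse the source disks' CMEKs; nothing extra to grant.
        return {}
    if operation == "backup":
        steps = [(target_key, "encrypt disks created from the snapshot"),
                 (source_key, "access data on disks encrypted with the source CMEK")]
    elif operation == "restore-snapshot":
        steps = [(target_key, "encrypt the restored disks")]
    elif operation == "restore-backup":
        steps = [(target_key, "encrypt disks attached to the worker instance"),
                 (target_key, "encrypt disks attached to the restored VM instance")]
    else:
        raise ValueError(f"unknown operation: {operation}")
    # Group reasons per key so that one binding per distinct key is emitted.
    needed = {}
    for key, reason in steps:
        needed.setdefault(key, []).append(reason)
    return needed


def binding_commands(service_account, needed):
    """Render one gcloud add-iam-policy-binding command per required key."""
    cmds = []
    for key, reasons in needed.items():
        m = KEY_NAME_RE.match(key)
        cmds.append(
            f"# {'; '.join(reasons)}\n"
            f"gcloud kms keys add-iam-policy-binding {m['key']} "
            f"--project={m['project']} --location={m['location']} "
            f"--keyring={m['ring']} "
            f"--member=serviceAccount:{service_account} --role={KMS_ROLE}"
        )
    return cmds


def attaches_extra_disk(operation, zone_quota_gb, total_pd_standard_gb):
    """True when pd-standard quota headroom exceeds the page's threshold."""
    headroom = zone_quota_gb - total_pd_standard_gb
    return headroom > EXTRA_DISK_THRESHOLD_GB[operation]


if __name__ == "__main__":
    # Constructed sample values, not from any real project.
    src = "projects/demo-proj/locations/us-central1/keyRings/ring1/cryptoKeys/src-key"
    tgt = "projects/demo-proj/locations/us-central1/keyRings/ring1/cryptoKeys/backup-key"
    sa = "veeam-sa@demo-proj.iam.gserviceaccount.com"
    for cmd in binding_commands(sa, required_kms_keys("backup", src, tgt)):
        print(cmd)
    print("extra disk on backup:", attaches_extra_disk("backup", 10000, 5000))
```

Run it as a script to print the grant commands for a backup whose target CMEK differs from the source CMEK; with no target key, the checklist collapses to the single source key, matching the snapshot-and-backup flow the page describes.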