Data Encryption
Data security is an important part of the backup strategy. You can use data encryption to protect your backups from unauthorized access in object storage repositories.
Data encryption transforms data into an unreadable, scrambled format with the help of a cryptographic algorithm and a secret key. If encrypted data is intercepted, the eavesdropper cannot unlock and read it. Only intended recipients who know the secret key can reverse encrypted information back to a readable format. Encryption is performed by the Veeam Backup for Microsoft 365 Proxy Service before data is sent to an object storage repository, so the repository only ever receives ciphertext.
Encryption Standards
For data encryption, Veeam Backup for Microsoft 365 uses AES with a 256-bit key in CBC mode (AES-256-CBC; the AES block size is 128 bits regardless of key length). CBC mode provides confidentiality only and does not by itself authenticate the ciphertext. For more information, see Advanced Encryption Standard (AES).
To derive a secret key from an encryption password, Veeam Backup for Microsoft 365 uses PBKDF2, the Password-Based Key Derivation Function 2 defined in PKCS #5 version 2.0 (RFC 2898), with HMAC-SHA256 as the pseudorandom function, 10,000 iterations and a 512-bit salt. Because these parameters are fixed by the product, the strength of the derived key rests on the length and randomness of the encryption password you choose. For more information, see Recommendation for Password-Based Key Derivation. For more information on how to configure encryption passwords in Veeam Backup for Microsoft 365, see Managing Encryption Passwords.
Encryption Algorithm
To encrypt backed-up data, Veeam Backup for Microsoft 365 employs a symmetric-key encryption algorithm.
A symmetric, or single-key, encryption algorithm uses one shared secret key to both encrypt and decrypt data. Before data is sent to an object storage repository, it is encrypted with such a key. To access the encrypted data, you must hold the same key; users who do not have it cannot decrypt the data.
Encryption Keys
An encryption key is a string of random bytes used to transform data into its scrambled form and back again. In the key hierarchy, each key encrypts and decrypts either the data blobs themselves or the keys beneath it.
Veeam Backup for Microsoft 365 uses the following types of keys:
- Service keys generated by Veeam Backup for Microsoft 365:
  - Data key
    When Veeam Backup for Microsoft 365 encrypts data, it encrypts every data blob with a data key.
  - Backup key
    Veeam Backup for Microsoft 365 uses backup keys to encrypt data keys. It generates a new backup key each time you specify or change an encryption password. Backup keys are stored in the <repository_folder_name>/Encryption directory of each object storage repository that has encryption enabled.
- Secret key
  When you enable encryption for an object storage repository, you must specify an encryption password to protect data transferred to this repository. Veeam Backup for Microsoft 365 stores the encryption password in the product configuration database and derives a secret key from it. The secret key encrypts the backup keys; the secret-key material is kept together with the encrypted backup keys in the <repository_folder_name>/Encryption directory of each object storage repository that has encryption enabled, and the encryption password is still required to unlock it (see How to Access Encrypted Data). Because the password itself is stored in the configuration database, anyone who can read that database or a backup of it can derive the secret key, so protect the configuration database as carefully as the repository.
For more information about object storage repository structure, see Object Storage Repository Structure.
You can change the encryption password for an object storage repository. Changing it regularly limits how long any single password remains valid, and a password that has been disclosed can be replaced. Note that changing the password does not re-encrypt the data blobs already in the repository: the data keys stay as they are, and only the backup keys above them are re-wrapped, as described below. For more information, see Editing Object Storage Repository Settings and Managing Encryption Passwords.
Once you have changed the encryption password, Veeam Backup for Microsoft 365 generates a new secret key and a new backup key. The old backup key is decrypted with the old secret key and then encrypted with the new backup key. After that, Veeam Backup for Microsoft 365 overwrites the old encryption password and the old secret key with the new values. Veeam Backup for Microsoft 365 does not store a history of changes made to encryption passwords and secret keys.
As you change the encryption password multiple times, a chain of backup keys will be created allowing Veeam Backup for Microsoft 365 to decrypt the previous backup key in the chain using the newer backup key. The most recent backup key is decrypted using the current secret key. This approach allows Veeam Backup for Microsoft 365 to decrypt your data without storing the history of changes for encryption passwords and secret keys.
How to Access Encrypted Data
Veeam Backup for Microsoft 365 allows you to add object storage repositories that already contain encrypted data. If you specify such a repository folder, you must enable data encryption and provide the current encryption password; earlier passwords are of no use, because only the current one is kept. Veeam Backup for Microsoft 365 uses this password to derive the current secret key and decrypt the most recent backup key, then walks the chain of backup keys to reach every data key and data blob. For more information on how to add object storage repositories, see Adding Object Storage Repositories.
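The key hierarchy from Encryption Keys, the password rotation from the two paragraphs above it, and the re-add flow from How to Access Encrypted Data, modelled end to end. This is an added example, not code from Veeam Backup for Microsoft 365: the on-disk layout (a salt, the newest backup key wrapped by the secret key, a chain of older backup keys each wrapped by the next newer one, and a wrapped data key stored beside each blob), the IV-prefixed CBC framing and the use of the cryptography package for AES are all assumptions; the page only states the algorithm parameters and the name of the Encryption directory. Sample data is constructed.

```python
"""Key hierarchy sketch: password -> secret key -> backup keys (chained on rotation) -> data keys -> blobs."""
import hashlib
import os
from dataclasses import dataclass, field

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Parameters the page states: PBKDF2-HMAC-SHA256, 10,000 iterations, 512-bit salt, AES-256 in CBC mode.
ITERATIONS, SALT_LEN, KEY_LEN, BLOCK = 10_000, 64, 32, 16


def secret_key(password: str, salt: bytes) -> bytes:
    """Secret key derived from the encryption password with PBKDF2 (PKCS #5 v2.0)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """IV || AES-CBC(PKCS#7(plaintext)); the framing is an assumption. CBC gives confidentiality only,
    nothing here authenticates the ciphertext."""
    iv = os.urandom(BLOCK)
    padder = padding.PKCS7(8 * BLOCK).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """Reverse of cbc_encrypt. A wrong key almost always surfaces as a ValueError from the PKCS#7 check;
    that is a padding sanity check, not authentication."""
    dec = Cipher(algorithms.AES(key), modes.CBC(data[:BLOCK])).decryptor()
    unpadder = padding.PKCS7(8 * BLOCK).unpadder()
    return unpadder.update(dec.update(data[BLOCK:]) + dec.finalize()) + unpadder.finalize()


@dataclass
class Blob:
    gen: int            # backup key generation that wraps this blob's data key
    wrapped_key: bytes  # data key encrypted with backup key number `gen`
    ciphertext: bytes   # blob content encrypted with the data key


@dataclass
class Repository:
    """Persisted key material of one repository (what the page places under
    <repository_folder_name>/Encryption; the exact layout is an assumption) plus the unlocked keys."""
    salt: bytes = b""            # PBKDF2 salt for the current encryption password
    wrapped_backup: bytes = b""  # newest backup key, encrypted with the current secret key
    chain: list = field(default_factory=list)  # chain[g] = backup key g encrypted with backup key g+1
    blobs: list = field(default_factory=list)
    _keys: list = field(default_factory=list, repr=False)  # in memory only: every backup key generation

    @classmethod
    def create(cls, password: str) -> "Repository":
        """Enable encryption on a new repository: fresh salt and backup key, wrapped by the secret key."""
        repo = cls(salt=os.urandom(SALT_LEN), _keys=[os.urandom(KEY_LEN)])
        repo.wrapped_backup = cbc_encrypt(secret_key(password, repo.salt), repo._keys[0])
        return repo

    def backup(self, plaintext: bytes) -> None:
        """Encrypt one blob under a fresh data key and wrap that key with the current backup key."""
        gen, data_key = len(self._keys) - 1, os.urandom(KEY_LEN)
        self.blobs.append(Blob(gen, cbc_encrypt(self._keys[gen], data_key), cbc_encrypt(data_key, plaintext)))

    def unlock(self, password: str) -> None:
        """The 'add an existing encrypted repository' path: the current password alone unwraps the newest
        backup key, and the chain yields every older generation. A wrong password fails here."""
        try:
            keys = [None] * len(self.chain) + [cbc_decrypt(secret_key(password, self.salt), self.wrapped_backup)]
            for gen in range(len(self.chain) - 1, -1, -1):
                keys[gen] = cbc_decrypt(keys[gen + 1], self.chain[gen])
        except ValueError as err:
            raise PermissionError("encryption password rejected") from err
        self._keys = keys

    def change_password(self, old: str, new: str) -> None:
        """Rotation as the page describes it: decrypt the old backup key with the old secret key, generate a new
        secret key and backup key, wrap the old backup key under the new one, then overwrite the salt and the
        wrapped backup key. Blobs and data keys are not re-encrypted; only the chain grows."""
        self.unlock(old)
        new_backup = os.urandom(KEY_LEN)
        self.chain.append(cbc_encrypt(new_backup, self._keys[-1]))
        self.salt = os.urandom(SALT_LEN)
        self.wrapped_backup = cbc_encrypt(secret_key(new, self.salt), new_backup)
        self._keys.append(new_backup)

    def restore(self, index: int) -> bytes:
        """Unwrap the blob's data key with the backup key generation recorded for it, then decrypt the blob."""
        if not self._keys:
            raise PermissionError("repository not unlocked")
        blob = self.blobs[index]
        return cbc_decrypt(cbc_decrypt(self._keys[blob.gen], blob.wrapped_key), blob.ciphertext)


if __name__ == "__main__":
    repo = Repository.create("first-password")
    repo.backup(b"mailbox item 1")  # constructed sample data
    repo.change_password("first-password", "second-password")
    repo.backup(b"mailbox item 2")
    # Add the same repository elsewhere: persisted fields only, and only the current password.
    added = Repository(repo.salt, repo.wrapped_backup, repo.chain, repo.blobs)
    added.unlock("second-password")
    for i, blob in enumerate(added.blobs):
        print(f"blob {i} (wrapped by backup key generation {blob.gen}): {added.restore(i)!r}")
```

Each password change appends one link to the chain and replaces the salt and the wrapped newest backup key, so the old password stops working immediately while blobs wrapped under older generations stay readable. Unlocking walks the chain from newest to oldest, which is why only the current password is needed when the repository is added elsewhere, and why a wrong password is detected at the first unwrap rather than by producing garbage data.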