Key Management System Keys

You can use Key Management System (KMS) keys for data encryption instead of secret keys based on a password. KMS keys are based on an asymmetric key encryption algorithm. They are managed and rotated by an external KMS server and provide a higher level of security.

You can use KMS keys to encrypt backup files at the following encryption levels:

  • Job-level encryption:
    • Backup and backup copy jobs
    • Veeam Agent backup jobs managed by Veeam Backup & Replication
    • Application backup policies managed by Veeam Backup & Replication
    • File backup jobs and object storage backup jobs
    • Transaction log backup and backup copy jobs
    • VeeamZIP jobs

For more information about job-level encryption, see Job Encryption.

Note

If you use Veeam Cloud Connect repositories as a target backup storage, you can also use KMS keys for the following jobs:

  • Backup and backup copy jobs
  • Veeam Agent backup jobs managed by Veeam Backup & Replication
  • Transaction log backup copy jobs

  • Storage-level encryption:
    • Backup repositories that store backup files created by:
      • Veeam Backup for Nutanix AHV
      • Veeam Kasten for Kubernetes
      • Veeam Plug-Ins for Enterprise Applications operating in the standalone mode

      For more information about storage-level encryption for Veeam Backup & Replication additional solutions, see Encrypting Standalone Application Backups in Backup Repositories.

    • Capacity tier repositories. For more information about storage-level encryption for capacity tier repositories, see Encryption for Capacity Tier.
    • Media pools and GFS media pools. For more information about storage-level encryption for tape devices, see Tape Encryption.
    • External repositories (decryption only).

Important

The following jobs and repositories do not support data encryption with KMS keys:

  • Configuration backup jobs
  • Veeam Agent backup jobs managed by Veeam Agents
  • Backup repositories that store backup files created by Veeam Agents operating in the standalone mode

Page updated 9/3/2025

Page content applies to build 13.0.0.4967