Storage Settings

To specify encryption settings for a backup chain created with the backup policy:

At the Storage step of the wizard, click Advanced.
Click the Storage tab.
To encrypt the content of backup files, select the Enable backup file encryption check box. In the Password field, select a password that you want to use for encryption. If you have not created the password beforehand, click Add or use the Manage passwords link to specify a new password. For more information, see Password Manager.

If the backup server is not connected to Veeam Backup Enterprise Manager, you will not be able to restore data from encrypted backups in case you lose the password. Veeam Backup & Replication will display a warning about it. For more information, see Decrypting Data Without Password.

You can select a Key Management System (KMS) server in the Password field. To do this, the KMS server must be added to Veeam Backup & Replication in advance. If you choose to use KMS keys for backup file encryption at this step of the wizard, Veeam Backup & Replication immediately starts communication with the KMS server to retrieve the encryption keys. To learn more, see Key Management System Keys.

NOTE

Consider the following:

If you plan to encrypt the content of backup files, consider the limitations listed in Data Encryption Limitations.
You must encrypt the backup policy if you want to back up data to the Veeam Data Vault storage.

Storage Settings

Data Encryption Limitations

If you plan to encrypt the content of backup files, consider the following limitations:

Data encryption settings for application backup policies configured in Veeam Backup & Replication are stored to the Veeam Backup & Replication database.

If you change a password for data encryption for an existing backup policy targeted at a Veeam backup repository without changing other backup policy settings, the process of applying the backup policy to a protected computer completes with a notification informing that the backup policy was not modified. This happens because data encryption settings for backup policies targeted at a Veeam backup repository are saved to the Veeam Backup & Replication database and are not passed to a machine with Veeam Plug-In.

If you enable or disable encryption for an existing backup created with Veeam Plug-In, during the next job session Veeam Backup & Replication will command Veeam Plug-In to create a full backup file. The created full backup file and subsequent incremental backup files in the backup chain will be encrypted with the specified password.

Encryption is not retroactive. If you enable encryption for an existing backup policy, Veeam Backup & Replication will encrypt the backup chain starting from the next restore point created with this policy.

To learn more about data encryption in Veeam Backup & Replication, see Data Encryption.