Security Considerations

General Recommendations

Follow the recommendations listed in Security Considerations in the Veeam Backup & Replication User Guide to prevent potential security issues and reduce the risk of compromising sensitive data.

For additional information on access privileges, refer to the Permissions section of this document. In addition, refer to the AWS IAM Best Practices Guide for Securing AWS Resources.

Managing Access to Veeam Backup & Replication

Veeam Backup & Replication relies on Windows to authenticate and authorize access to the backup server and console.

You can manage and change access credentials through Local user management of the Windows Server or through Microsoft Active Directory Services (AD).

For more information on how to access Veeam Backup & Replication, refer to the Logging in to Veeam Backup & Replication section of the Veeam Backup & Replication User Guide.

Securing EBS and S3 Environment

We recommend encrypting your EBS volumes. For more information, refer to the Amazon EBS Encryption guide in the AWS Documentation.

S3 buckets are encrypted by default. For more information on S3 encryption, refer to the Protecting Data Using Encryption guide in the AWS Documentation.

KMS and Key Rotation

Veeam Backup & Replication does not use Amazon KMS or programmatic key rotation. For more information on encryption and secrets management, refer to the Data Encryption section of the Veeam Backup & Replication User Guide.

Veeam Backup & Replication Database

One of the security concerns you must consider is protecting the Veeam Backup & Replication configuration database. The database stores credentials of user accounts required to connect to virtual servers and other systems in the backup infrastructure. All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt the passwords, which presents a potential threat.

To secure the Veeam Backup & Replication configuration database, consider the following recommendations:

  • Restrict user access to the database. Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
  • Encrypt data in configuration backups. Enable data encryption for configuration backup to secure sensitive data stored in the configuration database. For details, see Creating Encrypted Configuration Backups in the Veeam Backup & Replication User Guide.

Data Encryption

To secure data, Veeam Backup & Replication uses the following mechanisms:

  • To encrypt data blocks in backup files, Veeam Backup & Replication uses AES with a 256-bit key in CBC mode. For more information, see Advanced Encryption Standard (AES).
  • To generate a key based on a password, Veeam Backup & Replication uses the Password-Based Key Derivation Function, PKCS #5 version 2.0. Veeam Backup & Replication uses 10,000 HMAC-SHA1 iterations and a 512-bit salt. For more information, see Recommendation for Password-Based Key Derivation.

For more information on how to encrypt your data, refer to the Data Encryption section in the Veeam Backup & Replication User Guide.
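
The key derivation parameters listed above (PBKDF2 with HMAC-SHA1, 10,000 iterations, 512-bit salt) can be reproduced with the Python standard library. This is an added example, not Veeam code: it builds PBKDF2 step by step from HMAC and checks it against `hashlib`. The 32-byte output length, the UTF-8 password encoding, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Parameters stated on this page.
HASH = "sha1"          # HMAC-SHA1 as the PBKDF2 pseudorandom function
ITERATIONS = 10_000
SALT_BYTES = 64        # 512-bit salt
# Assumption: the output is sized for an AES-256 key (32 bytes).
KEY_BYTES = 32


def pbkdf2_manual(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 from PKCS #5 v2.0, built directly on HMAC to show each step."""
    hlen = hashlib.new(HASH).digest_size        # 20 bytes for SHA-1
    blocks = -(-dklen // hlen)                  # ceil(dklen / hlen)
    out = b""
    for index in range(1, blocks + 1):
        # U1 = HMAC(password, salt || INT(index)); Un = HMAC(password, Un-1)
        u = hmac.digest(password, salt + index.to_bytes(4, "big"), HASH)
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.digest(password, u, HASH)
            t ^= int.from_bytes(u, "big")       # block = U1 xor U2 xor ... xor Uc
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def new_salt() -> bytes:
    """Fresh random 512-bit salt from the OS CSPRNG."""
    return os.urandom(SALT_BYTES)


def derive_key(password: str, salt: bytes) -> bytes:
    """Same derivation through hashlib, rejecting a salt of the wrong size."""
    if len(salt) != SALT_BYTES:
        raise ValueError(f"expected a {SALT_BYTES * 8}-bit salt")
    # Assumption: the password is encoded as UTF-8 before derivation.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("constructed sample passphrase", salt)
    assert key == pbkdf2_manual(b"constructed sample passphrase", salt, ITERATIONS, KEY_BYTES)
    # 32 bytes of output spans two 20-byte SHA-1 blocks, so 20,000 HMAC calls.
    print(len(key) * 8, "bit key derived")
```

Because the salt is an input to every HMAC chain, the same password with a different salt yields an unrelated key, so the salt must be stored alongside the encrypted data to re-derive the key later.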

Encryption Libraries

For Linux-based components and services, Veeam Backup & Replication uses Veeam Cryptographic Module.

For Veeam Data Movers installed on Microsoft Windows-based machines, Veeam Backup & Replication also uses Veeam Cryptographic Module. For other Microsoft Windows-based components and services, Veeam Backup & Replication uses Microsoft Crypto API.

Veeam Backup & Replication uses the following cryptographic service providers:

  • Microsoft Base Cryptographic Provider. For more information, see Microsoft Docs.
  • Microsoft Enhanced RSA and AES Cryptographic Provider. For more information, see Microsoft Docs.
  • Microsoft Enhanced Cryptographic Provider. For more information, see Microsoft Docs.

If you need Veeam Cryptographic Module and Microsoft Crypto API to be compliant with the Federal Information Processing Standards (FIPS 140), enable FIPS compliance as described in FIPS Compliance in the Veeam Backup & Replication User Guide.

Veeam Backup & Replication encrypts stored credentials using the Data Protection API (DPAPI) mechanisms. For more information, see Microsoft Docs.