You can create encrypted backups that are protected with a password.
When you restore data from an encrypted backup on the same backup server, you do not have to specify a password. When you import an encrypted backup on another backup server and restore VM data from it, Veeam Backup & Replication requires a password to unlock the backup content.
In most backup products, if you do not have a password, the backup content will remain locked, and the backup will be of no use. Veeam Backup & Replication lets you decrypt encrypted backups even if you do not have a password, for example:
- The password is lost.
- The user who knows the password has left your organization or does not want to provide the password.
- A third-party organization requires you to decrypt the backup, for example, by a court decree.
To restore data without a password, you must make sure that the backup infrastructure meets the following requirements:
- The backup server that was used for backup encryption and the backup server that will be used for backup decryption must be connected to Veeam Backup Enterprise Manager.
- The backup server and Veeam Backup Enterprise Manager server must have an Enterprise or higher license installed.
In this case, Veeam Backup & Replication will engage an additional master key — Enterprise Manager key, in the encryption process. The Enterprise Manager key consists of two components: public key and private key. The public key is passed to all backup servers that are connected to Veeam Backup Enterprise Manager. The private key is kept only on the Veeam Backup Enterprise Manager server; it is used to decrypt a backup when the password is not available.
To decrypt a backup, you can specify the password or create a request to Veeam Backup Enterprise Manager. An administrator working with Veeam Backup Enterprise Manager will process the request with the Password Recovery wizard — the wizard will apply the private key matching the public key that was used for backup encryption. As a result, you will be able to access backup data in the Veeam Backup & Replication console.
- Create an encrypted backup with a backup job.
- To emulate a situation of data decryption on another Veeam backup server, remove the created backup from the Veeam Backup & Replication console and re-import the created backup back to the Veeam Backup & Replication console.
- Decrypt the backup file without a password.
- Make sure that the Veeam backup server is connected to Veeam Backup Enterprise Manager.
- Make sure that Enterprise or Enterprise Plus license is installed on the Veeam backup server. You can use a valid trial license or paid license.
To create an encrypted backup and restore data from it without a password, perform the following steps.
- In Veeam Backup & Replication, open the Home view.
- Open properties of a backup job that you have configured in the Performing Backup exercise.
- Pass to the Storage step of the wizard and click Advanced.
- In the Advanced Settings window, open the Storage tab.
- In the Encryption section, select the Enable backup file encryption check box and click Add on the right.
- In the Password field, specify a password that you want to use for the backup file encryption.
To view the specified password, click and hold the eye icon on the right of the field.
- In the Hint field, specify a hint for the password.
- Make sure that the Loss protection enabled label is displayed under the Password field. In the opposite case, you will not be able to restore data from the encrypted backup without a password.
- Save the new job settings and run the backup job once again to produce an encrypted backup file.
- When you enable encryption for an already existing backup job, Veeam Backup & Replication restarts the backup chain — it produces a new full backup. To make sure that the encrypted backup has been created, open the target folder on the backup repository, find a subfolder with the backup job name and make sure that a new VBK file is added to the backup chain.
- In Veeam Backup & Replication, open the Home view.
- In the inventory pane, select Backups > Disk.
- In the working area, right-click the backup job and select Remove from configuration.
Veeam Backup & Replication will remove records about the created backup and encryption keys from the Veeam Backup & Replication database. The actual backup files will remain on the backup repository.
- On the Home tab of the ribbon, click Import Backup.
- From the Computer list in the Import Backup window, select a backup repository where backup files are located.
- In the Backup file field, specify a path to the VBM backup file on the backup repository.
- Click OK. Veeam Backup & Replication will import the backup and place it under the Backups > Encrypted node.
- Additionally, Veeam Backup & Replication will display a warning that the backup file you import is encrypted. Click OK in the message window to close it.
- In the inventory pane, click the Disk (Encrypted) node under Backups.
- In the working area, right-click the imported job and select Specify password.
- In the Specify Password window, click the I have lost the password link.
Veeam Backup & Replication will launch the Encryption Key Restore wizard.
- In the Encryption Key Restore wizard, click Copy to clipboard to copy the displayed request for data decryption.
- Log in to Veeam Backup Enterprise Manager as Administrator.
- In the top right corner of the window, click Configuration.
- On the left, click Key Management.
- At the top of the view, click Password Recovery.
- In the Challenge Request window, paste the copied text of the request.
- Pass through the next steps of the wizard. At the Response step of the wizard, copy the displayed text to the clipboard.
- Get back to the Veeam Backup & Replication console; in the Encryption Key Restore wizard, click Next.
- At the Response step of the wizard, paste the copied response to the text field, click Next and click Finish. Veeam Backup & Replication will decrypt the backup file and move the imported backup to the Backups > Disk (imported) node.
- Open the Home view.
- Select the Disk (imported) node in the inventory pane.
- Make sure that the imported backup is available in the working area.