As happened last year (with the Veeam Backup & Replication 7 announcements), Veeam is periodically announcing new features and concepts for the new 8.0 suite, which will be called Veeam Availability Suite.
One of the recent announcements is about the end-to-end encryption included in Veeam Backup & Replication v8. Encryption is not entirely new in Veeam products, considering that it was introduced in Veeam Backup & Replication Cloud Edition, but there it applied only to data stored at the cloud provider.
In v8, you will be able to:
- Secure data at the source (during backup)
- Secure data that must stay unencrypted at the target (as in the case of replication or quick migration)
- Secure data in-flight (as it is transferred between Veeam components)
- Secure data at rest, with support for encryption in Backup Copy jobs, as well as hardware and software tape encryption
Encryption is a feature that is essential to some environments for compliance reasons, but using encryption introduces new recoverability risks, so our goal with this feature was to ensure data loss avoidance in today’s modern data center.
Encryption may also introduce some delay in backup and restore operations, and it is usually not well suited to Instant-On or fast granular restore operations.
In v8, the encryption algorithm will be AES 256-bit. This algorithm was chosen for a couple of reasons. First, it is currently the gold standard of encryption. But more importantly, AES encryption is hardware accelerated by most modern processors, thus reducing the impact on your backup window. The backup proxy CPU overhead from enabling encryption is still noticeable, but proxies are scalable and several optimizations will be used. For restores, it is actually not so clear (at least to me) what the impact of this kind of operation will be, but I expect that some kind of optimization must be performed at the repository level.
The actual encryption key is stored twice in the backup file. The first copy is encrypted with the password that the user sets on the job. The second copy is encrypted with the public key from Veeam Enterprise Manager. This means you can decrypt the encryption key either by knowing the actual password or, in a secure fashion, with the help of the Veeam Enterprise Manager administrator. It could also be used by some other components that need raw access to the data (like the WAN accelerator).
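The two-copy key storage described above can be sketched as follows. This is an added example, not Veeam's code: the `DualWrap` module and its method names are hypothetical, and the choice of PBKDF2, AES-256-GCM and RSA-OAEP for the two wrappings is an assumption, since the post only says that one copy is protected by the password and the other by the Enterprise Manager public key.

```ruby
require 'openssl'

# Added sketch. PBKDF2, AES-256-GCM and RSA-OAEP are assumptions chosen for
# illustration; the page does not say which constructions Veeam uses.
module DualWrap
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # Derive a 256-bit key-encryption key from the job password.
  def self.kek(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                             length: 32, hash: 'sha256')
  end

  # Store the data key twice: under the password and under the manager public key.
  def self.wrap(data_key, password, manager_pub)
    salt = OpenSSL::Random.random_bytes(16)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = kek(password, salt)
    iv = c.random_iv
    c.auth_data = ''
    by_password = c.update(data_key) + c.final
    { salt: salt, iv: iv, tag: c.auth_tag, by_password: by_password,
      by_manager: manager_pub.public_encrypt(data_key, OAEP) }
  end

  # Normal path: raises OpenSSL::Cipher::CipherError if the password is wrong.
  def self.unwrap_with_password(hdr, password)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = kek(password, hdr[:salt])
    d.iv = hdr[:iv]
    d.auth_tag = hdr[:tag]
    d.auth_data = ''
    d.update(hdr[:by_password]) + d.final
  end

  # Recovery path: password lost, manager private key still available.
  def self.unwrap_with_manager(hdr, manager_priv)
    manager_priv.private_decrypt(hdr[:by_manager], OAEP)
  end
end

if __FILE__ == $PROGRAM_NAME
  manager = OpenSSL::PKey::RSA.new(2048)       # constructed key pair
  data_key = OpenSSL::Random.random_bytes(32)  # constructed AES-256 data key
  hdr = DualWrap.wrap(data_key, 'job-password', manager.public_key)
  puts DualWrap.unwrap_with_password(hdr, 'job-password') == data_key
  puts DualWrap.unwrap_with_manager(hdr, manager) == data_key
end
```

In a scheme like this, the manager private key can unwrap the data key of every backup wrapped to it, so it needs at least the same protection as the job passwords themselves.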
For more information, see also Rick Vanover’s post: Encryption coming to Veeam Availability Suite v8!