When, Why, and How to Encrypt Your Veeam Backups

Backups should be encrypted whenever they contain any data that is important to an organization and there is any chance that the data could be accessed by non-authorized entities.  This usually means that all backups on tape should always be encrypted!

Considerations for why to encrypt

Backups should be encrypted whenever data will be or might be at risk.  Situations where this could happen include:

  • When media will be out of your hands (courier, briefcase, shipping)
  • When media could be misdirected (theft of tapes, remote site security breach)
  • When the backup data could be captured while replicating over a WAN link

If the backups end up in the wrong hands, it is not a difficult process to access the data.  This could cause considerable issues for your organization.

Considerations for when to encrypt

In addition to security concerns, encrypting backups can be a consideration for deduplication or replication performance.  A review of the devices and connections, as well as the procedures, will dictate where and how backups are encrypted to create the least impact while ensuring the data is protected.  Some items to consider:

  • Traffic shaping appliances to optimize WAN performance may see encrypted backups as all new data with a significant degradation or even elimination of dedupe.
  • Some hardware dedupe appliances will not be able to dedupe encrypted data, depending on where it was encrypted and how they handle the encrypted data.  In this case, it would be much better to encrypt at the appliance, if that is an option, instead of in the backup software unless they are very tightly integrated.
  • When the backups are written to disk and in the same data center, there may not be a need to encrypt the data since the original data is in the same location.  However, encryption might be justified if there are concerns that a physical theft of a resource that contains sensitive information could occur.

How to encrypt Veeam backups

Encryption of any data written to tape should be part of your backup procedure and the design of your backup environment should include securing the data whenever there is a risk to it.  This should also include backing up to USB drives that may be stored off site, and can be easily stolen, or backup replication jobs to another site or cloud provider.  Note:

  • Veeam can be set to encrypt during backup jobs or backup copy jobs under the storage menu
  • Veeam tape encryption is under the options menu

If you would like a review of your backup environment and procedures or assistance in improving your overall security posture, email info@peters.com.  We are happy to help!

By | 2018-09-26T14:06:41+00:00 September 7th, 2018|IT Advisory Services|0 Comments

About the Author:

As the Storage Architect at Peters & Associates Dan is responsible for SAN and Backup design leadership as well as mentoring and troubleshooting guidance. He has many years of heterogeneous system integration with multiple hardware and software vendors. Dan has over three decades of experience working at Peters & Associates He has experience with SANs from multiple vendors on various infrastructures, primarily Fibre Channel and iSCSI. He has experience with multiple backup software products using various hardware platforms including DR, replication and cloud. Dan is also involved in providing optimal designs and sizing to support virtualizing mission critical applications on multiple virtualization platforms including VMware and Hyper-V.

Leave A Comment