Ask any IT professional about encryption, and they likely have a story where something didn’t function as expected upon recovery from an encrypted backup. But talk to any IT decision maker about encryption, and they’ll likely perk up with an interest in ensuring that every possible surface area is encrypted. Coming in Veeam Availability Suite v8, Veeam Backup & Replication v8 will now offer end-to-end encryption, and with our implementation, we will make both groups of people happy!
In v8, you will be able to:
- Secure data at the source (during backup)
- Secure data in-flight as it is transferred between Veeam components (for data that must stay unencrypted at the target, such as in the case of replication or quick migration)
- Secure data at rest, with support for encryption in Backup Copy jobs, as well as hardware and software tape encryption
Encryption is a feature that is essential to some environments for compliance reasons, and we’ve heard feedback from prospects, partners as well as end-users loud and clear that this feature was much needed. But using encryption introduces new recoverability risks, so our goal with this feature was to ensure data loss avoidance in today’s modern data center.
Now that we have your attention on the topic, how do you think we’d implement it? There is rarely much value in implementing a feature in the straightforward way. This was an opportunity for us to implement encryption with a built-in safeguard from a loss of the decryption password.
How do other vendors approach the issue of lost passwords? Most other products will, at best, issue a warning saying that you are on your own if you lose the encryption password. This means that their support will not be able to help you recover in this event. Unfortunately, it happens quite often that passwords (or the people who set them) are lost. And when this happens, you just throw your backups away. This is exactly the data loss issue we were determined to solve.
How does Veeam encryption work?
In v8, the encryption algorithm will be AES 256-bit. This algorithm was chosen for a couple of reasons. First, it is currently the gold standard of encryption. But more importantly, AES encryption is hardware accelerated by most modern processors, thus reducing the impact on your backup window. The backup proxy CPU overhead from enabling encryption is still noticeable, but we prepared for this back in v7 by introducing the new default compression level, which is also hardware accelerated. This reduced backup proxy CPU requirements almost 10x compared to the original default compression level.
So, how exactly are backup files encrypted? For added security, all blocks containing VM data are encrypted with a unique encryption key that is randomly generated each and every time you run the backup job. This means you do not have to change the actual encryption keys periodically, as security best practices require.
And here is where we come to the most interesting part of our implementation. The actual encryption key is stored twice in the backup file. Once, it is stored encrypted with the password that the user sets on the job. But the second copy is encrypted with the Public Key from Veeam Enterprise Manager. This means you can decrypt the encryption key either by knowing the actual password, or with the help of the Veeam Enterprise Manager administrator in a secure fashion, as I will explain further.
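The two-copy key storage described above, as an added Node.js example (not Veeam's code or backup file format). The use of scrypt for the password copy, RSA-OAEP for the public-key copy, AES-256-GCM, and every function and field name are assumptions; the demo key pair is 2048-bit for speed, where the page states 4096-bit.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv,
        generateKeyPairSync, publicEncrypt, privateDecrypt, constants } = require('node:crypto');

// AES-256-GCM helpers (assumed mode); layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, box) {
  const d = createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]); // throws on a wrong key
}

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// One job run: a fresh random session key encrypts the data and is stored twice, wrapped.
function encryptBackup(data, password, recoveryPublicKey) {
  const sessionKey = randomBytes(32);
  const salt = randomBytes(16);
  return {
    salt,
    data: seal(sessionKey, data),
    keyByPassword: seal(scryptSync(password, salt, 32), sessionKey), // scrypt is an assumption
    keyByPublicKey: publicEncrypt({ key: recoveryPublicKey, ...OAEP }, sessionKey),
  };
}

// Normal path: the job password unwraps the session key.
function openWithPassword(backup, password) {
  const sessionKey = open(scryptSync(password, backup.salt, 32), backup.keyByPassword);
  return open(sessionKey, backup.data);
}

// Lost-password path: only the holder of the recovery private key can unwrap the second copy.
function openWithPrivateKey(backup, recoveryPrivateKey) {
  const sessionKey = privateDecrypt({ key: recoveryPrivateKey, ...OAEP }, backup.keyByPublicKey);
  return open(sessionKey, backup.data);
}

// Constructed demo key pair; the page states 4096-bit RSA, 2048 keeps the demo quick.
function newRecoveryKeyPair(bits = 2048) {
  return generateKeyPairSync('rsa', { modulusLength: bits });
}
```

Because the session key is random per run, encrypting the same data twice yields different ciphertext, and a wrong password fails at the GCM tag check rather than returning garbage.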
As product components (such as proxies, WAN Accelerators, etc.) require access to raw data from encrypted backup files, they are able to transparently decrypt the data using the job’s password stored in the configuration database. This means that you will not be repeatedly asked for a password as you are performing actions within the same backup server that created the backup. This will be very helpful when you need to quickly perform a restore! It is only when the backup file is imported into a new backup server installation that we require you to provide the password for the backup file.
The beauty of built-in
Having encryption built directly into the product addresses many common challenges it normally brings. First, data compression ratios are not affected, because we compress the data first, and encrypt already compressed blocks. And because our WAN Accelerators still have access to raw data as needed, the data reduction ratios of built-in WAN Acceleration are not impacted when encryption is enabled. These are very important differentiators, as the same will not be the case with 3rd party WAN accelerators, simply because all data reduction algorithms fall apart when they hit encrypted data streams.
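The effect of ordering on data reduction, as an added Node.js example (not Veeam's code): it measures compression and chunk-level deduplication on raw data versus ciphertext. AES-256-CTR with a random IV, the 4 KiB chunk size, the sample data and all function names are assumptions.

```javascript
const zlib = require('node:zlib');
const { randomBytes, createCipheriv } = require('node:crypto');

// Assumption: AES-256-CTR with a random IV stands in for the product's cipher mode.
function encrypt(buf, key) {
  const c = createCipheriv('aes-256-ctr', key, randomBytes(16));
  return Buffer.concat([c.update(buf), c.final()]);
}

// Share of 4 KiB chunks in `b` that already exist in `a` (what a deduplicator can skip).
function dedupRatio(a, b, size = 4096) {
  const seen = new Set();
  for (let i = 0; i < a.length; i += size) seen.add(a.toString('hex', i, i + size));
  let hits = 0, total = 0;
  for (let i = 0; i < b.length; i += size) {
    total += 1;
    if (seen.has(b.toString('hex', i, i + size))) hits += 1;
  }
  return hits / total;
}

function reductionReport() {
  // Constructed sample standing in for a VM block: repetitive log text.
  const block = Buffer.from('2014-06-01 INFO heartbeat ok host=vm01\n'.repeat(5000));
  const [runA, runB] = [randomBytes(32), randomBytes(32)]; // new key per job run
  return {
    rawBytes: block.length,
    // Built-in order: compress first, then encrypt the compressed block.
    compressThenEncrypt: encrypt(zlib.deflateSync(block), runA).length,
    // What an external optimizer faces: ciphertext that no longer compresses.
    encryptThenCompress: zlib.deflateSync(encrypt(block, runA)).length,
    // Same data backed up in two runs: identical raw chunks, unrelated ciphertext.
    dedupOnRawData: dedupRatio(block, block),
    dedupOnCiphertext: dedupRatio(encrypt(block, runA), encrypt(block, runB)),
  };
}
```

Printing `reductionReport()` shows the compressed-then-encrypted block at a small fraction of the raw size, while the encrypted-then-compressed output is no smaller than the input and shares no chunks across runs.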
We also give you the flexibility to determine what and when is encrypted. For example, you could opt to not encrypt local backups, but choose to encrypt the offsite backups produced by Backup Copy jobs. Conversely, you could protect a backup job with one password, and a backup copy job with another one.
The figure showing the advanced settings of a job (on left) illustrates how you can enable encryption on a backup job.
For the password management, we use the same approach as with credentials management introduced in v7. Each password can be entered only once in the Password Manager, and each job will use the password without needing to be re-entered each time. Further, if the password needs to be changed, it is changed once. The Password Manager is shown below:
So, you lost your password?
Worry not if you had loss protection enabled! In fact, this feature is enabled automatically if you have Veeam Enterprise Manager installed. Of course, if for whatever reason you do not want to leverage this capability, you will be able to disable it – in which case, the encryption key will only be stored in the backup files once, encrypted with the job’s password (and you are on your own if you lose one).
Instead of passwords, Veeam Enterprise Manager uses Public Key Infrastructure (PKI) with 4096-bit RSA keys. We provide comprehensive management of key sets. You can import existing key sets, or generate them automatically. For added security, we will also monitor the age of key sets, and prompt you to import new ones - or you can even have Veeam Enterprise Manager auto-generate those for you periodically! The key management area of Veeam Enterprise Manager is shown below:
Going back to how we designed backup file encryption, the second set of encryption keys is stored in the backup file encrypted with the Public Key that is automatically pushed by Veeam Enterprise Manager to all registered backup servers. And no, you do not have to get hold of the Private Key to perform an emergency recovery; this is done in a secure fashion. Neither the backup administrator nor the Veeam Enterprise Manager administrator is ever presented with the Private Key. Instead, we are using a Challenge/Response system.
If you need to recover a backup that you lost the password for, you will be provided with an encrypted blob of data (a so-called “challenge blob”) containing the information about the backup file you are trying to access. This “challenge blob” will need to be emailed or Instant Messaged to the Veeam Enterprise Manager administrator. After verifying your identity and backup access privileges, the Veeam Enterprise Manager administrator pastes the “challenge blob” into the Recovery Wizard in the web UI, which verifies the content and issues an encrypted “response blob”, which needs to be provided back to the user performing the recovery. The user then pastes the “response blob” into the restore wizard, and is able to proceed.
As a result, no human involved in the process will ever get hold of the actual Private Key. More importantly, the given “response blob” is only good for getting access to a very specific backup file, and cannot be used to access any other backup file, making this whole process very secure.
As you can see, data loss avoidance and ease of use were paramount in the implementation of encryption in v8. End-to-end encryption has little impact on performance, and no impact on data reduction ratios of built-in compression and WAN acceleration - but most importantly, you will be able to recover even when the encryption key is lost. Are you looking forward to this feature in v8? We’re surely excited that this feature will answer the need responsible for one of the biggest feature requests - yet delivered in a unique way and with the ease of use and thoroughness you’d expect!