Skip to main content

Many times we wonder what happens with encrypted VMs :thinking:, here is this great explanation of Veeam 

 

:ballot_box_with_check: Backup of Encrypted VMs

 

Veeam Backup & Replication lets you back up encrypted VMs. The backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for backup must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.

:ballot_box_with_check:  Replication of Encrypted VMs

Veeam Backup & Replication lets you replicate encrypted VMs. The backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for backup must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place disks and the configuration file of the VM replica on datastores to which the VM Encryption policy is assigned. To do this, at the Destination step of the wizard, click Datastore and select a datastore under the VM Encryption Policy.

NOTE:

Multi-OS file-level restore for encrypted VM replicas is not supported.

 

:ballot_box_with_check:  Restore of Encrypted VMs

 

Veeam Backup & Replication supports restore of encrypted VMs. You have the following restore options:

  • You can back up an encrypted VM and restore it as encrypted.
  • You can back up an encrypted VM and restore is as unencrypted.
  • You can back up an unencrypted VM and restore it as encrypted.

To let Veeam Backup & Replication successfully restore an encrypted VMs, the backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for restore must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place VM disks on datastores to which the VM Encryption policy is assigned. To do this, at the Datastore step of the wizard, select a VM disk, click Datastore and select a datastore under the VM Encryption policy.

If a VM has several disks, you can optionally restore some disks as encrypted and some disks as unencrypted. Keep in mind, however, that the VM configuration file must always be placed on a datastore to which the VM Encryption policy is assigned.

:ballot_box_with_check:  Failback of Encrypted VMs

 

During failback, Veeam Backup & Replication lets you restore a VM as encrypted. To let Veeam Backup & Replication successfully restore an encrypted VMs, the backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for failback must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place VM disks on datastores to which the VM Encryption policy is assigned. To do this, at the Datastore step of the wizard, select a VM disk, click Datastore and select a datastore under the VM Encryption policy.

If a VM has several disks, you can optionally restore some disks as encrypted and some disks as unencrypted. Keep in mind, however, that the VM configuration file must always be placed on a datastore to which the VM Encryption policy is assigned.

                                                                       :santa:

 

VMware has bragged about it since 6.5 but the implementation was buggy, I remember. Let me know if you or someone here gets a chance to test with vsphere 7.0 and Veeam 11.


Comment