Veeam Backup & Replication v12.1 and Fortanix KMS Integration

  • 6 December 2023

Why

A Key Management Service (KMS) is a system that securely generates, stores, manages and backs up cryptographic keys. The keys are used to encrypt and decrypt data and to create digital signatures. A KMS is essential for organizations that handle a large number of keys and certificates: it gives them one controlled, auditable place to manage keys instead of copies scattered across hosts and configuration files. Without one, organizations struggle to locate and manage their keys, and that loss of control turns into security weaknesses. A KMS is therefore a core component of any security strategy that relies on encryption.

Fortanix

Fortanix Data Security Manager (DSM) provides a Key Management Service that unifies key management, encryption, tokenization and secrets management across multi-cloud and hybrid infrastructures. Its KMS offers HSM-grade security for generating, storing and using cryptographic keys, certificates and secrets. A centralized web UI with enterprise-level access controls and single sign-on gives control and visibility over key management operations. Fortanix supports multi-geo deployment and scales horizontally and vertically, with automated load balancing, fault tolerance, disaster recovery and high availability. Business-critical applications integrate through traditional crypto interfaces (KMIP, PKCS#11) or RESTful APIs. All of this is secured with Intel SGX and built for cloud scale and resiliency.

Veeam uses Fortanix DSM to generate, store and provide authorized access to data encryption keys. Veeam communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys. Using Fortanix DSM with Veeam provides additional security for your data, ensuring that the data encryption keys can only be used with authorized access.

Veeam Cloud Native and KMS

In our cloud-native products, integrated KMS services have been available for some time: Veeam Backup for AWS uses AWS KMS keys, Veeam Backup for Microsoft Azure uses Azure Key Vault, and Veeam Backup for Google Cloud uses Google Cloud Key Management Service.

Example: integration in Veeam Backup for AWS

Veeam Backup for AWS allows you to enable encryption at the repository level: backup files stored in backup repositories are encrypted. To enable encryption, first add the AWS Key Management Service to Fortanix DSM.

For a backup repository added to Veeam Backup for AWS, open the repository settings and choose to encrypt data using a KMS encryption key.

Enable Encryption for…

AWS: https://helpcenter.veeam.com/docs/vbaws/guide/encryption_aws_cmks.html?ver=70

Microsoft Azure: https://helpcenter.veeam.com/docs/vbazure/guide/repository_ui_encryption.html?zoom_highlight=key&ver=60

Google Cloud: https://helpcenter.veeam.com/docs/vbgc/guide/storage_bucket_encryption.html?ver=50


New in Veeam Backup & Replication v12.1

With the Veeam Backup & Replication v12.1 (VBR) release, KMS integration arrives in the on-premises product. Using the KMIP protocol, VBR integrates with on-premises or SaaS KMS servers.

Certificates

Server certificate: this is the leaf certificate of the KMS endpoint, for the SaaS offering the certificate of the cloud region you use. You can download the current certificate from a web browser by clicking the padlock icon. Two things to check before uploading it: the padlock shows the certificate of the HTTPS listener, so confirm that the KMIP port VBR connects to presents the same certificate; and a leaf certificate expires and is rotated, so note its expiry date and plan to upload the renewed certificate before the old one stops working.

Client certificate: Veeam Backup & Replication accepts the private key in private_key_certificate.pem only in the traditional PKCS#1 encoding (PEM header "BEGIN RSA PRIVATE KEY"). Fortanix DSM exports the key pair in PKCS#8 encoding ("BEGIN PRIVATE KEY"), which VBR does not accept; the public certificate (public_certificate.pem) is a plain X.509 certificate and needs no conversion. So if you generated the key pair in PKCS#8 format, convert the private key to PKCS#1 for VBR, then bundle the converted private key and the public certificate into a .pfx (PKCS#12) file and use that in VBR.

Create the certificate in the Fortanix UI:

Implementing server and client certificates:

Add the KMS server and upload the converted server and client certificates:
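Worked example for the certificate steps above, added here and not part of the original post or of Veeam's or Fortanix's documentation: a small POSIX shell script that assumes the openssl CLI (1.1.1 or 3.x) on the admin workstation. Host and file names are placeholders, and it assumes the KMIP listener is on port 5696 (the IANA-registered KMIP port). It does two things the steps above leave implicit: it fetches the certificate the KMIP port actually presents and compares it with the copy downloaded through the browser padlock, and it converts a PKCS#8 private key to PKCS#1 and bundles it with the public certificate into a .pfx for VBR.

```shell
#!/bin/sh
# Added example, not from the post or from Veeam/Fortanix documentation.
# Assumes the openssl CLI (1.1.1 or 3.x). Host names, file names and the
# port are placeholders/assumptions; 5696 is the IANA-registered KMIP port.
set -eu

# SHA-256 fingerprint ("AB:CD:...") of the first certificate in a PEM file.
# Fails if the file holds no certificate, so an empty file never "matches".
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$fp" ] || { echo "no certificate in $1" >&2; return 1; }
    echo "$fp"
}

# Save the leaf certificate actually presented on the KMIP port as PEM.
# The browser padlock shows what the HTTPS listener serves; VBR validates
# the KMIP listener, so that is the certificate VBR must trust.
fetch_kmip_server_cert() {
    host=$1; port=${2:-5696}; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$out"
}

# 0 if both PEM files carry the same certificate, 1 otherwise.
same_cert() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") && [ "$a" = "$b" ]
}

# Convert a PKCS#8 private key ("BEGIN PRIVATE KEY", the encoding Fortanix DSM
# exports) to the traditional PKCS#1 RSA encoding ("BEGIN RSA PRIVATE KEY")
# that VBR expects. The key material is unchanged; only the wrapper differs.
pkcs8_to_pkcs1() {
    openssl pkey -in "$1" -traditional -out "$2"
}

# Bundle the PKCS#1 key and the X.509 client certificate into a
# password-protected PKCS#12 (.pfx) file for upload to VBR.
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Usage (all five arguments are placeholders):
#   PFX_PASSWORD=... sh kms_certs.sh <kmip-host> <browser-download.pem> \
#       <private_key_certificate.pem> <public_certificate.pem> <client.pfx>
if [ "$#" -eq 5 ]; then
    fetch_kmip_server_cert "$1" 5696 kmip-server.pem
    if same_cert "$2" kmip-server.pem; then
        echo "KMIP port serves the same certificate as the browser download"
    else
        echo "MISMATCH: upload kmip-server.pem to VBR, not the browser copy" >&2
    fi
    echo "server certificate $(openssl x509 -in kmip-server.pem -noout -enddate)"
    pkcs8_to_pkcs1 "$3" client-key-pkcs1.pem
    make_pfx client-key-pkcs1.pem "$4" "$5" "${PFX_PASSWORD:?set PFX_PASSWORD in the environment}"
    rm -f client-key-pkcs1.pem
fi
```

If the fingerprints differ, the certificate to upload as the server certificate is the one the script saved from the KMIP port, because that is the TLS endpoint VBR actually validates. The script also prints the server certificate's notAfter date: a pinned leaf certificate stops working when the region rotates it, so that date belongs in your operations calendar. The .pfx password is taken from the PFX_PASSWORD environment variable rather than a command-line argument so that it is not visible in the process list, and the intermediate PKCS#1 key file is deleted once the .pfx exists.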

Supported Job Types

After adding the KMS server and its certificates, you can select Fortanix KMS encryption in the job configuration window. Within Veeam Backup & Replication, the Fortanix Key Management Service is then used to encrypt the backups.

Supported job types: Backup Jobs, Backup Copy Jobs, NAS Backup, Log Backup, Veeam Agent backups managed by the backup server, Repository Encryption (RHV, AHV, Kasten) plus external repositories, Cloud Connect, Capacity Tier and Tape.

For any questions, just reach out to me.

1 comment


Can you update your post to have links/pictures publicly available? 


Very interesting read, thank you for posting! Looking forward to digging into this more.
