Please note ** This article is an update from an earlier article on the same topic**
Security is always extremely important. Encryption should be used whenever possible. When using Veeam plug-in for enterprise database, you should be aware of the options for encryption and settings that can be configured.
With the latest update of Veeam, v12.1.2, the following links should help clarify encryption for Veeam Enterprise plugin backup.
Network Traffic Encryption
Starting with v12.1.2, by default, network traffic encryption is in place for Veeam plug-in backup. See the following links for detail on utilization for each plug-in. The encryption may be disabled if desired. Specific commands and steps required are illustrated with each plug-in:
Repository Encryption
Oracle - Specific encryption conditions are in place. “The Oracle Secure Backup SBT library supports RMAN encrypted backups. Veeam Plug-in does not support directly encrypted backups of Oracle databases.”
However, an alternative available to provide encryption for Oracle RMAN backup with Veeam is to utilize Oracle TDE (Transparent Data Encryption). Veeam utilization of this option is identified within the Oracle Backup Encryption documentation section in the Veeam Plug-Ins for Enterprise Applications Guide.
Oracle TDE provides administrators of the database an option to encrypt some or all of the database contents as a feature of the Oracle database management tools. Please see Oracle documentation for key information utilizing Oracle TDE.
The Veeam plug-in supports protecting data encrypted by TDE within the backup sets generated during RMAN backup jobs. Data encrypted in the Oracle database by TDE will continue to be encrypted within the backup sets generated by RMAN. The Veeam plug-in can store and retrieve those backup sets on the Veeam repositories.
Also, please see the link Access and Encryption Settings on Repositories and note item #5 for repository settings with respect to Veeam plug-in backups.
SAP HANA – Note this special variation on encryption for backup for SAP HANA – ‘Veeam plug-in supports SAP HANA integrated encryption. The encryption processes are performed on the SAP HANA side. Veeam plug-in is not involved in encryption processing.’
See the link for expanded discussion regarding how to utilize SAP HANA and its encryption with the Veeam plug-in: SAP HANA . Also note, further discussion from SAP HANA Administration Guide for Managing Data Encryption in SAP HANA.
See the link “Access and encryption Settings on Repositories” for further information regarding Veeam plug-in ability to send backups to a repository where Veeam encryption is enabled. See item #5 – ‘Veeam plug-in cannot send backups or backup copies to a backup repository where encryption is enabled. Thus, make sure that the Encrypt Backups Stored in this repository check box is not selected.’
This is not the same as the first note where using SAP HANA encryption is supported.
Microsoft SQL Server – Note a special variation on encryption for backup for Microsoft SQL Server – MS SQL Server TDE (Transparent Data Encryption) integration is supported during Veeam backup. The encryption processes are performed on the SQL Server side. Veeam Plugin is not involved in the encryption processing. Plan the protection of the encryption environment using the information in the TDE documentation. In case you lose the encryption keys, Veeam Plug-in can only provide access to the encrypted backup file.
For further information regarding Veeam Plug-ins ability to send backups to a repository where Veeam encryption is enabled. See the link for Microsoft SQL Server item #5 “Access and Encryption Settings on Repositories” ‘Veeam plug-in cannot send backups or backup copies to a backup repository where encryption is enabled. Thus, make sure that the Encrypt Backups Stored in this repository check box is not selected.’
SAP on Oracle - See IMPORTANT note information within note #5 in the Veeam plug-in configuration section - SAP on Oracle ‘Encryption must be disabled on the target backup repositories. Otherwise, backup repositories will not be listed as available.’
DB2 – Please see the link for DB2 item #5 “Access and Encryption Settings on Repositories” ‘Veeam plug-in cannot send backups or backup copies to a backup repository where encryption is enabled. Thus, make sure that the Encrypt Backups Stored in this repository check box is not selected.’