Question

Encryption At Rest Amazon S3 and Disk


Userlevel 1

Veeam Backup & Recovery 9.5 (VMware)

When setting up my backup jobs, I “Enable backup file encryption.” If I am correct, this would mean that the file is “Encrypted at Rest” on the backup disk.

After 30 days I move this to an Amazon S3 bucket. I have set up the Capacity Tier to “Encrypt data uploaded to object storage”. Is the backup “Encrypted at Rest” in the S3 bucket, or do I need to turn on disk encryption in Amazon?

Is there some documentation that explains the above scenario?


3 comments

Userlevel 6

For the first point, the answer is yes, it is encrypted at rest.

I am pretty sure for point 2 that if you have the Capacity Tier set up with encryption on your SOBR that it will be encrypted in-flight and at rest without the need for encryption in Amazon.

Here is a great reference from the Best Practice site: Encryption - Veeam Backup & Replication Best Practice Guide

Userlevel 7

When you enable encryption on the backup job, it encrypts data inside your vbk/vrb/vib backup files on your local backup storage.

The question is, what happens when you then also enable the encryption feature on the capacity tier?

Link: https://helpcenter.veeam.com/docs/backup/vsphere/new_capacity_tier.html?ver=110

Good question. I am not sure if it will just off-load the data as-is or if it will encrypt it a second time. I’ll find out. Regardless, the data uploaded will be encrypted 100%.

No need to worry about additional encryption at AWS.

Userlevel 6
Do you have 9.5 U4?

Here is the guide for your version: Data Encryption - Veeam Backup Guide for vSphere 9.5 U4

There are differences between the various supported versions related to cryptography:

How Data Encryption Works - Veeam Backup Guide for vSphere (version 11, not 9.5)

Backup Repository Encryption - Veeam Backup & Replication Best Practice Guide Version 9.5 Update 4a

gl
