Encryption At Rest Amazon S3 and Disk

Userlevel 2

Veeam Backup & Recovery 9.5 (VMware)

When setting up my Backup Jobs, I “Enable backup file encryption.” If I am correct, this would mean that the file is “Encrypted at Rest” on the backup disk.

After 30 days I move this to an Amazon S3 Bucket. I have set up the Capacity Tier to “Encrypt data uploaded to object storage”. Is the Backup “Encrypted at Rest” in the S3 Bucket, or do I need to turn on disk Encryption in Amazon?

Is there some documentation that explains the above scenario?


Best answer by haslund 17 March 2021, 15:55



Userlevel 7


Do you have 9.5 U4?

Here is the guide for your version: Data Encryption - Veeam Backup Guide for vSphere 9.5 U4

There are differences between the various supported versions related to cryptography.

How Data Encryption Works - Veeam Backup Guide for vSphere (version 11, not 9.5)

Backup Repository Encryption - Veeam Backup & Replication Best Practice Guide Version 9.5 Update 4a



Userlevel 7

When you enabled encryption on the backup job, it is encrypting data inside your vbk/vrb/vib backup files on your local backup storage.

The question is, what happens when you then also enable the encryption feature on the capacity tier?


Good question, I am not sure if it will just off-load the data as-is or if it will encrypt it a second time. I’ll find out. Regardless, the data uploaded will be encrypted 100%.

No need to worry about additional encryption at AWS.

Userlevel 7

For the first point, the answer is yes that it is encrypted at rest.


I am pretty sure for point 2 that if you have the Capacity Tier set up with encryption on your SOBR, it will be encrypted in-flight and at rest without the need for encryption in Amazon.


Here is a great reference from the Best Practice site - Encryption - Veeam Backup & Replication Best Practice Guide