Skip to main content
Answer

SOBR capacity tier encryption - who does the job?

  • July 18, 2024
  • 19 comments
  • 125 views
Michael Melter
Forum|alt.badge.img+12

One option to have encrypted date in the capacity tier is to enable capacity tier encryption.

Encryption for Capacity Tier - User Guide for VMware vSphere (veeam.com)

Question is: who exactly does this encryption?

I always assumed the gateway server is used for offloading. But helpcenter isn’t specific here. 

Elsewhere helpcenter states that the encryption will be done “at source” - which in that case would be the repo extent server of the performance tier.

Who can provide evidence here? 

Thanks,

Michael

 

Best answer by tim.hudson

@tim.hudson @SSimpson -- Are you guys able to confirm the answer for Michael?

Yeah!  Chris you were right all along.  The Gateway server for a given object server handles the read/write activity from Veeam → Repo.  This means it will be the server that handles encrypting backup data before it lands on the target repository.

 

In direct mode the Proxy / Agent (if VAW/VAL/etc.) will be the system that performs the encryption of backup data before delivering to repository.

Michael Melter - #VeeamLegend #veeam100 | VMCT | VMCE9 | VMCE2020 | VMCE2023 | VMCE2021 | VMCAv1 | VMCA2022 | VMCA2024 | VCP | MCP | DCIE | PhD | VDST TL3
    Chris.Childerhose
    coolsport00
    dloseke

    19 comments

    Chris.Childerhose
    Forum|alt.badge.img+21

    I am going to assume (need to verify) that the Gateway selected for the Object Repository that you add to the SOBR would be the one that does the offloading and encryption.  But let me try to confirm this.

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    T
    Chris.Childerhose
    Forum|alt.badge.img+21

    Now if direct mode then I believe it is any server that can access the Object storage would do the offloading and encryption.

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    dloseke
    Chris.Childerhose
    Forum|alt.badge.img+21

    Some further information about encryption -

    Offloading to Capacity Tier Object Storage - Where To Encrypt? (veeam.com)

    Backup Repository Encryption | Veeam Backup & Replication Best Practice Guide

    This is from this forum post - SOBR Capacity Tier encryption? - R&D Forums (veeam.com)

     
     
     
    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    dloseke
    Michael Melter
    Forum|alt.badge.img+12

    Some further information about encryption -

    Offloading to Capacity Tier Object Storage - Where To Encrypt? (veeam.com)

    Backup Repository Encryption | Veeam Backup & Replication Best Practice Guide

    This is from this forum post - SOBR Capacity Tier encryption? - R&D Forums (veeam.com)

    Thanks, @Chris.Childerhose 

    I went through all of them already. Neither one states where exactly the compute will be consumed. Only another reference to “at source” can be found. 

    So any evidence who exactly does capacity tier encryption would be appreciated. 😊

    I would say the gateway server is probably 90% safe to be responsible.

    Michael Melter - #VeeamLegend #veeam100 | VMCT | VMCE9 | VMCE2020 | VMCE2023 | VMCE2021 | VMCAv1 | VMCA2022 | VMCA2024 | VCP | MCP | DCIE | PhD | VDST TL3
    Chris.Childerhose
    Chris.Childerhose
    Forum|alt.badge.img+21

    Some further information about encryption -

    Offloading to Capacity Tier Object Storage - Where To Encrypt? (veeam.com)

    Backup Repository Encryption | Veeam Backup & Replication Best Practice Guide

    This is from this forum post - SOBR Capacity Tier encryption? - R&D Forums (veeam.com)

    Thanks, @Chris.Childerhose 

    I went through all of them already. Neither one states where exactly the compute will be consumed. Only another reference to “at source” can be found. 

    So any evidence who exactly does capacity tier encryption would be appreciated. 😊

    I would say the gateway server is probably 90% safe to be responsible.

    Yeah I am thinking when the offloading task runs whichever server is chosen as the “Gateway” server would be the one doing the encryption.

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    dloseke
    Michael Melter
    Forum|alt.badge.img+12

     

    Yeah I am thinking when the offloading task runs whichever server is chosen as the “Gateway” server would be the one doing the encryption.

    If anyone could find proof for it…

    Downside would be, that data in transit internally BEFORE the offloading (extent->gw-srv) would be NOT be encrypted unless you also request in-flight encryption in network options. So there’s also pro points for encrypting directly on the repo-extent in the first place (=@source).

    Michael Melter - #VeeamLegend #veeam100 | VMCT | VMCE9 | VMCE2020 | VMCE2023 | VMCE2021 | VMCAv1 | VMCA2022 | VMCA2024 | VCP | MCP | DCIE | PhD | VDST TL3
    Chris.Childerhose
    dloseke
    Chris.Childerhose
    Forum|alt.badge.img+21

    @tim.hudson @SSimpson -- Are you guys able to confirm the answer for Michael?

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    coolsport00
    coolsport00
    Forum|alt.badge.img+21
    • coolsport00
    • Veeam Legend
    • July 18, 2024

    Hi @Michael Melter -

    Great question...curious of this myself, at the very least, for knowledge. I honestly think your best bet is to ping the PMs directly over at the Forums.

    Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
    T
    Forum|alt.badge.img+2
    • tim.hudson
    • Veeam MVP
    • Answer
    • July 18, 2024

    @tim.hudson @SSimpson -- Are you guys able to confirm the answer for Michael?

    Yeah!  Chris you were right all along.  The Gateway server for a given object server handles the read/write activity from Veeam → Repo.  This means it will be the server that handles encrypting backup data before it lands on the target repository.

     

    In direct mode the Proxy / Agent (if VAW/VAL/etc.) will be the system that performs the encryption of backup data before delivering to repository.

    Chris.Childerhose
    coolsport00
    SSimpson
    Chris.Childerhose
    Forum|alt.badge.img+21

    Thanks @tim.hudson.

    Does this answer your question @Michael Melter ?

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    T
    Forum|alt.badge.img+2
    • tim.hudson
    • Veeam MVP
    • July 18, 2024

     

    Yeah I am thinking when the offloading task runs whichever server is chosen as the “Gateway” server would be the one doing the encryption.

    If anyone could find proof for it…

    Downside would be, that data in transit internally BEFORE the offloading (extent->gw-srv) would be NOT be encrypted unless you also request in-flight encryption in network options. So there’s also pro points for encrypting directly on the repo-extent in the first place (=@source).

    Michael is right (editing my previous post).  Veeam data movers don’t encrypt traffic (on private networks) unless you specify those networks & that option in the Network Traffic rules option.  (https://helpcenter.veeam.com/docs/backup/vsphere/enable_network_encryption.html?ver=120)

    Chris.Childerhose
    coolsport00
    SSimpson
    Forum|alt.badge.img+3
    • SSimpson
    • Comes here often
    • July 18, 2024

    I am running this by one of the SA on my team as well.

    Chris.Childerhose
    coolsport00
    Chris.Childerhose
    Forum|alt.badge.img+21

    I am running this by one of the SA on my team as well.

    Thanks, Sean.

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    SSimpson
    Forum|alt.badge.img+3
    • SSimpson
    • Comes here often
    • July 18, 2024

    Encryption can happen at multiple levels. It's the same without VCC in the scenario. In both cases, encryption can be configured for the backup job and it can also be configured for the Capacity Tier extent. If both are enabled, then encryption is taking place twice

    A service provider might decide to enable capacity tier encryption to ensure that unencrypted backups are encrypted.

     

    Chris.Childerhose
    coolsport00
    Dynamic
    SSimpson
    Forum|alt.badge.img+3
    • SSimpson
    • Comes here often
    • July 18, 2024

    Per Tim its the gateway server in this case...

    Chris.Childerhose
    coolsport00
    Michael Melter
    Forum|alt.badge.img+12

    @tim.hudson @SSimpson -- Are you guys able to confirm the answer for Michael?

    Yeah!  Chris you were right all along.  The Gateway server for a given object server handles the read/write activity from Veeam → Repo.  This means it will be the server that handles encrypting backup data before it lands on the target repository.

     

    In direct mode the Proxy / Agent (if VAW/VAL/etc.) will be the system that performs the encryption of backup data before delivering to repository.

    This is what I would have estimated. Thanks, @tim.hudson .

    Do you maybe have a link that explains it in detail?

     

    Michael Melter - #VeeamLegend #veeam100 | VMCT | VMCE9 | VMCE2020 | VMCE2023 | VMCE2021 | VMCAv1 | VMCA2022 | VMCA2024 | VCP | MCP | DCIE | PhD | VDST TL3
    Chris.Childerhose
    coolsport00
    coolsport00
    Forum|alt.badge.img+21
    • coolsport00
    • Veeam Legend
    • July 18, 2024

    Honestly, would be nice to have the Technical Writing team add that, imo pertinent information, to the User Guide.

    Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
    Michael Melter
    Forum|alt.badge.img+12

     

    Yeah I am thinking when the offloading task runs whichever server is chosen as the “Gateway” server would be the one doing the encryption.

    If anyone could find proof for it…

    Downside would be, that data in transit internally BEFORE the offloading (extent->gw-srv) would be NOT be encrypted unless you also request in-flight encryption in network options. So there’s also pro points for encrypting directly on the repo-extent in the first place (=@source).

    All data in transit from Veeam → Veeam (including repo extent → gateway server included) is encrypted.  You can’t turn it off, AFAIK.

    *Might be wrong on the above.  Gonna need to research a bit more.

    This is AFAIK not the case. You decide about that using traffic rules. https://helpcenter.veeam.com/docs/backup/vsphere/network_rules.html?ver=120

    Encryption in flight also costumes resources. Therefore it's not per default.

     

    Thanks 

    Michael

    Michael Melter - #VeeamLegend #veeam100 | VMCT | VMCE9 | VMCE2020 | VMCE2023 | VMCE2021 | VMCAv1 | VMCA2022 | VMCA2024 | VCP | MCP | DCIE | PhD | VDST TL3
    Chris.Childerhose
    T
    Forum|alt.badge.img+2
    • tim.hudson
    • Veeam MVP
    • July 19, 2024

     

    Yeah I am thinking when the offloading task runs whichever server is chosen as the “Gateway” server would be the one doing the encryption.

    If anyone could find proof for it…

    Downside would be, that data in transit internally BEFORE the offloading (extent->gw-srv) would be NOT be encrypted unless you also request in-flight encryption in network options. So there’s also pro points for encrypting directly on the repo-extent in the first place (=@source).

    All data in transit from Veeam → Veeam (including repo extent → gateway server included) is encrypted.  You can’t turn it off, AFAIK.

    *Might be wrong on the above.  Gonna need to research a bit more.

    This is AFAIK not the case. You decide about that using traffic rules. https://helpcenter.veeam.com/docs/backup/vsphere/network_rules.html?ver=120

    Encryption in flight also costumes resources. Therefore it's not per default.

     

    Thanks 

    Michael

    I’ve adjusted my earlier post so nobody is mis-directed later.  You’re correct re: data mover encryption on private networks.

    Chris.Childerhose
    coolsport00
    dloseke
    Terms & ConditionsAccessibility statement