Skip to main content
  • EN

Hi Community,

a customer has the following requirements:

  • some Windows Notebooks have confidential data on it, this data should be backup’d
  • the only person who should have access to this backed data, is the owner of the specific notebook
  • no Administrator should have access to this backup’d data

 

My approach would be:

  • Install VAW on the machine (not deployed/managed by VBR)
  • configure a Backup Job directly on this system
  • Repository can be an Object Storage or a Shared folder 
    • a Veeam backup repository would be managed by VBR and so the Backup Data and Encryption Settings could be accessible by the Veeam Administrator
  • set Encryption within the Job (only the owner of this device has the Key)

 

What do you think about it? Am I’m missing something here? Would there be a better approach?

I agree that would be a good approach given the requirements. In that case, it is almost like the user is the administrator of their own backups.
Alternatively, I believe that Cloud Connect would be a reasonable solution for this ask. Their agent would connect to the Cloud Connect server and backup directly to your repository of choice. They would have the option to encrypt their own backups as required.

Based on this page, Cloud Connect is not only for use by Service Providers but could be used by enterprises as well.

I think VAW installed and not managed covers the access for the user but using a VBR Backed Repo would give the Administrator access to the files unless they are allowed.  Otherwise the back up to locally attached USB or Object Storage would probably be better for the user.

Thanks for the feedback so far! Appreciate it.
Cloud Connect would also be an option yeah, but didn’t mentioned it, because it’s not an option for this customer.

 

I think we would go with Object as a target, Settings managed on the Client.

 

Maybe another option, but imo some administrative overhead:
a seperate VBR, managing only these VAWs and the administrative Users are not the regular VBR admins, rather the Manager for these Clients. So they get a managed/centralized environment and shouldn’t manage every single installation. The Encryption and therefore the access to the data, remains in the Team. 🤔

A separate VBR might be a way to go as well.  All depends how you want to set it up. 😁

Thanks for the feedback so far! Appreciate it.
Cloud Connect would also be an option yeah, but didn’t mentioned it, because it’s not an option for this customer.

 

I think we would go with Object as a target, Settings managed on the Client.

 

Maybe another option, but imo some administrative overhead:
a seperate VBR, managing only these VAWs and the administrative Users are not the regular VBR admins, rather the Manager for these Clients. So they get a managed/centralized environment and shouldn’t manage every single installation. The Encryption and therefore the access to the data, remains in the Team. 🤔

This would be an overkill for this task. To leverage immutability in case of accidental deletion, I would go for Obj storage. Your approach is also rock solid.

Thanks again. Currently we are talking about 15 Machines. 

Hmm, even it’s an overkill (separate VBR) it could be an option: just because all the manual steps, the initial deployment, 15 x setting up jobs, the control of the configuration itself, updates and so on would then be managed central by a single instance...

 

The customer mentioned, with his old Client-side Backup (based on Acronis) there was an option to manage this central, but for accessing the Data, a client-side Decryption-Key has to be entered… I really don’t know, haven’t seen this config so far. 
This option would be a fit, but it must be labeled with Veeam and in green! 😉💚


 

We just have to discuss the options with the customer. 

 

Terms & ConditionsAccessibility statement