Question

Veeam Agent for Windows / Encryption set by Client


Dynamic

Hi Community,

a customer has the following requirements:

  • some Windows notebooks have confidential data on them; this data should be backed up
  • the only person who should have access to this backed-up data is the owner of the specific notebook
  • no Administrator should have access to this backed-up data

 

My approach would be:

  • Install VAW on the machine (not deployed/managed by VBR)
  • configure a Backup Job directly on this system
  • Repository can be an Object Storage or a Shared folder 
    • a Veeam backup repository would be managed by VBR and so the Backup Data and Encryption Settings could be accessible by the Veeam Administrator
  • set Encryption within the Job (only the owner of this device has the Key)

 

What do you think about it? Am I missing something here? Would there be a better approach?

6 comments

Tommy O'Shea
  • Experienced User
  • 116 comments
  • March 26, 2025

I agree that would be a good approach given the requirements. In that case, it is almost like the user is the administrator of their own backups.
Alternatively, I believe that Cloud Connect would be a reasonable solution for this ask. Their agent would connect to the Cloud Connect server and back up directly to your repository of choice. They would have the option to encrypt their own backups as required.

Based on this page, Cloud Connect is not only for use by Service Providers but could be used by enterprises as well.


Chris.Childerhose

I think VAW installed and not managed covers the access for the user, but using a VBR-backed repo would give the Administrator access to the files unless they are allowed. Otherwise the backup to locally attached USB or Object Storage would probably be better for the user.


Dynamic
  • Author
  • Veeam Vanguard
  • 385 comments
  • March 26, 2025

Thanks for the feedback so far! Appreciate it.
Cloud Connect would also be an option, yeah, but I didn’t mention it because it’s not an option for this customer.

 

I think we would go with Object as a target, Settings managed on the Client.

 

Maybe another option, but imo some administrative overhead:
a separate VBR, managing only these VAWs and the administrative Users are not the regular VBR admins, rather the Manager for these Clients. So they get a managed/centralized environment and shouldn’t manage every single installation. The Encryption and therefore the access to the data, remains in the Team. 🤔


Chris.Childerhose

A separate VBR might be a way to go as well. It all depends on how you want to set it up. 😁


Iams3le
  • Veeam Legend
  • 1393 comments
  • March 26, 2025
Dynamic wrote:

Thanks for the feedback so far! Appreciate it.
Cloud Connect would also be an option, yeah, but I didn’t mention it because it’s not an option for this customer.

 

I think we would go with Object as a target, Settings managed on the Client.

 

Maybe another option, but imo some administrative overhead:
a separate VBR, managing only these VAWs and the administrative Users are not the regular VBR admins, rather the Manager for these Clients. So they get a managed/centralized environment and shouldn’t manage every single installation. The Encryption and therefore the access to the data, remains in the Team. 🤔

This would be an overkill for this task. To leverage immutability in case of accidental deletion, I would go for Obj storage. Your approach is also rock solid.


Dynamic
  • Author
  • Veeam Vanguard
  • 385 comments
  • March 27, 2025

Thanks again. Currently we are talking about 15 machines.

Hmm, even if it’s overkill (separate VBR), it could be an option: just because all the manual steps, the initial deployment, 15 x setting up jobs, the control of the configuration itself, updates and so on would then be managed centrally by a single instance...

 

The customer mentioned that with his old client-side backup (based on Acronis) there was an option to manage this centrally, but for accessing the data, a client-side decryption key has to be entered… I really don’t know, I haven’t seen this config so far.
This option would be a fit, but it must be labeled with Veeam and in green! 😉💚


 

We just have to discuss the options with the customer. 

 

