Solved

#VMCE Pop quiz of the day: 2021-06-21


Userlevel 7
Badge +14

Happy Monday! :coffee:

I’ll try and post a little pop quiz question each day, hope to hear from many of you. Did you know the answer? Did you look it up in the documentation? Did you try it in a lab? Please share some details along with your answer.

The virtualization team uses vSAN for all datastores and is considering enabling vSAN datastore encryption. What impact would this have on the Veeam deployment?


Best answer by JMeixner 21 June 2021, 15:16


6 comments

Userlevel 7
Badge +21

For the Veeam deployment as long as you deploy your Proxy server(s) on the encrypted VSAN datastore using virtual appliance mode the backups will work just fine even with encryption enabled.  I believe Veeam receives the blocks from the VMDK files as unencrypted when doing the backup.

Actually, any transport mode (other than Direct Storage Access for obvious reasons) will work when backing up VMs on a vSAN datastore with datastore level encryption enabled.

So does that mean partial marks for this one? :joy:

Userlevel 7
Badge +14

For the Veeam deployment as long as you deploy your Proxy server(s) on the encrypted VSAN datastore using virtual appliance mode the backups will work just fine even with encryption enabled.  I believe Veeam receives the blocks from the VMDK files as unencrypted when doing the backup.

Actually, any transport mode (other than Direct Storage Access for obvious reasons) will work when backing up VMs on a vSAN datastore with datastore level encryption enabled.

Userlevel 7
Badge +17

Eeehhhhh…. Oh yes, you are right @haslund :grin:

My mistake.

Then my first thought should be correct. Veeam does not recognize vSAN encryption because it receives decrypted data blocks from the vSAN.

If I remember right, my ESX admin colleagues activated this on one cluster once, and it was no problem with Veeam.

Userlevel 7
Badge +21

For the Veeam deployment as long as you deploy your Proxy server(s) on the encrypted VSAN datastore using virtual appliance mode the backups will work just fine even with encryption enabled.  I believe Veeam receives the blocks from the VMDK files as unencrypted when doing the backup.

Userlevel 7
Badge +14

Just a friendly reminder, VM encryption referenced in the post by @JMeixner is not the same as vSAN datastore encryption.

Userlevel 7
Badge +17

This is rather transparent to Veeam once the encryption is correctly configured on vSphere.

I have looked this up in the documentation to have the correct wording:

  • Configuration in vSphere
    VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • Veeam Requirements

    The backup proxy used for backup must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.

    The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.