
WARNING: Exciting content 🕺🏻

This blog post has a little bit of everything: A little bit of compliance, a little bit of encryption, a little bit of REST API, and a little bit of V13, like in this song.

Introduction

The EU’s Digital Operational Resilience Act (DORA) requires financial entities to protect their data using robust cryptographic methods. Two key articles, Article 6 (Encryption and Cryptographic Controls) and Article 7 (Cryptographic Key Management), set out what must be done. If you use Veeam for backups, you can meet many of these requirements.

DORA - Summary of Relevant Requirements (Articles 6 & 7)

DORA requires financial organizations to encrypt backup data at rest and during transfer. Connections within the organization and with external partners must also be protected using encryption. In addition, there must be clear rules for managing cryptographic keys throughout their entire lifecycle, including creation, storage, renewal, backup, and secure destruction. If a key is lost or compromised, it must be replaced quickly. Organizations must also keep records of all measures taken to protect data and keys, and explain any alternative or additional steps. Finally, cryptographic technologies and processes must be regularly reviewed and updated to stay resilient against new threats.

For the full legal text, see the official regulation: DORA Regulation (EU) 2024/1774.

Mapping Veeam Features to Articles 6 & 7

The following Veeam features and functions help to address DORA Articles 6 and 7 requirements.

Encryption of Data at Rest (Art. 6(2)(a))

Veeam can encrypt backup data stored in backup repositories, tape libraries, cloud storage, and object storage using AES-256 encryption. This ensures that all backup data at rest is protected according to DORA Article 6(2)(a) requirements.

Encryption of Data in Transit (Art. 6(2)(a))

Veeam supports data encryption as it moves between Veeam components (such as proxies, repositories, and backup servers) using TLS (Transport Layer Security). Administrators can enable network data encryption to protect backup data in transit, as required by DORA Article 6(2)(a).

Job-level Encryption with Password or KMS (Art. 6(2)(d), Art. 7(1))

Veeam lets users choose between password-based encryption keys or integration with an external Key Management Server (KMS) compliant with KMIP for managing encryption keys. This aligns with Article 6(2)(d) and Article 7(1) regarding cryptographic key management.

Encryption Key Lifecycle Management (Art. 7)

Veeam supports secure storage, backup, and retrieval of encryption keys:

  • If using a KMS, key generation, renewal, retirement, revocation, and destruction are managed according to the KMS capabilities, matching DORA Article 7(1).
  • If using password-based keys, Veeam allows secure management but does not provide automatic key rotation for job keys; rotation must be done manually.
  • Veeam Backup Enterprise Manager enables backup of encryption keys, helping recover if keys are lost, forgotten, or the KMS server has failed (Art. 7(3)).

Monitoring and Auditing of Key Events (Art. 6(5))

Veeam generates specific events and logs for key management actions. Some useful Event IDs are:

  • Event ID 31700 is sent when an encryption password is changed.
  • Event ID 31800 is sent when an encryption password is deleted.
  • Event ID 42500 logs when a KMS key rotation is completed.

These events support compliance monitoring, incident response, and audit trails as Article 6(5) requires.
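As an added example that is not part of the post, the following Python routine turns an exported Windows event log into an audit trail containing only the three key-management events listed above. It assumes the events were exported with wevtutil qe "Veeam Backup" /f:xml and then wrapped in one root element, because wevtutil emits bare Event elements; the "Veeam Backup" log name is an assumption, so check which log your server writes to. The sample XML, host name, message texts and the unrelated event ID 150 are all constructed for the example.

```python
"""Extract Veeam key-management events from an exported Windows event log.

Added example, not part of the blog post. Input is the XML produced by
  wevtutil qe "Veeam Backup" /f:xml
wrapped in one root element (wevtutil emits bare <Event> elements). The log
name "Veeam Backup" is an assumption; check which log your server writes to.
"""
from collections import Counter
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Event IDs named in the post and what each one records.
KEY_EVENTS = {31700: "encryption password changed",
              31800: "encryption password deleted",
              42500: "KMS key rotation completed"}

# Constructed sample export: three key-management events plus one unrelated
# job event (ID 150 is made up for the example). Not real server output.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Veeam Backup"/><EventID>31700</EventID>
 <TimeCreated SystemTime="2025-03-01T08:15:00Z"/><Computer>vbr01.example.invalid</Computer>
 </System><EventData><Data>Encryption password 'DORA-2025' was changed by EXAMPLE\\backupadmin</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Veeam Backup"/><EventID>150</EventID>
 <TimeCreated SystemTime="2025-03-01T08:20:00Z"/><Computer>vbr01.example.invalid</Computer>
 </System><EventData><Data>Backup job 'SQL-Daily' finished with Success</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Veeam Backup"/><EventID>42500</EventID>
 <TimeCreated SystemTime="2025-03-02T01:00:00Z"/><Computer>vbr01.example.invalid</Computer>
 </System><EventData><Data>Key rotation completed on KMS server 'corp-kms'</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Veeam Backup"/><EventID>31800</EventID>
 <TimeCreated SystemTime="2025-03-02T09:30:00Z"/><Computer>vbr01.example.invalid</Computer>
 </System><EventData><Data>Encryption password 'Old-2023' was deleted by EXAMPLE\\backupadmin</Data></EventData></Event>
</Events>"""


def parse_key_events(xml_text):
    """Return one audit record per key-management event, in log order."""
    records = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        event_id = int(system.findtext(NS + "EventID", "0"))
        if event_id not in KEY_EVENTS:
            continue  # job results and other noise are not part of the key audit trail
        created = system.find(NS + "TimeCreated")
        records.append({
            "time": created.get("SystemTime", "") if created is not None else "",
            "computer": system.findtext(NS + "Computer", ""),
            "event_id": event_id,
            "action": KEY_EVENTS[event_id],
            "message": " ".join(d.text or "" for d in ev.iter(NS + "Data")),
        })
    return records


def audit_summary(records):
    """Count events per action: the figures to put in the Article 6(5) evidence."""
    return dict(Counter(r["action"] for r in records))


def audit_lines(records):
    """One line per event, suitable for appending to a written audit trail."""
    return [f'{r["time"]} {r["computer"]} [{r["event_id"]}] {r["action"]}: {r["message"]}'
            for r in records]


if __name__ == "__main__":
    for line in audit_lines(parse_key_events(SAMPLE_XML)):
        print(line)
```

Feeding a real export to parse_key_events gives you the per-event lines for the audit file and audit_summary gives the counts; a deletion (31800) that is not preceded by a change (31700) on the same day is the kind of sequence worth a second look during review.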

Updating Cryptographic Controls (Art. 6(4))

Veeam implements strong encryption standards (such as AES-256 and TLS), and updates cryptographic technology as needed. Organizations are responsible for reviewing and updating cryptographic protocols, as Article 6(4) requires. While post-quantum cryptography (PQC) is an important and evolving topic, it deserves its own dedicated blog post. For now, this article focuses on current, widely adopted standards.

Note

Veeam does not provide built-in automatic rotation for password-based job keys; automatic rotation is only available if supported by the external KMS. The Veeam Backup & Replication v13 REST API lets you change and check (NEW v13) encryption passwords. An updated version of the Python script shown below is already being worked on to support the management of the encryption keys.

Reporting Script for Veeam Encryption Settings

Of course, no blog post of mine would be complete without a Python script!

The script connects to a Veeam Backup & Replication server via the REST API, creating a report about your encryption settings. It provides details on:

  • Backup jobs and whether encryption is enabled
  • Certificates installed on the backup server
  • Stored encryption passwords (keys)
  • Configured KMS servers

You can generate the report in three different formats:

  • As a readable table in your console (default)
  • As JSON output (useful for automation or further processing)
  • As an HTML report with a clear table layout

(Screenshot: Sample Veeam Encryption HTML Report)
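The post's own script is not reproduced on this page, so what follows is an added example of mine, not the author's code, showing how such a report can be built against the VBR REST API with nothing but the Python standard library. The token endpoint /api/oauth2/token, the collection paths /api/v1/jobs, /api/v1/encryptionPasswords and /api/v1/kmsServers, the x-api-version value 1.1-rev2, the "data" wrapper on list responses and the nested storage.advancedSettings.storageData.encryption field on a job are my understanding of the v12 API and are assumptions to verify against the v13 reference; the certificate inventory is left out because I am not certain of its endpoint. The sample payloads are constructed so the reporting part runs offline.

```python
"""Report Veeam Backup & Replication encryption settings via the REST API.

Added example, not the blog post's script. Endpoint paths, the x-api-version
value and the JSON field names are assumptions based on the v12 API
(1.1-rev2); verify them against the reference for the version you run.
"""
import json
import urllib.parse
import urllib.request
from html import escape

API_VERSION = "1.1-rev2"  # assumption: version header the server expects
FIELDS = {"jobs": ["name", "encrypted", "key"],       # columns per section
          "passwords": ["id", "hint", "modified"],
          "kms": ["name", "address"]}


def api_request(base_url, path, token=None, form=None, ctx=None):
    """One HTTPS call. Pass an ssl.SSLContext that trusts your VBR certificate
    as ctx; the default context verifies certificates, keep it that way."""
    headers = {"x-api-version": API_VERSION}
    data = None
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(base_url + path, data=data, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def collect(base_url, username, password, ctx=None):
    """Log in with the password grant and fetch the collections the report uses.
    List responses are assumed to wrap their items in a "data" array."""
    token = api_request(base_url, "/api/oauth2/token", form={
        "grant_type": "password", "username": username, "password": password},
        ctx=ctx)["access_token"]
    paths = {"jobs": "/api/v1/jobs", "passwords": "/api/v1/encryptionPasswords",
             "kms": "/api/v1/kmsServers"}
    return {name: api_request(base_url, path, token, ctx=ctx).get("data", [])
            for name, path in paths.items()}


def build_report(raw):
    """Flatten payloads into rows and list every job with encryption off."""
    jobs = []
    for job in raw.get("jobs", []):
        enc = (job.get("storage", {}).get("advancedSettings", {})
               .get("storageData", {}).get("encryption", {}))  # assumed nesting
        jobs.append({"name": job.get("name", ""),
                     "encrypted": bool(enc.get("isEnabled")),
                     "key": "KMS" if enc.get("kmsServerIdOrNull")
                            else enc.get("encryptionPasswordTag") or "-"})
    passwords = [{"id": p.get("id", ""), "hint": p.get("hint", ""),
                  "modified": p.get("modificationTime", "")}
                 for p in raw.get("passwords", [])]
    kms = [{"name": k.get("name", ""), "address": k.get("address", "")}
           for k in raw.get("kms", [])]
    return {"jobs": jobs, "passwords": passwords, "kms": kms,
            "unencrypted_jobs": [j["name"] for j in jobs if not j["encrypted"]]}


def render(report, fmt="table"):
    """Render the report as a console table (default), JSON or HTML."""
    if fmt == "json":
        return json.dumps(report, indent=2)
    out = ["<html><body>"] if fmt == "html" else []
    for section, cols in FIELDS.items():
        rows = [[str(r[c]) for c in cols] for r in report[section]]
        if fmt == "html":
            out.append(f"<h2>{escape(section)}</h2><table><tr>"
                       + "".join(f"<th>{escape(c)}</th>" for c in cols) + "</tr>")
            out += ["<tr>" + "".join(f"<td>{escape(v)}</td>" for v in r) + "</tr>"
                    for r in rows]
            out.append("</table>")
        else:
            widths = [max(len(v) for v in col) for col in zip(cols, *rows)]
            out.append(f"== {section} ==")
            out += ["  ".join(v.ljust(w) for v, w in zip(r, widths))
                    for r in [cols] + rows]
    if fmt == "html":
        out.append("</body></html>")
    return "\n".join(out)


# Constructed sample payloads in the assumed API shape (not real server output).
SAMPLE = {
    "jobs": [
        {"name": "SQL-Daily", "storage": {"advancedSettings": {"storageData": {"encryption":
            {"isEnabled": True, "encryptionPasswordTag": "DORA-2025", "kmsServerIdOrNull": None}}}}},
        {"name": "Fileserver-Weekly", "storage": {"advancedSettings": {"storageData": {"encryption":
            {"isEnabled": True, "kmsServerIdOrNull": "kms-id-placeholder"}}}}},
        {"name": "Test-VMs", "storage": {"advancedSettings": {"storageData": {"encryption":
            {"isEnabled": False}}}}}],
    "passwords": [{"id": "pw-id-placeholder", "hint": "DORA-2025",
                   "modificationTime": "2025-02-10T09:00:00Z"}],
    "kms": [{"name": "corp-kms", "address": "kms.example.invalid"}],
}

if __name__ == "__main__":
    print(render(build_report(SAMPLE)))
```

Run as is, it prints the console table from the sample data. Against a live server, call collect("https://vbr01.example.invalid:9419", user, password, ctx) with an ssl context that trusts the backup server's certificate and pass the result to build_report; the unencrypted_jobs list is the line item an auditor will want explained, and render(report, "json") is the form to feed into whatever collects your compliance evidence. The HTML renderer escapes every value, so job names and password hints cannot inject markup into the report.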

Conclusion

Meeting DORA’s requirements in Articles 6 & 7 for encryption and key management is very doable with Veeam. You get strong data encryption at rest, transit encryption, external KMS support, etc. The trick is in how you manage your keys over time, document the policies, and produce evidence for audits. If you follow these recommendations, you’ll be well placed to comply with DORA and protect your data effectively.

Very cool Steve! Thanks for sharing... gonna test it out 👍🏻


This is very interesting and something I will definitely be checking out. Thanks for sharing Steve.