Should I Enable backup file encryption for Veeam Backups?

Steve Hood
Steve Hood used Ask the Experts™
Hi All,

Wondering should I enable backup file encryption for my Veeam backups? It make seance to do so of course but will it have a significant impact on backup and restore times?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017
Does it make sense to do it ?

Are your backups at risk ?

If you do decide, make sure you have good documentation, and document the password to encrypt!

and when you've documented the passwords and keys, how then has access to them, and is this protected and by who ?

As for performance, on backup and restore not really noticeable if encryption is enabled.
Philip ElderTechnical Architect - HA/Compute/Storage
We enable encryption for all at-rest Veeam and ShadowProtect backups. Otherwise the data is there for the taking.
btanExec Consultant
Distinguished Expert 2018
The only way (or minimally to do is) to adequately protect that data is through encryption. It is also for compliance which you can check with your security folks. HIPAA, for example, requires companies to protect sensitive data against exposure. As such, an unencrypted backup tape could possibly be considered a direct violation.

That said not forget the need to come up with a comprehensive plan for protecting the (encryption) key management system. Typically, this means backing it up separately from everything else and storing those backups in a way that makes it easy to retrieve the keys in the event of a major disaster (part of business continuity and data recovery plan).

Also take note of security consideration to reduce data leakage risk

It is a valid concern for performance so it is more of testing in your environment. The scheduled backup and approach for backup would be discussed.
It is not recommended that you install Veeam Backup & Replication and its components on mission-critical machines in the production environment such as VMware vCenter Server, Domain Controller, Microsoft Exchange Server, Small Business Server/ Windows Server Essentials and so on. If possible, install Veeam Backup & Replication and its components on dedicated machines. Backup infrastructure component roles can be co-installed.
and of course meet the requirements for the platform to support the backup. Below just an example

You can note this consideration
Data encryption has a negative effect on the deduplication ratio if you use a deduplicating storage appliance as a target. Veeam Backup & Replication uses different encryption keys for every job session. For this reason, encrypted data blocks sent to the deduplicating storage appliances appear as different though they may contain duplicate data. If you want to achieve a higher deduplication ratio, you can disable data encryption.
btanExec Consultant
Distinguished Expert 2018

for author advice

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial