Backup Encryption
Should I encrypt my backup data?
Backups should be encrypted whenever they contain any data that is important to an organization and there is any chance that the data could be accessed by non-authorized organizations.
Veeam uses AES-256 bit encryption and public key encryption. Encryption works at the source side. Veeam Backup & Replication reads the source, encodes data blocks, transfers them to the target side in the encrypted format and stores the data to a file in the backup repository. By default, Veeam Backup & Replication encrypts network traffic travelling between public networks.
5 key encryption lessons from the field. - 6 minute read.
Important Note: Be sure to enable encryption in the "Veeam Configuration Backup".
Important Note: Use an "Out-of-band" password management tool, outside of your recovery domain: No password/no recovery.
Note: Encrypted data is not a candidate for deduplication. Encrypted data is, however, a candidate for compression.
NIST SP 800-209 Security Guidelines for Storage Infrastructure
Veeam Help Center...
Veeam Best Practices...
Friday Tech Bites: Data Protection Best Practices - Backup Encryption
How to achieve Data Efficiency using Deduplication, Compression & Encryption
AES 256 encryption
AES-256 ("Advanced Encryption Standard" or "Rijndael Algorithm") is the strongest encryption standard. It has a key length of 256 bits and is considered unbreakable by brute force attacks based on current computing power (by comparison, a 56-bit DES key can be cracked in less than a day).
AES Explained (Advanced Encryption Standard) - Computerphile (14:13 minute video)
256-bit key length: 1.1 x 10^77. This results in 984,665,640,564,039,457,584,007,913,129,639,936 possible combinations!!
Veeam uses AES-256 bit encryption and public key encryption.
There has yet to be a single instance of AES-256 ever being hacked into. There are simply not enough bits available to recover the original data from the hash alone. AES-256 uses 14 rounds of encryption, compared to 10 rounds for AES-128 and 12 rounds for AES-192. AES-256 does, however, consume 40% more computer system resources than AES-192. The only potential weakness is the key that you choose to use (so... yeah... choose a strong key!).
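The point about key choice, as an added example (not Veeam's code and not part of the original page): an attacker guesses the password rather than the raw 256-bit key, so the effective strength is the smaller of the two. PBKDF2-HMAC-SHA256, the 600,000 iteration count and the 94-symbol alphabet are assumptions chosen for illustration; the page does not say how Veeam derives keys from passwords.

```python
import hashlib
import math
import secrets
import string

AES256_KEY_BITS = 256
# 94 printable ASCII symbols; an assumed alphabet for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def effective_key_bits(length: int, alphabet_size: int) -> float:
    """Brute force targets the password, so strength is capped by its entropy."""
    return min(AES256_KEY_BITS, password_entropy_bits(length, alphabet_size))


def min_length_for(bits: int, alphabet_size: int) -> int:
    """Shortest random password that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(length: int) -> str:
    """Random password from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch a password into a 32-byte (256-bit) key (assumed KDF: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    print(f"8 lowercase letters : {effective_key_bits(8, 26):.1f} bits")
    need = min_length_for(AES256_KEY_BITS, len(ALPHABET))
    print(f"full 256 bits needs : {need} random chars from {len(ALPHABET)}")
    password, salt = generate_password(need), secrets.token_bytes(16)
    key = derive_key(password, salt)
    # Same password + salt always yields the same key; lose the password, lose the key.
    assert key == derive_key(password, salt)
    print(f"derived key length  : {len(key) * 8} bits")
```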
AES is defined in: "FIPS PUB 197: Advanced Encryption Standard (AES)" and "ISO/IEC 18033-3: Block ciphers"
NOTE: Encrypting your data should be part of your multi-layered Ransomware protection strategy.