Before configuring the CryptoHub integration, verify that your environment meets the requirements in this section.

Veeam Backup & Replication requirements

Supported versions

Veeam Backup & Replication 12.1 (build 12.1.0.2131) or later is required for KMS integration.
If you use Veeam Cloud Connect, both the service provider and tenant environments must run Veeam Backup & Replication 12.1 or later.

Licensing

KMS integration requires a Veeam Data Platform Advanced or Premium license. Data decryption is available with all license types.

Console requirements

You must use the desktop version of the Veeam Backup & Replication console to configure KMS servers and manage KMS keys. The web UI does not support KMS configuration.

CryptoHub requirements

Version

  • CryptoHub 7.0.3.x or later.

Required access

  • An account on the CryptoHub with administrator permissions to deploy new services.

Key algorithm

The integration requires RSA asymmetric key pairs for KMIP clients. Veeam does not support other asymmetric algorithms (such as ECDSA) for backup encryption.

Certificate requirements

The integration requires two certificates: a server certificate that identifies CryptoHub to Veeam, and a client certificate that authenticates Veeam to CryptoHub.
The integration setup process requires you to run OpenSSL commands. You can install OpenSSL on the Windows Server where the Veeam Backup & Replication console is running, or run the commands on another computer and transfer the resulting files to that Windows Server.

Server certificate

The CryptoHub server certificate must meet the following requirements:

| Attribute | Requirement |
|---|---|
| Subject (CN) | Must match the fully qualified domain name (FQDN) of the CryptoHub server. Example: cryptohub.example.com |
| CRL Distribution Points | Must contain valid, accessible CRL URLs |
| Trust chain | If the issuing CA is not in the Veeam server’s Trusted Root Certification Authorities store, you must add it manually |

Supported import formats: PFX, CER, PEM

If you import a PEM-format certificate, the file must include the -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE----- footer.

Client certificate

The client certificate authenticates the Veeam Backup & Replication server to CryptoHub. The certificate must be exportable from the system where it was generated.

Supported import formats: PFX, PEM (split files)

If you use PEM-format files, you must provide two separate files:

| File | Format requirements |
|---|---|
| Certificate | Must include -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE----- footer |
| Private key | Must be PKCS#1 format with -----BEGIN RSA PRIVATE KEY----- header and -----END RSA PRIVATE KEY----- footer |

PKCS#8 private keys (identified by -----BEGIN PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY----- headers) are not supported. Convert PKCS#8 keys to PKCS#1 format before import.
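
A pre-import check for the split PEM files described above, as an added example that is not part of the Futurex or Veeam tooling. The function names (`pem_blocks`, `check_client_files`, `make_pem`) are hypothetical, the sample inputs are constructed placeholders, and the check covers only the PEM headers and base64 body, not the key material itself.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}  # rejected on import

def pem_blocks(text):
    """Return [(label, der)] per PEM block; der is None if the body is not base64."""
    out = []
    for label, body in PEM_RE.findall(text):
        # Skip RFC 1421 header lines such as "Proc-Type:" before decoding.
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            out.append((label, base64.b64decode(b64, validate=True)))
        except binascii.Error:
            out.append((label, None))
    return out

def check_client_files(cert_text, key_text):
    """Return the list of problems in a split-file PEM pair (empty list = OK)."""
    problems = []
    certs = [der for label, der in pem_blocks(cert_text) if label == "CERTIFICATE"]
    if not certs:
        problems.append("certificate: no BEGIN/END CERTIFICATE block")
    elif any(der is None or der[:1] != b"\x30" for der in certs):
        problems.append("certificate: body is not base64-encoded DER")
    labels = [label for label, _ in pem_blocks(key_text)]
    if any(label in PKCS8_LABELS for label in labels):
        problems.append("private key: PKCS#8 header found, convert to PKCS#1")
    elif "RSA PRIVATE KEY" not in labels:
        problems.append("private key: no BEGIN/END RSA PRIVATE KEY block")
    return problems

def make_pem(label, der):
    """Wrap bytes in PEM armor; used here only to build constructed samples."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: placeholder DER bytes, not a real certificate or key.
FAKE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_CERT = make_pem("CERTIFICATE", FAKE_DER)
SAMPLE_PKCS1 = make_pem("RSA PRIVATE KEY", FAKE_DER)
SAMPLE_PKCS8 = make_pem("PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(check_client_files(SAMPLE_CERT, SAMPLE_PKCS1))
    print(check_client_files(SAMPLE_CERT, SAMPLE_PKCS8))
```

When the check reports a PKCS#8 header, OpenSSL 3.x can write the PKCS#1 form with `openssl rsa -in key.pem -traditional -out key_pkcs1.pem` (file names are placeholders).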

Network requirements

Connectivity

The Veeam Backup & Replication server must have network access to CryptoHub on the KMIP service port.

| Source | Destination | Port | Protocol |
|---|---|---|---|
| Veeam Backup & Replication server | CryptoHub | 5696 (default) | TCP/TLS |

If your environment uses a non-standard KMIP port, specify the port number when adding the KMS server in Veeam.

Firewall considerations

Configure firewalls to allow persistent outbound connections from the Veeam server to CryptoHub. The connection is used for:
  • Initial key pair generation when encryption is enabled
  • Public key retrieval during key rotation sync (runs every 24 hours by default)
  • Private key operations during restore (decryption)
If the Veeam server cannot reach CryptoHub during a backup job, the job fails. Plan for high availability or ensure reliable network paths between the Veeam infrastructure and CryptoHub.

DNS resolution

The Veeam server must resolve the CryptoHub FQDN specified in the server certificate’s Subject field. If DNS resolution is unavailable, add a host file entry on the Veeam server or use the CryptoHub IP address (and ensure the certificate Subject matches).

Supported Veeam job and storage types

Supported configurations

The following Veeam job and storage types support KMS encryption with CryptoHub:

Job-level encryption:
  • Backup jobs
  • Backup copy jobs
  • Veeam Agent backup jobs (managed mode)
  • Application backup policies (managed mode)
  • File backup jobs
  • Object storage backup jobs
  • Transaction log backup jobs
  • Transaction log backup copy jobs
  • VeeamZIP jobs
Storage-level encryption:
  • Capacity tier repositories
  • Archive tier repositories
  • Tape media pools
  • GFS tape media pools
  • Backup repositories for Veeam Plug-in for Nutanix AHV
  • Backup repositories for Veeam Backup for OLVM and RHV
  • Backup repositories for Veeam Kasten
  • Backup repositories for standalone Veeam Plug-ins for Enterprise Applications

Unsupported configurations

The following configurations do not support KMS encryption:
  • Configuration backup jobs — These jobs use password-based encryption only.
  • Veeam Agent backup jobs in standalone mode — Agents not managed by Veeam Backup & Replication cannot use KMS keys.
  • Backup repositories storing standalone Veeam Agent backups — Use password-based encryption for these repositories.

Veeam Cloud Connect considerations

If you use Veeam Cloud Connect to store backups in a service provider’s repository, the following additional requirements apply:
  • Both the service provider and tenant must run Veeam Backup & Replication 12.1 or later.
  • If the tenant and service provider use the same KMS server, backup files stored in the tenant quota cannot be decrypted on the service provider side.
For Cloud Connect environments, KMS encryption is supported for:
  • Backup and backup copy jobs
  • Veeam Agent backup jobs (managed mode)
  • Transaction log backup copy jobs