This section describes how Veeam Backup & Replication decrypts backup files encrypted with CryptoHub. In most scenarios, decryption occurs automatically. Manual decryption is required only when Veeam cannot reach CryptoHub or when importing backups with mixed encryption history.
How automatic decryption works
When you restore data from a backup encrypted with CryptoHub, Veeam automatically retrieves the decryption key from CryptoHub. No manual intervention is required if the following conditions are met:
- The Veeam Backup & Replication server has network connectivity to CryptoHub.
- The CryptoHub KMS server is registered in Veeam with valid certificates.
- The key used to encrypt the backup has not been destroyed on CryptoHub.
The automatic decryption workflow is:
- Veeam reads the encrypted data encryption key (DEK) and key metadata from the backup file.
- Veeam sends the encrypted DEK to CryptoHub via KMIP.
- CryptoHub decrypts the DEK using the stored private key and returns the plaintext DEK.
- Veeam uses the DEK to decrypt the backup data.
If CryptoHub supports OAEP with SHA-1, decryption occurs entirely on CryptoHub and the private key never leaves the HSM boundary. If CryptoHub does not support OAEP with SHA-1, Veeam retrieves the private key, performs decryption locally, and discards the key immediately after the operation.
Automatic decryption during import
When you import backup files from external media or a relocated repository, Veeam attempts automatic decryption if the backup was encrypted with a KMS key.
Import workflow
- Veeam reads the backup metadata and identifies the encryption key ID.
- Veeam queries all registered KMS servers for a matching key.
- If a match is found, Veeam decrypts the backup automatically.
- The backup appears under Backups > Disk (Imported) in the console.
When manual decryption is required
Manual decryption is required in the following scenarios:
| Scenario | Reason |
|---|---|
| CryptoHub is not registered in Veeam | Veeam cannot query the KMS server for the decryption key. |
| Importing to a new Veeam installation | The new installation has no KMS server configured. |
| Network connectivity to CryptoHub is unavailable | Veeam cannot reach CryptoHub to retrieve the key. |
| Backup chain uses multiple encryption keys | The backup contains files encrypted with different KMS keys or a mix of KMS and password-based encryption. |
| KMS key was destroyed on CryptoHub | The private key required for decryption no longer exists. |
Manually decrypting backups
Use the following procedure to decrypt backup files that could not be decrypted automatically.
Before you begin
Verify the following:
- You have access to the Veeam Backup & Replication console.
- CryptoHub is registered as a KMS server in Veeam, or you have configured it as part of this procedure.
- Network connectivity exists between the Veeam server and CryptoHub.
Procedure
Right-click the backup and select Specify Password. Alternatively, select the backup and select Specify Password from the ribbon.
In the Retrieve Encryption Key from KMS dialog, verify the following fields:
| Field | Description |
|---|---|
| Encryption key ID | The unique identifier of the KMS key used to encrypt the backup. This value is read-only. |
| KMS server | The CryptoHub server that holds the corresponding private key. Select the correct server from the dropdown if multiple KMS servers are registered. |
If CryptoHub is not registered in Veeam, select Manage KMS to add it. See Adding the KMS server in Veeam for the procedure.
Veeam contacts CryptoHub, retrieves the decryption key, and decrypts the backup. The backup moves from Disk (Encrypted) to Disk (Imported).
Decrypting backups with multiple encryption keys
If a backup chain was encrypted with multiple keys over time, you must provide all keys to fully decrypt the chain. This occurs when:
- The KMS key was rotated on CryptoHub and Veeam created backups with both the old and new keys.
- Encryption was changed from password-based to KMS-based (or vice versa).
- Different backup files in the chain were encrypted with different KMS servers.
Import method determines key requirements
The number of keys you must provide depends on how you import the backup:
| Import method | Key requirement |
|---|---|
| Import from metadata file (VBM) | Provide only the most recent KMS key or password used to encrypt the chain. Veeam reads key history from the metadata file. |
| Import from full backup file (VBK) | Provide all KMS keys and passwords used to encrypt any file in the chain. |
Procedure for multiple keys
If multiple keys are required, Veeam displays the Multiple Passwords dialog with a list of encryption keys. The list shows:
| Column | Description |
|---|---|
| Description | The key description or key ID. Password-based keys show the password hint. KMS keys show the key ID. |
| Original KMS | For KMS keys, the IP address or hostname of the original KMS server. |
| Status | Indicates whether the key has been provided. |
For each KMS key in the list:
a. Select the key entry.
b. Select Set.
c. In the dialog, select the CryptoHub server from the KMS server dropdown.
d. Select OK.
For each password-based key in the list:
a. Select the key entry.
b. Select Set.
c. Enter the encryption password.
d. Select OK.
Veeam decrypts all backup files in the chain using the provided keys. The backup moves to Disk (Imported).
Decrypting tape backups
Tape backups encrypted with CryptoHub follow a similar decryption workflow, with additional considerations for tape media handling.
Automatic decryption
When you catalog or restore from an encrypted tape, Veeam automatically contacts CryptoHub to retrieve the decryption key if:
- The tape library or standalone drive is connected and the tape is loaded.
- CryptoHub is registered in Veeam with valid certificates.
- Network connectivity exists between the Veeam server and CryptoHub.
Manual decryption
If automatic decryption fails, you must decrypt the tape before cataloging or restoring. Veeam decrypts the tape catalog and backup data using CryptoHub.
For detailed tape decryption procedures, including offline and disaster recovery scenarios, see the Veeam Backup & Replication User Guide section on tape encryption.
Emergency decryption with Veeam Backup Enterprise Manager
If CryptoHub is unavailable due to a disaster or permanent failure, you can decrypt backups using Veeam Backup Enterprise Manager if password loss protection was enabled when the backup was created.
Prerequisites
- Veeam Backup Enterprise Manager is deployed and connected to the Veeam Backup & Replication server.
- Password loss protection was enabled in the job or storage encryption settings at the time the backup was created.
- You have access to the Veeam Backup Enterprise Manager web console.
How password loss protection works
When password loss protection is enabled, Veeam encrypts a copy of each data encryption key using the Enterprise Manager certificate. This encrypted key copy is stored in the backup file alongside the KMS-encrypted copy. If the KMS key becomes unavailable, Enterprise Manager can decrypt the backup using its own certificate.
Requesting decryption from Enterprise Manager
Veeam retrieves the decryption key from Enterprise Manager and decrypts the backup. The backup moves to Disk (Imported).
For complete Enterprise Manager decryption procedures, see the Veeam Backup Enterprise Manager User Guide.
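The following Go program is an added example, not Veeam's or Futurex's code, and it does not reproduce the real backup file format. It models the key layout the two sections above describe: each backup is encrypted under its own data encryption key (DEK), the DEK is wrapped with the KMS key (RSA-OAEP with SHA-1, the variant named under automatic decryption), and, when password loss protection is on, a second copy of the DEK is wrapped with the Enterprise Manager certificate's key. The field names, the use of AES-GCM for the payload and the RSA key pairs generated in place of CryptoHub and Enterprise Manager are all assumptions made for the illustration. The point it demonstrates is why the feature must be enabled before the backup is written: with the KMS key gone, a backup that carries no Enterprise Manager copy cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// WrappedBackup is a constructed model of the key material a backup carries
// (assumption: not the real Veeam format). EMWrapped is nil when password
// loss protection was not enabled at creation time.
type WrappedBackup struct {
	KeyID      string // identifier of the KMS key that wrapped the DEK
	Nonce      []byte
	Ciphertext []byte
	KMSWrapped []byte // DEK wrapped by the KMS key
	EMWrapped  []byte // DEK wrapped by the Enterprise Manager key, or nil
}

// genKey stands in for a CryptoHub or Enterprise Manager key pair.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// wrapDEK and unwrapDEK stand in for the KMIP encrypt and decrypt operations,
// using RSA-OAEP with SHA-1 as the page describes.
func wrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, dek, nil)
}

func unwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateBackup generates a fresh 256-bit DEK, encrypts plaintext with AES-GCM
// (the key ID is bound as associated data) and wraps the DEK for the KMS and,
// when emPub is non-nil, for Enterprise Manager as well.
func CreateBackup(keyID string, plaintext []byte, kmsPub, emPub *rsa.PublicKey) (*WrappedBackup, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b := &WrappedBackup{
		KeyID:      keyID,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(keyID)),
	}
	if b.KMSWrapped, err = wrapDEK(kmsPub, dek); err != nil {
		return nil, err
	}
	if emPub != nil {
		if b.EMWrapped, err = wrapDEK(emPub, dek); err != nil {
			return nil, err
		}
	}
	return b, nil
}

// Decrypt recovers the DEK through the KMS key when it is available and
// otherwise through the Enterprise Manager copy. With neither, the backup
// is unrecoverable (the last row of the troubleshooting table).
func Decrypt(b *WrappedBackup, kmsPriv, emPriv *rsa.PrivateKey) ([]byte, error) {
	var dek []byte
	var err error
	switch {
	case kmsPriv != nil:
		dek, err = unwrapDEK(kmsPriv, b.KMSWrapped)
	case emPriv != nil && b.EMWrapped != nil:
		dek, err = unwrapDEK(emPriv, b.EMWrapped)
	default:
		return nil, errors.New("KMS key unavailable and no password loss protection copy present")
	}
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.KeyID))
}

func main() {
	kmsKey, emKey := genKey(), genKey()
	b, err := CreateBackup("kms-key-0001", []byte("constructed backup payload"), &kmsKey.PublicKey, &emKey.PublicKey)
	if err != nil {
		panic(err)
	}
	// Simulate the KMS key being destroyed: only the Enterprise Manager key remains.
	pt, err := Decrypt(b, nil, emKey)
	fmt.Printf("recovered via Enterprise Manager: %q (err=%v)\n", pt, err)
}
```

Binding the key ID as GCM associated data is a design choice of the example, not something the page states about Veeam; it means a backup whose key metadata has been altered fails authentication instead of decrypting to garbage, which is the behaviour you want from any envelope format.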
Troubleshooting decryption failures
Use the following table to diagnose decryption failures.
| Symptom | Probable cause | Resolution |
|---|---|---|
| Backup remains in Disk (Encrypted) after specifying KMS server | CryptoHub cannot find the key ID | Verify that the key has not been destroyed on CryptoHub. Check CryptoHub key lifecycle policies. |
| "Key not found" error | Key was destroyed or never synchronized | If the key was rotated, ensure Veeam's 24-hour sync job has run. Manually trigger a sync by editing and saving the KMS server configuration. |
| Connection timeout during decryption | Network connectivity issue | Verify that the Veeam server can reach CryptoHub on port 5696. |
| Certificate error during decryption | Client certificate expired or revoked | Update the client certificate in Veeam. See Adding the KMS server in Veeam. |
| "Access denied" from CryptoHub | Client certificate not authorized for the key | Verify that the client certificate has permission to access the key on CryptoHub. Check CryptoHub access policies. |
| Multiple Passwords dialog shows unknown keys | Backup chain includes keys from a different KMS server | Register the original KMS server in Veeam, or use password loss protection if available. |
| Password loss protection unavailable | Feature was not enabled when backup was created | If CryptoHub is permanently unavailable, the backup cannot be decrypted. Restore CryptoHub from backup or contact Futurex support. |
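The connection timeout and certificate rows of the table above can be checked without opening the Veeam console. The Go program below is an added example, not a Veeam or Futurex tool: it performs a TLS handshake to the KMIP port (5696, the port named in the table) with the Veeam client certificate and maps the resulting Go error onto the table's "Probable cause" column. It sends no KMIP request; the handshake alone exercises reachability and both certificates. The certificate file paths and the five-second timeout are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Diagnosis mirrors the "Probable cause" column of the troubleshooting table.
type Diagnosis string

const (
	DiagOK          Diagnosis = "TLS handshake with the KMIP endpoint succeeded"
	DiagNetwork     Diagnosis = "network connectivity issue: verify the Veeam server can reach CryptoHub on port 5696"
	DiagCertificate Diagnosis = "certificate error: client or server certificate expired, untrusted or mismatched"
	DiagOther       Diagnosis = "other failure: inspect the error text"
)

// ClassifyDialError maps the error from a TLS connection attempt to a table row.
// Certificate problems are checked first because they are the more specific cause;
// anything that arrives as a net.OpError (timeout, refused, unreachable, DNS) is
// reported as a connectivity issue.
func ClassifyDialError(err error) Diagnosis {
	if err == nil {
		return DiagOK
	}
	var invalid x509.CertificateInvalidError // expired, not yet valid, wrong usage
	var unknownCA x509.UnknownAuthorityError // chain does not end in a trusted root
	var hostMismatch x509.HostnameError      // certificate not issued for this host
	if errors.As(err, &invalid) || errors.As(err, &unknownCA) || errors.As(err, &hostMismatch) {
		return DiagCertificate
	}
	var netErr net.Error
	if errors.As(err, &netErr) && netErr.Timeout() {
		return DiagNetwork
	}
	var opErr *net.OpError
	if errors.As(err, &opErr) {
		return DiagNetwork
	}
	return DiagOther
}

// CheckKMIP opens a TLS session to host:5696 using the Veeam client certificate
// and returns the diagnosis. roots may be nil to use the system trust store.
func CheckKMIP(host string, clientCert tls.Certificate, roots *x509.CertPool, timeout time.Duration) Diagnosis {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      roots,
		ServerName:   host,
	}
	dialer := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(dialer, "tcp", net.JoinHostPort(host, "5696"), cfg)
	if err != nil {
		return ClassifyDialError(err)
	}
	conn.Close()
	return DiagOK
}

func main() {
	// Assumed invocation: kmipcheck <cryptohub-host> <client-cert.pem> <client-key.pem>
	if len(os.Args) < 4 {
		fmt.Println("usage: kmipcheck <cryptohub-host> <client-cert.pem> <client-key.pem>")
		return
	}
	cert, err := tls.LoadX509KeyPair(os.Args[2], os.Args[3])
	if err != nil {
		fmt.Println("cannot load client certificate:", err)
		return
	}
	fmt.Println(CheckKMIP(os.Args[1], cert, nil, 5*time.Second))
}
```

A successful handshake does not prove the "Access denied" row is clear: key-level authorization is enforced by CryptoHub when the KMIP request names the key, so a clean result here narrows the problem to the last two rows of the table rather than ruling them out.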