This section describes how to configure Veeam backup jobs to use CryptoHub for encryption. You can enable KMS encryption when creating a new job or by editing an existing job.

Supported job types

You can enable CryptoHub encryption for the following job types:
  • Backup jobs
  • Backup copy jobs
  • Veeam Agent backup jobs (managed mode)
  • Application backup policies (managed mode)
  • File backup jobs
  • Object storage backup jobs
  • Transaction log backup jobs
  • Transaction log backup copy jobs
  • VeeamZIP jobs
Configuration backup jobs do not support KMS encryption. These jobs use password-based encryption only.

Enabling encryption for a new backup job

The following procedure describes how to enable CryptoHub encryption when creating a new backup job. The steps apply to VM backup jobs; other job types follow a similar workflow.
1. In the Veeam Backup & Replication console, navigate to Home > Jobs.
2. Select Backup Job from the ribbon, then select the appropriate workload type (for example, Virtual machine > VMware vSphere).
3. Complete the job wizard steps for name, virtual machines, and storage until you reach the Storage step.
4. On the Storage step, select Advanced.
5. In the Advanced Settings dialog, select the Storage tab.
6. Select the Enable backup file encryption checkbox.
7. In the Password dropdown, select your CryptoHub KMS server.
   The dropdown displays both password-based encryption keys and KMS servers. KMS servers appear by their configured description (for example, CryptoHub Production - Data Center 1).
8. If you have not previously configured password loss protection and have a Veeam Backup Enterprise Manager connection, Veeam displays a Loss protection disabled warning. Select Manage passwords to configure password loss protection, or proceed without it.
   If you enable password loss protection, you can recover encrypted backups through Veeam Backup Enterprise Manager if CryptoHub becomes unavailable. For production environments, Futurex recommends enabling this feature as a disaster recovery safeguard.
9. Select OK to close the Advanced Settings dialog.
10. Complete the remaining job wizard steps and select Finish.
The backup job is configured to encrypt backup files using keys managed by CryptoHub. Encryption begins with the next job run.

Enabling encryption for an existing backup job

You can add CryptoHub encryption to an existing backup job. New backup files created after the change are encrypted; existing backup files in the chain remain unencrypted.
1. In the Veeam Backup & Replication console, navigate to Home > Jobs > Backup.
2. Right-click the backup job and select Edit.
3. In the job wizard, select Storage in the left navigation pane.
4. Select Advanced.
5. In the Advanced Settings dialog, select the Storage tab.
6. Select the Enable backup file encryption checkbox.
7. In the Password dropdown, select your CryptoHub KMS server.
8. Select OK to close the Advanced Settings dialog.
9. Select Finish to save the job.
Backup files created by subsequent job runs are encrypted using CryptoHub. To encrypt the entire backup chain, create an active full backup after enabling encryption.

Creating an encrypted active full backup

After enabling encryption on an existing job, the next incremental backup is encrypted, but earlier restore points remain unencrypted. To create a fully encrypted backup chain, run an active full backup.
1. In the Veeam Backup & Replication console, navigate to Home > Jobs > Backup.
2. Right-click the backup job and select Active Full.
3. Select Yes to confirm.
Veeam creates a new full backup file encrypted with CryptoHub. Subsequent incremental backups chain to this encrypted full backup.

Enabling encryption for backup copy jobs

Backup copy jobs can use different encryption settings than the source backup job. This allows you to encrypt secondary copies even if the primary backup is unencrypted.
1. In the Veeam Backup & Replication console, navigate to Home > Jobs > Backup Copy.
2. Right-click the backup copy job and select Edit.
3. In the job wizard, select Target in the left navigation pane.
4. Select Advanced.
5. In the Advanced Settings dialog, select the Storage tab.
6. Select the Enable backup file encryption checkbox.
7. In the Password dropdown, select your CryptoHub KMS server.
8. Select OK, then select Finish.
Backup copies created by this job are encrypted independently of the source backup encryption settings.

Enabling encryption for VeeamZIP jobs

VeeamZIP creates ad-hoc full backups of individual VMs. You can enable CryptoHub encryption when creating a VeeamZIP backup.
1. In the Veeam Backup & Replication console, navigate to Inventory and select the virtualization platform (for example, VMware vSphere).
2. In the inventory tree, locate and right-click the VM.
3. Select VeeamZIP.
4. In the VeeamZIP dialog, configure the destination and other settings.
5. Select the Enable backup file encryption checkbox.
6. In the Password dropdown, select your CryptoHub KMS server.
7. Select OK.
Veeam creates an encrypted VeeamZIP backup file using CryptoHub.

Changing encryption settings

You can change the encryption key for a backup job at any time. The new key applies to backup files created after the change.
If you change from one KMS server to another, or from KMS encryption to password-based encryption, ensure that you retain access to all previously used keys. You need each key to restore from backup files encrypted with that key.

Switching KMS servers

1. Edit the backup job and navigate to Storage > Advanced > Storage tab.
2. In the Password dropdown, select the new KMS server.
3. Select OK, then select Finish.

Disabling encryption

1. Edit the backup job and navigate to Storage > Advanced > Storage tab.
2. Clear the Enable backup file encryption checkbox.
3. Select OK, then select Finish.
Existing encrypted backup files remain encrypted. Only new backup files are created without encryption.