Integrate with Veeam Backup & Replication for centralized, hardware-secured key management for backup encryption. The integration uses the Key Management Interoperability Protocol (KMIP) to enable Veeam to request, retrieve, and use encryption keys managed by CryptoHub.

About Veeam Backup & Replication

Veeam Backup & Replication is an enterprise data protection platform that creates image-level backups of virtual, physical, and cloud workloads. Organizations use Veeam to protect VMware vSphere, Microsoft Hyper-V, Nutanix AHV, AWS, Azure, and physical servers from a single management console. Veeam supports encryption at multiple levels to protect backup data at rest. By default, Veeam encrypts data using password-derived keys stored in its configuration database. For organizations that require stronger key management controls, Veeam supports integration with external Key Management System (KMS) servers via KMIP 1.4.

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within our extensive solution suite. You can operate CryptoHub within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases. When integrated with Veeam Backup & Replication, CryptoHub generates, stores, and manages the asymmetric key pairs used to protect backup encryption keys. Private keys never leave the CryptoHub boundary, ensuring that backup data remains protected even if the Veeam configuration database is compromised.

How the integration works

Veeam Backup & Replication uses a two-tier encryption model when integrated with CryptoHub:
  1. Data encryption keys (DEKs) — Veeam generates a unique symmetric key for each backup session. This key encrypts the actual backup data.
  2. Key encryption keys (KEKs) — CryptoHub generates an asymmetric RSA key pair. Veeam uses the public key to encrypt each DEK before storing it in the backup file. The private key remains on CryptoHub and is used only during restore operations.

Encryption workflow

During a backup operation:
  1. Veeam requests an asymmetric key pair from CryptoHub.
  2. CryptoHub generates an RSA key pair.
  3. CryptoHub returns the public key to Veeam.
  4. Veeam generates a session DEK.
  5. Veeam encrypts the DEK with the public key.
  6. Veeam encrypts the backup data with the DEK.
The encrypted backup file contains the encrypted data, the encrypted DEK, and key metadata.

During a restore operation:
  1. Veeam sends the encrypted DEK to CryptoHub via KMIP.
  2. CryptoHub decrypts the DEK using the stored private key.
  3. CryptoHub returns the decrypted DEK to Veeam.
  4. Veeam decrypts the backup data with the DEK.

Key rotation

Veeam runs a background synchronization job every 24 hours to retrieve updated key material from CryptoHub. When CryptoHub rotates a key pair according to its configured policy, Veeam automatically receives the new public key during the next sync cycle. Previously encrypted backups remain decryptable because CryptoHub retains all historical private keys.
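The backup, restore, and rotation flows described above can be traced in a local simulation. This is an added example, not code from Veeam or CryptoHub, and it sends no KMIP traffic: the `Kms` class, the `backup`, `restore` and `demo` functions, the `keyId` metadata field, and the choice of RSA-2048 with OAEP/SHA-256 and AES-256-GCM are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Local stand-in for CryptoHub (assumption): keeps every KEK version, exports public keys only.
class Kms {
  constructor() { this.privateKeys = []; }
  // Rotation: generate a new RSA pair and retain the older private keys.
  rotate() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.privateKeys.push(privateKey);
    return { keyId: this.privateKeys.length - 1, publicKey };
  }
  // Restore path: unwrap a DEK with the key version named in the backup's metadata.
  unwrap(keyId, wrappedDek) {
    const privateKey = Number.isInteger(keyId) ? this.privateKeys[keyId] : undefined;
    if (!privateKey) throw new Error(`unknown KEK version ${keyId}`);
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedDek);
  }
}

// Backup side: fresh DEK per session, data under the DEK, DEK under the current public key.
function backup(kek, plaintext) {
  const dek = crypto.randomBytes(32); // 256-bit DEK (assumed algorithm: AES-256-GCM)
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedDek = crypto.publicEncrypt({ key: kek.publicKey, ...OAEP }, dek);
  return { keyId: kek.keyId, wrappedDek, iv, tag: cipher.getAuthTag(), data };
}

// Restore side: the KMS unwraps the DEK, then the data is decrypted and authenticated locally.
function restore(kms, file) {
  const dek = kms.unwrap(file.keyId, file.wrappedDek);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, file.iv);
  decipher.setAuthTag(file.tag);
  return Buffer.concat([decipher.update(file.data), decipher.final()]);
}

// Constructed scenario: one backup, a rotation, a second backup, then restore both.
function demo() {
  const kms = new Kms();
  const oldFile = backup(kms.rotate(), Buffer.from('constructed backup, before rotation'));
  const newFile = backup(kms.rotate(), Buffer.from('constructed backup, after rotation'));
  const restored = [oldFile, newFile].map((f) => restore(kms, f).toString());
  return { kms, oldFile, newFile, restored };
}

console.log(demo().restored);
```

The backup taken before rotation still restores because the simulated KMS keeps the earlier private key; a file that names a key version the KMS does not hold, or whose ciphertext was altered, fails to restore.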

Supported encryption levels

CryptoHub can provide key management for Veeam encryption at two levels:

Job-level encryption

Job-level encryption protects backup data created by specific jobs. Supported job types include:
  • Backup and backup copy jobs
  • Veeam Agent backup jobs (managed by Veeam Backup & Replication)
  • Application backup policies (managed by Veeam Backup & Replication)
  • File backup jobs and object storage backup jobs
  • Transaction log backup and backup copy jobs
  • VeeamZIP jobs

Storage-level encryption

Storage-level encryption protects all data written to a specific storage target. Supported storage types include:
  • Capacity tier repositories (cloud object storage)
  • Archive tier repositories
  • Tape media pools and GFS media pools
  • Backup repositories used by Veeam Plug-in for Nutanix AHV, Veeam Backup for OLVM and RHV, Veeam Kasten, and standalone Veeam Plug-ins for Enterprise Applications

Unsupported configurations

The following configurations do not support KMS-based encryption:
  • Configuration backup jobs
  • Veeam Agent backup jobs managed directly by Veeam Agents (standalone mode)
  • Backup repositories storing standalone Veeam Agent backups

Benefits of CryptoHub integration through KMIP

Integrating CryptoHub with Veeam Backup & Replication provides the following advantages over password-based encryption:

| Capability | Password-based encryption | CryptoHub integration |
|---|---|---|
| Key storage | Veeam configuration database | FIPS 140-2 Level 3 validated HSM |
| Key rotation | Manual | Automated via policy |
| Audit logging | Limited | Comprehensive KMIP audit trail |
| Separation of duties | Backup admin controls keys | Security team controls keys |
| Disaster recovery | Password must be escrowed | Keys recoverable from CryptoHub backup |
| Compliance | Varies | Supports FIPS and PCI DSS requirements |

The integration also enables organizations to enforce consistent key management policies across backup infrastructure without modifying individual job configurations after initial setup.