We had an existing SOBR between local ReFS (Performance Tier) and S3 Object Storage (Capacity Tier) in Copy Mode.
The S3 Object Storage connection has always had encryption enabled, and this has been fine.
As part of a security review, it was decided to enable encryption on the local ReFS repository (Performance Tier) so encryption was enabled for the Backup Jobs.
This triggered a new full backup of each Backup Job, as expected.
What wasn't so expected was that this also triggered a full copy up to S3 Object Storage: each new VBK showed a full transfer of data to S3, rather than an incremental amount.
The encryption keys for local encryption and S3 Object Storage encryption are different.
I had assumed that the local backups would get decrypted and re-encrypted with the S3 encryption key [similar to if you used a Backup Copy Job with different encryption keys], but that looks not to be the case?
Does this mean that the data stored in S3 Object Storage is now effectively "double encrypted"? It would explain why the S3 Object Storage saw the new full backups as completely new data: it's all encrypted and bears no resemblance to the previous backups.
Will this cause a long-term problem with the S3 Object Storage, in that feeding it encrypted backup data would cause it not to be able to "share" blocks or similar? I don't believe so, as Veeam itself is in charge of how the data is stored in S3 Object Storage so can track shared data whether encrypted or not, but I have made a few incorrect Veeam-related assumptions recently so not entirely sure.
Thanks,
Lewis.
Statistics: Posted by Lewpy — Mar 30, 2024 8:32 am






