Article: 100052414
Last Published: 2025-11-07
Product(s): Backup Exec
Description
Backup Exec provides support for encrypted VMware Virtual Machines starting with VMware 6.5.
Backup of Encrypted VMs
- Backup Exec allows you to back up encrypted VMs.
- The Virtual Machines must be preconfigured for VM Encryption per the VMware documentation: "Encrypt an Existing Virtual Machine or Virtual Disk" and "Virtual Machine Encryption".
- VMware 6.5, 6.7, 7.0, 8.0 or 9.0 is required.
- NBDSSL or Network transport mode with SSL is supported for backing up encrypted virtual disks or machines.
- An encrypted VM can be backed up using the HotAdd method if the Backup Exec server VM is encrypted as well. Permissions required: Cryptographer.Access, Cryptographer.AddDisk.
- No additional job settings are required except for the Transport mode and optional Backup Set Software or Hardware Encryption.
- File GRT and Application GRT are supported during backup.
- Backups of encrypted Virtual Machines are stored in unencrypted format “at rest” on the target media (VMware VDDK limitation).
- NOTE: When you enable Backup Exec Software encryption for GRT-enabled backup jobs sent to disk, deduplication, or disk cartridge devices, Backup Exec does not store the granular backup sets on disk in encrypted form. Only the backup sets for the backup sources that do not support GRT are stored in encrypted form.
- All the backup sets for backup jobs sent to cloud, Open Storage, and tape drives are stored encrypted if Backup Exec Software or Hardware Encryption (Tape) is enabled in the Job.
- Backup Exec's "Ransomware Resilience" feature, enabled by default, is useful for providing an extra layer of security to disk storage hosted on a Media Server. See "How Backup Sets are protected by Ransomware Resiliency feature in Backup Exec" and "Backup Exec Ransomware Resilience Best Practices".
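
The HotAdd precondition above can be checked before a job is configured. The following PowerCLI script is an added example, not part of the original article or of Backup Exec. It assumes an existing Connect-VIServer session, and the role and VM names are placeholders to replace with your own.

```powershell
# Added example: pre-flight check for backing up encrypted VMs with HotAdd.
# Assumptions: VMware PowerCLI is loaded and Connect-VIServer has been run.
$RoleName       = 'BackupExecRole'   # placeholder: role used by the Backup Exec logon account
$BackupServerVM = 'BE-SERVER-VM'     # placeholder: VM that runs the Backup Exec server

# Privileges the article lists for HotAdd of encrypted VMs.
$required = 'Cryptographer.Access', 'Cryptographer.AddDisk'

# Which of the required privileges are absent from the role?
$role    = Get-VIRole -Name $RoleName -ErrorAction Stop
$missing = @($required | Where-Object { $role.PrivilegeList -notcontains $_ })

# A VM is encrypted when its configuration carries a key identifier.
$beVm        = Get-VM -Name $BackupServerVM -ErrorAction Stop
$beEncrypted = $null -ne $beVm.ExtensionData.Config.KeyId

# Inventory of encrypted VMs that the backup selection may include.
$encryptedVMs = @(Get-VM | Where-Object { $null -ne $_.ExtensionData.Config.KeyId })

$hotAddOk = $beEncrypted -and ($missing.Count -eq 0)

[pscustomobject]@{
    EncryptedVMCount        = $encryptedVMs.Count
    EncryptedVMs            = $encryptedVMs.Name -join ', '
    BackupServerVMEncrypted = $beEncrypted
    MissingPrivileges       = $missing -join ', '
    HotAddSupported         = $hotAddOk
    # NBDSSL is the transport the article lists as supported for encrypted disks.
    SuggestedTransport      = if ($hotAddOk) { 'HotAdd or NBDSSL' } else { 'NBDSSL' }
} | Format-List
```

Whichever transport is used, the backup sets are stored unencrypted on the target media unless Backup Exec Software or Hardware Encryption is enabled in the job, subject to the GRT note above.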
Restore of Encrypted VMs
- You can back up an encrypted VM and restore it only as unencrypted.
- You can restore VMs back to VMware datastores where the VM Encryption policy is assigned, then re-encrypt the VM manually.
- The common Key Management Server (KMS) is not required during a restore job.
- Restores or redirected restores of VMs can be performed back to vCenter, ESXi hosts, and NTFS file systems.
- File GRT and Application GRT are supported during restore.
Please note that this article references sites not owned or maintained by Veritas and, as such, Veritas is not responsible for the content portrayed on such sites, including any revisions to or deletions of content or third-party software on which this article relies. User is responsible for conducting all necessary due diligence prior to following the instructions described in this article.
Virtual Machine Encryption Interoperability
Virtual Machine Encryption Best Practices
How vSphere Virtual Machine Encryption Protects Your Environment