Using Fortanix Data Security Manager for Veeam Backup Encryption

1.0 Introduction

This article provides detailed steps for integrating Fortanix Data Security Manager (DSM) with Veeam Backup & Replication to enable backup encryption. It gives users the information needed to establish communication and authentication between Fortanix DSM and Veeam Backup and Replication using the Key Management Interoperability Protocol (KMIP) and X.509 certificates.

It also contains the information that a user requires for:

  • Setting up Fortanix DSM.

  • Creating client certificate.

  • Configuring Veeam Backup and Replication Key Management System (KMS) settings.

1.1 Fortanix DSM with Veeam Backup and Replication

Veeam offers support for Fortanix DSM to manage the encryption keys for encrypting sensitive data at rest. Fortanix DSM is a specialized device or service that provides secure key management and cryptographic operations through industry-standard APIs.

Veeam uses Fortanix DSM to generate, store, and provide authorized access to data encryption keys. Veeam communicates with Fortanix DSM using the KMIP standard to allow authorized use of these keys.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used for communication between Veeam Backup and Replication and Fortanix DSM. KMIP runs over Transport Layer Security (TLS) to provide a secure connection, and Fortanix DSM also uses the TLS client certificate to authenticate a KMIP client before it can create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates are used for communication and authentication on both the Fortanix DSM and the Veeam Backup and Replication side. The Certificate Authority (CA) signs the server certificate deployed with Fortanix DSM. You can generate a client certificate for the Veeam Backup and Replication server using tools such as OpenSSL. You can either obtain a publicly signed certificate or use a self-signed certificate. For more information, refer to Section 5.5.1: Client Certificate.

2.1 Prerequisites

Ensure the following:

  • Virtual Machine (VM) instances for Veeam Backup and Replication and Veeam Client.

  • Fortanix DSM version 4.19 or later.

  • Fortanix DSM is installed and operational and is reachable from Veeam Backup and Replication on port 5696 (the default) or on the custom KMIP port.

  • Access to OpenSSL or any other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

3.0 Product Versions Tested

  • Fortanix DSM version 4.37

  • Veeam Backup & Replication version 12.3

4.0 Architecture Diagram

Veeam Backup & Replication (VBR) protects backup data with a two-tier encryption approach. The backups themselves are encrypted with Data Encryption Keys (DEKs). To protect the DEKs, VBR uses Fortanix DSM to generate 2048-bit asymmetric RSA keys.

When a Veeam backup job runs, the DEKs are encrypted with the RSA public key held in Fortanix DSM, which adds a second layer of protection. During restore, Fortanix DSM, which holds the corresponding RSA private key, decrypts the DEKs that were used to encrypt the backups.

The decrypted DEKs are then used to decrypt the backup data itself, making it available for restoration. Fortanix DSM manages and stores these keys, so encryption and decryption can be performed whenever required.

Figure 1: Encryption Workflow

Figure 2: Decryption Workflow

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 3: Logging In

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 4: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 5: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • Interface (optional): Select the KMIP option as the interface type from the drop-down menu.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click the Save button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

5.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 5.4: Creating an Application to go to the detailed view of the app. 

  2. From the top of the app’s page, copy the app UUID to be used in Section 5.5.1: Client Certificate as the value of Common Name (CN) to generate the self-signed certificate.  

If an application or client needs to authenticate with Fortanix DSM using a certificate, the app ID must be embedded in the certificate. This can be accomplished in one of the following ways:

  • Client Certificate

  • Server Certificate

5.5.1 Client Certificate

Veeam Backup and Replication supports only the PKCS#1 format, while Fortanix DSM does not accept the public_certificate in PKCS#1. Therefore, when generating certificates for private keys, ensure that they are in PKCS#8 format.

To achieve this, generate a key pair using OpenSSL commands and convert the keys from PEM format to .pfx format, which is supported by Veeam Backup and Replication:

openssl req -newkey rsa:2048 -nodes -keyout /home/fortkey.pem -x509 -days 1825 -out /home/fortcert.pem

NOTE

Running this command will prompt you to provide information such as Organization, Locality, and Common Name (CN). You must enter the App UUID as the Common Name (CN).

Perform the following steps to prepare and convert a private key and certificate into a PKCS#12 (.pfx) format:

  1. (Optional) Run the following command to output the private key in the traditional PKCS#1 form for Veeam Backup and Replication:

    openssl pkey -in /home/fortkey.pem -traditional

  2. Run the following command to create the .pfx bundle containing the private key and certificate, for use in Veeam Backup and Replication:

    openssl pkcs12 -export -out /home/fortr.pfx -inkey /home/fortkey.pem -in /home/fortcert.pem

    The key provided in .pfx format serves as a client certificate. It needs to be uploaded as a client certificate in the Veeam Backup and Replication KMS configuration, as outlined in Section 8.0: Integrating Fortanix KMS.
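    The certificate preparation above, collected into a non-interactive script (an added example, not Fortanix or Veeam code): it generates the key pair and self-signed certificate with the app UUID in the CN, writes the key in both PKCS#8 and PKCS#1 form, bundles key and certificate into the .pfx, and checks the CN and the bundle before anything is uploaded. The UUID, output directory, .pfx password and the O/L subject values are placeholders you supply.

```shell
#!/bin/sh
# Added example (not Fortanix or Veeam code). Paths, the app UUID and the
# .pfx password are assumptions; replace them with your own values.
set -eu

# make_client_cert <app_uuid> <outdir> <pfx_password>
make_client_cert() {
    app_uuid=$1; outdir=$2; pfx_pass=$3
    mkdir -p "$outdir"
    # Key + self-signed cert in one step. -subj replaces the interactive prompts
    # and puts the DSM app UUID in the CN, which is how DSM maps the cert to the app.
    openssl req -newkey rsa:2048 -nodes -x509 -days 1825 \
        -subj "/O=Example Org/L=Example City/CN=$app_uuid" \
        -keyout "$outdir/fortkey.pem" -out "$outdir/fortcert.pem" 2>/dev/null
    # PKCS#8 form ("BEGIN PRIVATE KEY"), the format the DSM side expects
    openssl pkey -in "$outdir/fortkey.pem" -out "$outdir/fortkey-pkcs8.pem"
    # Traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY"), optional for Veeam
    openssl pkey -in "$outdir/fortkey.pem" -traditional -out "$outdir/fortkey-pkcs1.pem"
    # PKCS#12 bundle to upload as the Veeam client certificate
    openssl pkcs12 -export -out "$outdir/fortr.pfx" \
        -inkey "$outdir/fortkey.pem" -in "$outdir/fortcert.pem" -passout "pass:$pfx_pass"
}

# cert_cn <cert.pem>: print the CN so it can be checked against the app UUID
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_format <key.pem>: "pkcs8", "pkcs1" or "unknown", from the PEM header line
key_format() {
    case "$(head -n1 "$1")" in
        "-----BEGIN PRIVATE KEY-----") echo pkcs8 ;;
        "-----BEGIN RSA PRIVATE KEY-----") echo pkcs1 ;;
        *) echo unknown ;;
    esac
}

# pfx_matches <bundle.pfx> <password> <cert.pem>: succeeds if the certificate
# inside the bundle is the one just generated (SHA-256 fingerprint comparison)
pfx_matches() {
    a=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}
```

    Typical use is make_client_cert <app-uuid> /home <pfx-password> followed by cert_cn /home/fortcert.pem to confirm the CN is the app UUID before the .pfx is uploaded to Veeam and the certificate to DSM.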

5.5.2 Updating the Authentication Method

Perform the following steps to change the authentication method for client certificate:

  1. Go to the detailed view of the app created in Section 5.4: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.

  2. Click the SAVE button.

  3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the certificate generated in Section 5.5.1: Client Certificate.

  4. Select both the check boxes to confirm your understanding about the action.

  5. Click the UPDATE button to save the changes.

5.5.3 Server Certificate

This certificate is the server certificate used to access the Fortanix DSM. It must be uploaded as the server certificate in Section 8.0: Integrating Fortanix KMS.

Perform the following steps:

  1. Download the server certificate from a web browser by clicking the padlock icon.

    Figure 6: Download the Certificate

  2. Click the Export button to download the server certificate.

    Figure 7: Certificate Details

6.0 Installing Veeam Backup and Replication

Download the Veeam Backup and Replication image from the Veeam Product Download Page. For the installation steps, refer to Veeam Backup and Replication v12.1 Beta.

7.0 Installing Veeam Agent for Windows

Access the Veeam Agent for Windows by downloading it through the Veeam Agent for Windows link. After you have installed the agent, the system will prompt you to generate recovery media for the client machine.

8.0 Integrating Fortanix KMS

Fortanix DSM must be registered as a Key Management Service (KMS) in Veeam Backup and Replication before backups can be encrypted with keys held in DSM.

Perform the following steps within the Veeam User Interface (UI) to facilitate this integration:

  1. Log into the Veeam Backup and Replication interface.

  2. Navigate to Credentials & Password and select the Key Management Servers.

  3. Click the Add button and it will prompt for the server URL, server certificate, and client certificate.

    Figure 8: Select the Server

    NOTE

    Ensure that the port number is set to 5696, the default KMIP port configured during the installation phase.

  4. Upload the client certificate (.pfx) generated in Section 5.5.1: Client Certificate and the server certificate downloaded in Section 5.5.3: Server Certificate.

    Figure 9: Upload the Client

  5. After you have provided the required information, click the OK button.

    Figure 10: Summary

9.0 Managing Protection Groups

To initiate the management of Veeam Agents in Veeam Backup and Replication, create a protection group in the inventory and specify the computers intended for protection in the group settings.

To learn the steps on how to create a protection group, refer to the Create Protection Group documentation.

NOTE

  • Firewall Settings:

    • If connections fail, reporting errors like "The RPC server is unavailable" or "The network path was not found," check Firewall settings on both the Veeam client machine and the Veeam Backup and Replication server.

    • Example errors:

      • Checking Windows credentials Error: The RPC server is unavailable.

      • Failed Unable to install backup agent: failed to connect to [IP address ] Error: The network path was not found. (ERROR_BAD_NETPATH).

  • Warning - Connection Issues:

    • For warnings, verify if the Veeam client service is running and listening on port 6160. Restarting the Veeam agent service may resolve the issue.

    • Example warning:

      • Warning: Unable to update backup agent: failed to connect to [IP address ] Details: The remote procedure call was cancelled. RPC function call failed. Function name: [GetSvcVersion]. Target machine: [IP Address:6160].

After creating a protection group, Veeam Backup and Replication initiates the rescan job session to connect to computers within the protection group and perform the necessary operations on them.

10.0 Creating Backup Jobs

This section describes the steps for creating backup jobs for the entire system and for a file share.

10.1 For the Entire System

To back up virtual machines (VMs), configure a backup job. The job defines how, where, and when VM data is backed up. Each job can include one or more VMs, and users can start jobs manually or schedule them to run automatically at predefined intervals.

Perform the following steps:

  1. Launch the Veeam Backup and Replication application.

  2. In Veeam Backup and Replication Console, select the Backup Jobs option from the navigation menu and select the required backup job option, such as Windows Computer.

  3. On the New Agent Backup Job page, perform the following actions:

    1. In the Job Mode section, select the Type as Server and Mode as Managed by backup server.

    2. In the Name section, enter the required name and description of the job. Click the Next button to proceed further.

      Figure 11: Add Details

    3. In the Computers section, click the Add → Protection group. Select the required protection group from the list. Click the Next button to proceed further.

      Figure 12: Add Protection Group

      Click the OK button to proceed further.

      Figure 13: Protection Group Added

    4. In the Backup Mode section, select the Entire computer radio button to take backup of the computer image. Click the Next button to proceed further.

      Figure 14: Select Backup Mode

    5. In the Storage section, enter the required information in the available fields and then click the Advanced button to enable encryption of the backup using Fortanix DSM. Click the Next button to proceed further.

      Figure 15: Configure Storage

      Click the OK button to proceed further.

      Figure 16: Storage Configured

    6. In the Guest Processing section, keep the configuration as default. Click the Next button to proceed further.

      Figure 17: Configure Guest Processing

    7. In the Schedule section, select the required option as per your requirement. Click the Apply button to proceed further.

      Figure 18: Schedule

    8. In the Summary section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job. For more information, refer to the Backup Jobs documentation.

  4. This backup job generates an RSA 4096-bit key on Fortanix DSM and utilizes it for the encryption and decryption of Veeam Backup files.

    Figure 19: Graphical Representation of Veeam Backup Job

  5. Navigate to Fortanix DSM to review logs related to the encryption and decryption operations performed on Veeam backup jobs.

    Figure 20: View Logs

    Figure 21: Log Details

10.2 For File Share

To protect files and folders within a file share, set up a file backup job. The job defines how, where, and when data from the file share is backed up. A single job can cover one or more file shares, and it can be started manually or scheduled to run automatically at specified times.

Perform the following steps:

  1. Launch the Veeam Backup and Replication application.

  2. In the Veeam Backup and Replication Console, select the Backup Jobs option from the navigation menu and select the required backup job option, such as File Share.

    Figure 22: Add Unstructured Data Source

    Figure 23: Unstructured Data Source Added

  3. On the New File Share page, perform the following actions:

    1. In the SMB section, update the name and description of the file share as required. Ensure that the IP address of the file share and the directory path to be backed up are entered correctly. Click the Next button to proceed further.

      Figure 24: SMB File Share Tab

    2. In the Backup Repository section, click the Advanced button. Under the Storage tab, select the Enable backup file encryption checkbox. Then, select the registered Fortanix DSM endpoint from the drop-down menu for encrypting the backup files. Click the OK button to proceed further.

      Figure 25: Storage Tab

    3. Keep the default configuration in the Archive Repository section. Click the Next button to proceed further.

      Figure 26: Archive Repository Tab

    4. In the Schedule section, select the required option as per your requirement. Click the Apply button to proceed further.

      Figure 27: Schedule Tab

    5. In the Summary section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job.

11.0 Recovering Data By Veeam Backup and Replication

Veeam Backup and Replication offers a versatile set of data recovery operations to meet diverse needs. Users can rely on it for essential recovery tasks such as restoring entire virtual machines, individual files, or specific applications.

For more information, refer to Data Recovery - Quick Start Guide for VMware vSphere (veeam.com) documentation.