--- title: "Fortanix DSM for Veeam Backup Encryption" slug: "using-fortanix-data-security-manager-for-veeam-backup-encryption" updated: 2026-04-01T08:40:39Z published: 2026-03-19T13:09:46Z --- > ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Fortanix DSM for Veeam Backup Encryption ## 1.0 Introduction This article provides detailed steps for integrating **Fortanix-Data-Security-Manager (DSM)** with **Veeam Backup and Replication** to enable backup encryption. It furnishes users with the necessary information to establish seamless communication and authentication between Fortanix DSM and Veeam Backup and Replication, employing Key Management Interoperability Protocol (KMIP) and certificates. ### 1.1 Fortanix DSM with Veeam Backup and Replication Veeam offers support for Fortanix DSM to manage the encryption keys for encrypting sensitive data at rest. Fortanix DSM is a specialized device or service that provides secure key management and cryptographic operations through industry-standard APIs. Veeam uses Fortanix DSM to generate, store, and provide authorized access to data encryption keys. Veeam communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys. ## 2.0 KMIP and Certificate Requirements The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between Veeam Backup and Replication and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM. X.509 certificates are used to facilitate communication and authentication for both Fortanix DSM and Veeam Backup and Replication. The Certificate Authority (CA) signs the server certificate deployed with Fortanix DSM. You can generate a client certificate for the Veeam Backup and Replication server using tools like OpenSSL. You can either obtain public-signed certificates or use a self-signed certificate. *For more information, refer to*[*Section 6.6.1: Client Certificate*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#661-client-certificate)*.* ## 3.0 Prerequisites Ensure the following: - Virtual Machine (VM) instances for Veeam Backup and Replication and Veeam Client. - Fortanix DSM version 4.19 or later. - Fortanix DSM is installed and operational and is accessible by Veeam Backup and Replication on port 5696 (for default) or the custom KMIP port. - Access to OpenSSL or any other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format. ## 4.0 Product Versions Tested The following product versions were tested: - Fortanix DSM version 4.37 - Veeam Backup & Replication version 12.3 ## 5.0 Architecture Diagram Veeam Backup & Replication ensures robust data security with a two-tier encryption approach. The inherent encryption of Veeam's backups is achieved using Data Encryption Keys (DEKs). To enhance backup security, VBR employs Fortanix DSM to generate 2048-bit asymmetric RSA keys. When Veeam backup jobs are created, the DEKs undergo encryption using Fortanix's RSA public key, introducing an additional layer of security. During the decryption process, Fortanix DSM, holding the corresponding RSA private key, comes into play. This private key enables the decryption of the Data Encryption Keys (DEKs) used for encrypting the backups. After the DEKs are decrypted, they are employed to decrypt the actual backup data, making it accessible for restoration. Fortanix DSM proficiently manages and stores these cryptographic keys, ensuring a smooth process of encryption and decryption whenever required. ![KMS_Integration_fortanix slides-1.jpg](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21870514120596.png) **Figure 1: Encryption workflow** ![KMS_Integration_fortanix slides-2.jpg](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21870528515348.png) **Figure 2: Decryption workflow** ## 6.0 Configure Fortanix DSM A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections: ### 6.1 Signing Up To get started with the Fortanix DSM cloud service, you must register an account at . For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region. *For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.* ### 6.2 Creating an Account Access in a web browser and enter your credentials to log in to Fortanix DSM. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png) **Figure 3: Logging in** *For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.* ### 6.3 Creating a Group Perform the following steps to create a group in the Fortanix DSM: 1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(24).png) **Figure 4: Add groups** 2. On the**Adding new group**page: 1. **Title**: Enter a name for your group. 2. **Description**(optional): Enter a short description of the group. 3. Click **SAVE**to create the new group. The new group is added to the Fortanix DSM successfully. ### 6.4 Creating an Application Perform the following steps to create an application (app) in the Fortanix DSM: 1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(22).png) **Figure 5: Add application** 2. On the **Adding new app**page: 1. **App name**: Enter the name for your application. 2. **ADD DESCRIPTION**(optional): Enter a short description of the application. 3. **Authentication method**: Select the default **API Key**as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.* 4. **Assigning the new app to groups**: Select the group created in [*Section 6.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#64-creating-an-application)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list. 3. Click **SAVE**to add the new application. The new application is added to the Fortanix DSM successfully. ### 6.5 Copying the App UUID Perform the following steps to copy the app UUID from the Fortanix DSM: 1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in [*Section 6.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#65-copying-the-app-uuid)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#44-creating-an-application)to go to the detailed view of the app. 2. From the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the app **UUID**to copy it to use in [*Section 6.6.1: Client Certificate*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#661-client-certificate) as the value of Common Name (CN) to generate the self-signed certificate. ### 6.6 Generating a Certificate If an application or client needs to authenticate with Fortanix DSM using a certificate, the app ID must be embedded in the certificate. This can be accomplished using the following: - Client Certificate - Server Certificate #### 6.6.1 Client Certificate Perform the following steps: 1. Run the following command to generate a private key and a self-signed X.509 certificate using OpenSSL: ```bash openssl req -newkey rsa:2048 -nodes -keyout /home/fortkey.pem -x509 -days 1825 -out /home/fortcert.pem ``` > [!NOTE] > NOTE > > Running this command will prompt you to provide information such as Organization, Locality, and Common Name (CN). You must enter the App UUID as the Common Name (CN) as copied in [*Section 6.5: Copying the App UUID*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#65-copying-the-app-uuid)*.* 2. Run the following command to generate a `.pfx` file (PKCS#12 format) that combines the private key and the certificate. This file format is necessary for integration with Veeam Backup and Replication. ```bash openssl pkcs12 -export -out /home/fortr.pfx -inkey /home/fortkey.pem -in /home/fortcert.pem ``` The generated `.pfx` file contains the client certificate and private key. It needs to be uploaded as a client certificate in the Veeam Backup and Replication KMS configuration, as outlined in [*Section 9.0: Integrating Fortanix KMS*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#90-integrating-fortanix-kms). #### 6.6.2 Updating the Authentication Method Perform the following steps to change the authentication method for client certificate: 1. Go to the detailed view of the app created in**[*Section 6.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#64-creating-an-application)**and click **Change authentication method**and select **Certificate**to change the authentication method to Certificate. 2. Click **SAVE**. 3. On the **Add certificate**dialog box, click **UPLOAD NEW CERTIFICATE**to upload the certificate file or paste the content of the certificate generated in [*Section 6.6.1: Client Certificate*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#661-client-certificate). 4. Select both check boxes to confirm your understanding of the action. 5. Click **UPDATE**to save the changes. #### 6.6.3 Server Certificate This certificate serves as the server certificate for accessing the Fortanix DSM. It is required to upload it as the server certificate in [*Section 9.0: Integrating Fortanix KMS*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#90-integrating-fortanix-kms). Perform the following steps: 1. Download the server certificate from a web browser by clicking the padlock icon. ![Figure 8.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525050260.png) **Figure 6: Download the certificate** 2. Click **Export** to download the server certificate. ![Figure 9.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505435284.png) **Figure 7: Certificate details** ## 7.0 Installing Veeam Backup and Replication Acquire the Veeam Backup and Replication image from the Veeam Product Download Page. *For more information on how to seamlessly install the deployment of Veeam Backup and Replication, refer to*[*Veeam Backup and Replication v12.1 Beta*](https://www.veeam.com/downloads.html)*.* ## 8.0 Installing Veeam Agent for Windows Access the Veeam Agent for Windows by downloading it through the [*Veeam Agent for Windows*](https://helpcenter.veeam.com/docs/agentforwindows/userguide/installation_process.html?ver=60)**link. After you have installed the agent, the system will prompt you to generate recovery media for the client machine. ## 9.0 Integrating Fortanix KMS It is imperative to register Fortanix DSM as a Key Management Service (KMS) in Veeam Backup and Replication to ensure a secure integration. Perform the following steps within the Veeam User Interface (UI) to facilitate this integration: 1. Log in to the Veeam Backup and Replication interface. 2. Navigate to **Credentials & Password** and select the **Key Management Servers**. ![Figure 10.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525080980.png) **Figure 8: Select the server** 3. Click **Add.** The **Add KMS Server** dialog box will appear. 4. In the **Add KMS Server** dialog box, ![Figure 11.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505468564.png) **Figure 9: Upload the client** 1. Configure the following settings: - **Server**: Ensure to add the Fortanix DSM host name. For example, `eu.smartkey.io`. - **Port:**Ensure that the default port number is set to **5696**, taken care of during the installation phase. - **Server certificate**: Upload the server certificate generated in [*Section 6.6.3: Server Certificate*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#663-server-certificate)*.* - **Client Certificate**: Upload the client certificate generated in [*Section 6.6.1: Client Certificate*](/v1/docs/using-fortanix-data-security-manager-for-veeam-backup-encryption#661-client-certificate)*.* - **Description:**Add the description, if required. 2. Click **OK**. 5. After you have provided the required information on **Key Management Servers**, click **OK**. ![Figure 12.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505484308.png) **Figure 10: Summary** > [!NOTE] > NOTE > > Verify that the keys are successfully generated in Fortanix DSM. If the keys are missing, the integration has failed and requires troubleshooting. ## 10.0 Managing Protection Groups To initiate the management of Veeam Agents in Veeam Backup and Replication, create a protection group in the inventory and specify the computers intended for protection in the group settings. *To learn the steps on how to create a protection group, refer to*[*Create Protection Group*](https://helpcenter.veeam.com/docs/backup/agents/protection_group_add.html?ver=120)*.* > [!NOTE] > NOTE > > - Firewall Settings: > - If connections fail, reporting errors like "The RPC server is unavailable" or "The network path was not found," check Firewall settings on both the Veeam client machine and the Veeam Backup and Replication server. > - Example errors: > - Checking Windows credentials Error: The RPC server is unavailable. > - Failed. Unable to install backup agent: failed to connect to [IP address ] Error: The network path was not found. (ERROR_BAD_NETPATH). > - Warning - Connection Issues: > - For warnings, verify if the Veeam client service is running and listening on port 6160. Restarting the Veeam agent service may resolve the issue. > - Example warning: > - Warning: Unable to update backup agent: failed to connect to [IP address ] Details: The remote procedure call was cancelled. RPC function call failed. Function name: [GetSvcVersion]. Target machine: [IP Address:6160]. After creating a protection group, Veeam Backup and Replication initiates the rescan job session to connect to computers within the protection group and perform the necessary operations on them. ## 11.0 Creating Backup Jobs This section describes the steps for backing up jobs for the entire system and file share. ### 11.1 For the Entire System To ensure the backup of virtual machines (VMs), it is imperative to configure a backup job. This task involves delineating specific parameters governing the methodology, destination, and timing of VM data backup. Each job can encompass one or multiple VMs. The users have the flexibility to manually initiate these jobs or schedule them for automatic execution at predefined intervals. Perform the following steps : 1. Launch the Veeam Backup and Replication application. 2. In Veeam Backup and Replication Console, select **Backup Jobs** from the navigation menu and select the required backup job, such as **Windows Computer**. 3. On the **New Agent Backup Job** page, perform the following actions: 1. In the **Job Mode** section, select the **Type** as **Server** and **Mode** as **Managed by backup server**. 2. In the **Name**section, enter the required name and description of the job. Click **Next** to proceed further. ![Figure 13.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525124628.png) **Figure 11: Add details** 3. In the **Computers** section, click the **Add** → **Protection group**. Select the required protection group from the list. Click **Next** to proceed further. ![Figure 14.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525138836.png) **Figure 12: Add protection group** 4. Click **OK** to proceed further. ![Figure 15.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525151636.png) **Figure 13: Protection group added** 5. In the **Backup Mode** section, select **Entire computer** to take backup of the computer image. Click **Next** to proceed further. ![Figure 16.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505546644.png) **Figure 14: Select backup mode** 6. In the **Storage** section, enter the required information in the available field and then click **Advanced** to encrypt the Backup using Fortanix DSM. ![Figure 17.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505562132.png) **Figure 15: Configure storage** 7. On the **Advanced Settings** dialog box, under the **Storage** tab, ![Figure 18.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525217428.png) **Figure 16: Storage configured** 1. Select the **Enable backup file encryption** check box. Then, select the registered Fortanix DSM Endpoint from the drop down menu for encrypting the backup files. 2. Click **OK**. 8. In the **Storage** section, click **Next** to proceed further. 9. In the **Guest Processing** section, keep the configuration as the default. Click **Next** to proceed further. ![Figure 19.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525229972.png) **Figure 17: Configure guest processing** 10. In the **Schedule** section, select the required option as per your requirement. Click **Apply** to proceed further. ![Figure 20.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525244564.png) **Figure 18: Schedule** 11. In the **Summary** section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job. *For more information, refer to*[*Backup Jobs*](https://helpcenter.veeam.com/docs/backup/vsphere/backup_job.html?ver=120)*.* 4. This backup job generates an RSA 4096-bit key on Fortanix DSM and utilizes it for the encryption and decryption of Veeam Backup files. ![Figure 21.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525260052.png) **Figure 19: Graphical Representation of Veeam Backup Job** 5. Navigate to Fortanix DSM to review logs related to the encryption and decryption operations performed on Veeam backup jobs. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Veeam-1.png) **Figure 20: View logs** ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Veeam-2(1).png) **Figure 21: Log details** ### 11.2 For File Share To safeguard files and folders within a file share, it is essential to set up a file backup job. The users need to specify the method, location, and schedule for backing up data from the file share. A single job can manage one or more file shares, offering the flexibility for either manual initiation or scheduled automatic backups at specified times. Perform the following steps: 1. Launch the Veeam Backup and Replication application. 2. In the Veeam Backup and Replication Console, select **Backup Jobs** from the navigation menu and select the required backup job, such as **File Share**. ![Figure 24.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505697556.png) **Figure 22: Add an unstructured data source** ![Figure 25.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505710356.png) **Figure 23: Unstructured data source added** 3. On the **New File Share** page, perform the following actions: 1. In the **SMB** section, update the name and description of the file share as required. Ensure that a valid IP address and directory path are enabled for file sharing and need to be backed up are accurately mentioned. Click **Next** to proceed further. ![Figure 26.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505719956.png) **Figure 24: SMB file share tab** 2. In the **Backup Repository** section, click **Advanced**. Under the **Storage** tab, select the **Enable backup file encryption** check box. Then, select the registered **Fortanix DSM Endpoint** from the drop down menu for encrypting the backup files. Click **OK** to proceed further. ![Figure 27.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872525344916.png) **Figure 25: Storage tab** 3. Keep the **Archive Repository with same default configuration**. Click **Next** to proceed further. ![Figure 28.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505754004.png) **Figure 26: Archive repository tab** 4. In the **Schedule** section, select the required option as per your requirement. Click **Apply** to proceed further. ![Figure 29.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/21872505769876.png) **Figure 27: Schedule tab** 5. In the **Summary** section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job. ## 12.0 Recovering Data By Veeam Backup and Replication Veeam Backup and Replication offers a versatile set of data recovery operations to meet diverse needs. Users can leverage this solution for essential recovery tasks such as restoring entire virtual machines, individual files, or specific applications. *For more information, refer to*[*Data Recovery - Quick Start Guide for VMware vSphere (veeam.com)*](https://helpcenter.veeam.com/docs/backup/qsg_vsphere/restore_operations.html?ver=120)*.* Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface. ## Related - [Fortanix DSM with Bloombase Storesafe](/using-fortanix-data-security-manager-with-bloombase-storesafe.md) - [Fortanix DSM as External KMIP in Rubrik](/using-fortanix-data-security-manager-as-external-kmip-in-rubrik.md) - [Installation on AWS](/fortanix-data-security-manager-installation-on-aws.md) - [Troubleshooting](/troubleshooting.md) - [HSM Gateway](/users-guide-hsm-gateway.md)