Using Fortanix Data Security Manager for Veeam Backup Encryption

1.0 Introduction

This article provides detailed steps for integrating Fortanix Data Security Manager (DSM) with Veeam Backup and Replication to enable backup encryption. It furnishes users with the necessary information to establish seamless communication and authentication between Fortanix DSM and Veeam Backup and Replication, employing Key Management Interoperability Protocol (KMIP) and certificates.

It also contains the information that a user requires for:

  • Setting up Fortanix DSM.
  • Creating client certificate.
  • Configuring Veeam Backup and Replication Key Management System (KMS) settings.

1.1 Fortanix DSM with Veeam Backup and Replication

Veeam offers support for Fortanix DSM to manage the encryption keys for encrypting sensitive data at rest. Fortanix DSM is a specialized device or service that provides secure key management and cryptographic operations through industry-standard APIs.

Veeam uses Fortanix DSM to generate, store, and provide authorized access to data encryption keys. Veeam communicates with Fortanix DSM using the KMIP standard to allow authorized use of these keys.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between Veeam Backup and Replication and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to secure the connection, and Fortanix DSM also uses TLS to authenticate a KMIP client before it can create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates are used to facilitate communication and authentication for both Fortanix DSM and Veeam Backup and Replication. The Certificate Authority (CA) signs the server certificate deployed with Fortanix DSM. You can generate a client certificate for the Veeam Backup and Replication server using tools like OpenSSL. You can either obtain publicly signed certificates or use a self-signed certificate. For more information, refer to Section 3.1: Client Certificate.

2.1 Prerequisites

Ensure the following:

  • Virtual Machine (VM) instances for Veeam Backup and Replication and Veeam Client.
  • Fortanix DSM version 4.19 or later.
  • Fortanix DSM is installed and operational and is accessible by Veeam Backup and Replication on port 5696 (the default) or on the custom KMIP port.
  • Access to OpenSSL or any other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

2.2 Architecture Diagram

Veeam Backup & Replication (VBR) ensures robust data security with a two-tier encryption approach. Veeam's backups are encrypted with Data Encryption Keys (DEKs). To enhance backup security, VBR uses Fortanix DSM to generate 2048-bit asymmetric RSA keys.

When Veeam backup jobs are created, the DEKs are encrypted with the RSA public key held in Fortanix DSM, adding a second layer of protection. During decryption, Fortanix DSM, which holds the corresponding RSA private key, decrypts the DEKs that were used to encrypt the backups.

After the DEKs are decrypted, they are used to decrypt the actual backup data, making it available for restoration. Fortanix DSM manages and stores these cryptographic keys, so encryption and decryption can take place whenever required.

Figure 1: Encryption Workflow

Figure 2: Decryption Workflow

3.0 Configuring Fortanix DSM Account

Perform the following steps to facilitate KMIP clients' authentication using certificates within Fortanix DSM:

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon from the menu list, and then click the option to create a new application (app).
    For instructions on how to add a group or app, refer to the Fortanix DSM Getting Started Guide.
  3. Enter the following details:
    • App name: The name that identifies your Veeam Backup and Replication app (customizable).
    • Interface: KMIP
    • Authentication method: Leave the default, API Key, at this stage; it is changed to certificate authentication later (Section 3.1: Client Certificate).
    • Assigning the new app to groups: Keys created by Veeam Backup and Replication will be owned by this group.
      Figure 3: Create An App
  4. After you have added the application, copy the app UUID from the app table view by clicking the Copy UUID icon, as shown below. You will need this app's UUID in Step 5, because it is used as the Common Name (CN) when generating the client certificate.
    For example: CN = 5cbcfdb1-8db1-4f1a-8efc-2d9ddeb8c010
    Figure 4: App UUID
  5. If an application or client needs to authenticate with Fortanix DSM using a certificate, the App ID must be embedded in the certificate. This can be accomplished in one of the following ways:
    • Client Certificate
    • Server Certificate

3.1 Client Certificate

Veeam Backup and Replication exclusively supports the PKCS#11 format, while Fortanix does not accept the public_certificate in PKCS#11. Therefore, when generating certificates for both private and public keys, ensure that they are in PKCS#8 format.

To achieve this, generate a key pair using OpenSSL commands and convert the keys from PEM format to .pfx format, which is supported by Veeam Backup and Replication:

openssl req -newkey rsa:2048 -nodes -keyout /home/fortkey.pem -x509 -days 1825 -out /home/fortcert.pem
NOTE
Running this command will prompt you to provide information such as Organization, Locality, and Common Name (CN). You must enter the App UUID as the Common Name (CN).

Perform the following steps:

  1. Change the authentication method, because Veeam Backup and Replication uses certificate-based authentication to communicate with Fortanix DSM.
    1. Select the app and click the drop-down arrow next to Change authentication method.
      Figure 5: Authentication Method
    2. Select the Certificate option.
      Figure 6: Select the Method
    3. Click the UPLOAD NEW CERTIFICATE option to upload the new certificate in .pem format (fortcert.pem) created in the previous step.
      Figure 7: Upload the New Certificate
  2. Optionally, run the following command to transform the private key to PKCS#11 for Veeam Backup and Replication (the converted key is written to standard output unless you add -out):
    openssl pkey -in /home/fortkey.pem -traditional
  3. Run the following command to create .pfx for the private+public key pair and use it in Veeam Backup and Replication:
    openssl pkcs12 -export -out /home/fortr.pfx -inkey /home/fortkey.pem -in /home/fortcert.pem
    The key provided in .pfx format serves as a client certificate. It needs to be uploaded as a client certificate in the Veeam Backup and Replication KMS configuration, as outlined in Section 6.0: Integrating Fortanix KMS.
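As an added example (not from the Fortanix or Veeam documentation), the following POSIX shell script performs the client-certificate steps above non-interactively: it generates the key pair with the app UUID as the CN via -subj, exports the .pfx, and verifies that both the .pem certificate and the .pfx carry the UUID as CN before you upload them. The function names, output file names and export password are assumptions; the UUID shown is the article's example value.

```shell
#!/bin/sh
# Added example (not from the Fortanix article): build the Veeam client
# certificate with the Fortanix app UUID as CN, bundle it into a .pfx, and
# check the CN before anything is uploaded to DSM or Veeam.
set -eu

# Reject anything that is not a hex UUID before it becomes a CN.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# make_client_cert <app-uuid> <outdir> <pfx-password>
# Writes key.pem, cert.pem (to upload to the DSM app) and client.pfx (to upload to Veeam).
make_client_cert() {
  uuid=$1; dir=$2; pw=$3
  is_uuid "$uuid" || { echo "not a valid app UUID: $uuid" >&2; return 1; }
  # -subj replaces the interactive prompts; key size and -days match the article's command.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -x509 -days 1825 \
    -subj "/CN=$uuid" -out "$dir/cert.pem" 2>/dev/null
  # Same export step as the article, with a non-interactive export password.
  openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/key.pem" \
    -in "$dir/cert.pem" -passout "pass:$pw"
}

# cert_cn <cert.pem>: print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# pfx_cn <client.pfx> <password>: print the CN of the certificate inside the .pfx.
pfx_cn() {
  tmp=$(mktemp)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp" 2>/dev/null
  cert_cn "$tmp"
  rm -f "$tmp"
}

# check_bundle <app-uuid> <outdir> <pfx-password>: succeeds only when both
# artifacts carry the app UUID as CN, which is what DSM matches against.
check_bundle() {
  [ "$(cert_cn "$2/cert.pem")" = "$1" ] && [ "$(pfx_cn "$2/client.pfx" "$3")" = "$1" ]
}

# Usage (constructed values): d=$(mktemp -d)
#   make_client_cert 5cbcfdb1-8db1-4f1a-8efc-2d9ddeb8c010 "$d" 'export-password'
#   check_bundle 5cbcfdb1-8db1-4f1a-8efc-2d9ddeb8c010 "$d" 'export-password' && echo CN-OK
```

Upload cert.pem to the DSM app (Section 3.1, step 1) and client.pfx to Veeam (Section 6.0); check_bundle fails if either file's CN differs from the app UUID.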

3.2 Server Certificate

This certificate serves as the server certificate for accessing Fortanix DSM. It must be uploaded as the server certificate in Section 6.0: Integrating Fortanix KMS.

Perform the following steps:

  1. Download the server certificate from a web browser by clicking the padlock icon in the address bar of the Fortanix DSM page.
    Figure 8: Download the Certificate
  2. Click the Export button to download the server certificate.
    Figure 9: Certificate Details

4.0 Installing Veeam Backup and Replication

Acquire the Veeam Backup and Replication image from the Veeam Product Download Page. For the installation steps for a seamless deployment of Veeam Backup and Replication, refer to Veeam Backup and Replication v12.1 Beta.

5.0 Installing Veeam Agent for Windows

Access the Veeam Agent for Windows by downloading it through the Veeam Agent for Windows link. After you have installed the agent, the system will prompt you to generate recovery media for the client machine.

6.0 Integrating Fortanix KMS

Fortanix DSM must be registered as a Key Management Service (KMS) in Veeam Backup and Replication to complete the secure integration.

Perform the following steps within the Veeam User Interface (UI) to facilitate this integration:

  1. Log in to the Veeam Backup and Replication interface.
  2. Navigate to Credentials & Password and select Key Management Servers.
  3. Click the Add button. You are prompted for the server URL, server certificate, and client certificate.
    Figure 10: Select the Server
    NOTE
    Ensure that the port number is set to the default, 5696, which was configured during the installation phase (or to your custom KMIP port).
  4. Upload the client and server certificates generated in Section 3.0: Configuring Fortanix DSM Account, Step 5 (Sections 3.1 and 3.2).
    Figure 11: Upload the Client
  5. After you have provided the required information, click the OK button.
    Figure 12: Summary

7.0 Managing Protection Groups

To initiate the management of Veeam Agents in Veeam Backup and Replication, create a protection group in the inventory and specify the computers intended for protection in the group settings.

To learn the steps on how to create a protection group, refer to the Create Protection Group documentation.

NOTE
  • Firewall Settings:
    • If connections fail with errors such as "The RPC server is unavailable" or "The network path was not found," check the firewall settings on both the Veeam client machine and the Veeam Backup and Replication server.
    • Example errors:
      • Checking Windows credentials Error: The RPC server is unavailable.
      • Failed Unable to install backup agent: failed to connect to [IP address ] Error: The network path was not found. (ERROR_BAD_NETPATH).
  • Warning - Connection Issues:
    • For warnings, verify that the Veeam client service is running and listening on port 6160. Restarting the Veeam agent service may resolve the issue.
    • Example warning:
      • Warning: Unable to update backup agent: failed to connect to [IP address ] Details: The remote procedure call was cancelled. RPC function call failed. Function name: [GetSvcVersion]. Target machine: [IP Address:6160].

After creating a protection group, Veeam Backup and Replication initiates the rescan job session to connect to computers within the protection group and perform the necessary operations on them.

8.0 Creating Backup Jobs

This section describes the steps for creating backup jobs for the entire system and for a file share.

8.1 For the Entire System

To back up virtual machines (VMs), you must configure a backup job. The job defines how, where, and when VM data is backed up. Each job can include one or more VMs. Users can start these jobs manually or schedule them to run automatically at predefined intervals.

Perform the following steps:

  1. Launch the Veeam Backup and Replication application.
  2. In the Veeam Backup and Replication Console, select the Backup Jobs option from the navigation menu and select the required backup job option, such as Windows Computer.
  3. On the New Agent Backup Job page, perform the following actions:
    1. In the Job Mode section, select the Type as Server and Mode as Managed by backup server.
    2. In the Name section, enter the required name and description of the job. Click the Next button to proceed further.
      Figure 13: Add Details
    3. In the Computers section, click Add and select Protection group. Select the required protection group from the list. Click the Next button to proceed further.
      Figure 14: Add Protection Group
      Click the OK button to proceed further.
      Figure 15: Protection Group Added
    4. In the Backup Mode section, select the Entire computer radio button to back up the computer image. Click the Next button to proceed further.
      Figure 16: Select Backup Mode
    5. In the Storage section, enter the required information in the available fields and then click the Advanced button to encrypt the backup using Fortanix DSM. Click the Next button to proceed further.
      Figure 17: Configure Storage
      Click the OK button to proceed further.
      Figure 18: Storage Configured
    6. In the Guest Processing section, keep the default configuration. Click the Next button to proceed further.
      Figure 19: Configure Guest Processing
    7. In the Schedule section, select the option that matches your requirement. Click the Apply button to proceed further.
      Figure 20: Schedule
    8. In the Summary section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job. For more information, refer to the Backup Jobs documentation.
  4. This backup job generates an RSA 4096-bit key on Fortanix DSM and uses it for the encryption and decryption of Veeam backup files.
    Figure 21: Graphical Representation of Veeam Backup Job
  5. Navigate to Fortanix DSM to review logs related to the encryption and decryption operations performed on Veeam backup jobs.
    Figure 22: View Logs
    Figure 23: Log Details

8.2 For File Share

To safeguard files and folders within a file share, it is essential to set up a file backup job. The users need to specify the method, location, and schedule for backing up data from the file share. A single job can manage one or more file shares, offering the flexibility for either manual initiation or scheduled automatic backups at specified times.

Perform the following steps:

  1. Launch the Veeam Backup and Replication application.
  2. In the Veeam Backup and Replication Console, select the Backup Jobs option from the navigation menu and select the required backup job option, such as File Share.
    Figure 24: Add Unstructured Data Source
    Figure 25: Unstructured Data Source Added
  3. On the New File Share page, perform the following actions:
    1. In the SMB section, update the name and description of the file share as required. Ensure that the IP address and the directory path of the share to be backed up are entered accurately and that the directory is enabled for file sharing. Click the Next button to proceed further.
      Figure 26: SMB File Share Tab
    2. In the Backup Repository section, click the Advanced button. Under the Storage tab, select the Enable backup file encryption checkbox. Then, select the registered Fortanix DSM endpoint from the drop-down menu for encrypting the backup files. Click the OK button to proceed further.
      Figure 27: Storage Tab
    3. Keep the Archive Repository at its default configuration. Click the Next button to proceed further.
      Figure 28: Archive Repository Tab
    4. In the Schedule section, select the option that matches your requirement. Click the Apply button to proceed further.
      Figure 29: Schedule Tab
    5. In the Summary section, review the configured settings to ensure they meet your requirements and confirm the creation of the backup job.

9.0 Recovering Data By Veeam Backup and Replication

Veeam Backup and Replication offers a versatile set of data recovery operations to meet diverse needs. Users can perform essential recovery tasks such as restoring entire virtual machines, individual files, or specific applications.

For more information, refer to Data Recovery - Quick Start Guide for VMware vSphere (veeam.com) documentation.
