Server storage encryption and backup

Good afternoon all,
I have Veeam Backup and Replication for my backup solution.
I am running Nextcloud (in the process of setting it up).

A bit of information on my setup.
Hyper-V server running the following:
1 x Nextcloud running on Ubuntu 22.04
1 x Zoraxy reverse proxy
1 x file server
1 x backup server (Veeam)

My Nextcloud is set up so that I have 1 VHDX file on the physical server for the OS drive of the Nextcloud VM, and the user data is stored on a network share on the file server (second VHDX file).

I was looking at the different types of encryption as well as the backup and was considering that server-side storage encryption is the best way to protect all the data. I chose this because if anyone steals the second VHDX file off the file server it will be encrypted, assuming they don’t manage to get hold of the Nextcloud VM drive to get the key. If they do, then I think I have far bigger problems.

My thought was then to use Veeam to back up to a NAS drive also located at my house (and later a second one off site), which is also encrypted by the Veeam backup software.

I have a few questions regarding this setup.

  1. Is it possible for Veeam to back up this data when it is encrypted? From all reports I read, it is possible to still read the metadata, file names etc. even if it is encrypted.
  2. Will it be possible to use Veeam to do file indexing and back up individual files? I am planning on doing a backup of the whole VM including the second drive (which should be protected by Veeam's encryption if the NASes ever got stolen).
  3. Is there any other suggestion as to what would be a better backup solution for this, given that I only, at this stage, have 2 x NAS boxes to back up to and 1 machine as a server (plans for 2 later, but lack of money got in the way)?

If you use server-side encryption, data on the network share will be stored encrypted, so it cannot be accessed independently without decryption.

The file content itself is encrypted, but you still know the file name, when it was created, a rough size of it, …

The issue with server-side encryption is that it is designed for external storage that you do not control, so you don’t have to trust this 3rd party. If you don’t have this constraint, there are/can be solutions that are more efficient/reliable. Regarding storage that is protected while it is at rest, I’d consider some file system encryption that is handled by the operating system. They are faster/more reliable, I suppose.

The complicated thing with server-side encryption is that data from the database is used to verify the files (signature). If you want to restore, you need the data and database from the same time, and you probably need to restore the full backup to retrieve a file. Without encryption it will be easier to retrieve a file, e.g. if someone needs a file from last week.

Therefore:

This is less of a problem, since you need to recover everything completely.

Without encryption, it makes more sense and is easier to do incremental backups.

Anyhow, with encryption and several machines, do test and run a full recovery procedure to check whether you are able to restore data.
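To make the two points above concrete (content is encrypted, but names, sizes and timestamps on the share are not; and a backup must be verified, not assumed), here is an added example that is not from the thread or from the Nextcloud project. It audits a Nextcloud data directory, or a mounted copy of the backup, and reports which user files carry the server-side encryption header and which are still plaintext. The header layout (`HBEGIN:…:HEND`, padded with `-` to an 8192-byte block) is my reading of the default encryption module and is an assumption to confirm against your Nextcloud version; the sample tree is constructed inside a temporary directory so the script runs offline.

```python
"""Audit a Nextcloud data directory (or a restored backup of it) for
server-side encryption coverage.  Added example, not from the thread.

ASSUMPTION (check against your Nextcloud version): files written by the
default encryption module begin with a header such as
  HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND
padded with '-' to a single 8192-byte block.  Anything under <user>/files/
without that header is plaintext on the share.
"""
import os
import tempfile
from dataclasses import dataclass, field

HEADER_PREFIX = b"HBEGIN:"
HEADER_END = b":HEND"
HEADER_BLOCK = 8192


def header_info(path: str):
    """Return the header fields as a dict, or None if the file is not encrypted."""
    with open(path, "rb") as fh:
        block = fh.read(HEADER_BLOCK)
    if not block.startswith(HEADER_PREFIX):
        return None
    end = block.find(HEADER_END)
    # The rest of the 8 KiB block must be '-' padding, otherwise it is not a header
    if end == -1 or not set(block[end + len(HEADER_END):]) <= {ord("-")}:
        return None
    parts = block[len(HEADER_PREFIX):end].decode("ascii").split(":")
    return dict(zip(parts[0::2], parts[1::2]))


@dataclass
class Report:
    encrypted: list = field(default_factory=list)
    plaintext: list = field(default_factory=list)
    # what someone holding only the data share still sees: (path, size, mtime)
    metadata: list = field(default_factory=list)


def scan_data_dir(root: str) -> Report:
    """Walk <root>/<user>/files/... and classify every regular file."""
    report = Report()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).split(os.sep)
        # Only user content lives under <user>/files; skip keys, appdata, cache
        if len(rel) < 2 or rel[1] != "files":
            continue
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            relpath = os.path.relpath(path, root)
            st = os.stat(path)
            # Name, size and mtime are readable regardless of content encryption
            report.metadata.append((relpath, st.st_size, int(st.st_mtime)))
            if header_info(path) is not None:
                report.encrypted.append(relpath)
            else:
                report.plaintext.append(relpath)
    return report


def build_sample_tree(base: str) -> str:
    """Constructed sample: one encrypted file, one plaintext leak, one key file."""
    header = (b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:"
              b"cipher:AES-256-CTR:signed:true:HEND").ljust(HEADER_BLOCK, b"-")
    enc_path = os.path.join(base, "alice", "files", "Documents", "budget.xlsx")
    os.makedirs(os.path.dirname(enc_path))
    with open(enc_path, "wb") as fh:
        fh.write(header + bytes(range(64)))        # constructed ciphertext body
    plain_path = os.path.join(base, "bob", "files", "notes.txt")
    os.makedirs(os.path.dirname(plain_path))
    with open(plain_path, "wb") as fh:
        fh.write(b"plaintext that should not be readable off the share")
    key_dir = os.path.join(base, "alice", "files_encryption", "OC_DEFAULT_MODULE")
    os.makedirs(key_dir)                           # key material, not user content
    open(os.path.join(key_dir, "fileKey"), "wb").close()
    return base


def demo() -> Report:
    """Build the constructed tree in a temp dir and audit it."""
    return scan_data_dir(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    r = demo()
    print("encrypted:", r.encrypted)
    print("PLAINTEXT (fix before trusting the backup):", r.plaintext)
    for path, size, mtime in r.metadata:
        print(f"visible metadata: {path} size={size} mtime={mtime}")
```

Run it against the real data directory by calling `scan_data_dir("/path/to/nextcloud/data")`; anything listed under `plaintext` is content the share or the NAS backup exposes without needing the key, and a non-empty `metadata` list is the reminder that file names and sizes are never hidden by this mode.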

Thank you all for the insight. It gives me some things to think about.