Encryption password lost - Install Enterprise Manager afterwards?

[JeWe]

Hi all,

the setting was overdue, we finally use encryption for our backups. As a little bit of paranoia can't be wrong for an admin, what if I lose the encryption password? Thankfully, I can use the Enterprise Manager. Now I'm asking myself, if I should install the Enterprise Manager at once. We are using just one backup server at the moment.
My idea: In case of losing the password, would it be possible to recover it with the Enterprise Manager afterwards? So I realize I can't remember the password anymore. Now I'm installing Enterprise Manager and get the possibility to recover it? Would this be possible? Or does Enterprise Manager have to be installed before? From my understanding, this should be no problem?
I know, in case of an emergency this way would be kind of stressful...

Regards,
Jens

[Regnor]

I don't know the technical details good enough, but as I understand, the Enterprise Manager generates a key which is used to encrypt the actual encryption key/password. If you install the Enterprise manager and enable password loss protection, it will protect any future encrypted backup but not the past ones.
I'm sure someone else can give a better technical explaination...

But why don't you install the Enterprise manager from the beginning, if you fear a password loss? We Install EM as a default in every environment which uses encryption.

[JeWe]

Thanks for answering. Well, can answer myself after testing it
No, this won't work as this will happen:
https://www.veeam.com/kb1979

So it seems I have to set a new password to make it work. Didn't install Enterprise Manager because of ... performance concerns. I don't need the functionality in general, but as I'm testing a little bit, seems helpful overall.

[JeWe]

Confirmed, after setting a new password with activated Enterprise Manager keys, I can restore a backup file without the password. Case closed

[Regnor]

Thanks for the feedback
I haven't noticed any negative performance impacts so far. It's recommended to separate the backup server and enterprise manager, but depending on the size and if you only need the key recovery, I install it on the same box. Just don't forget to export the Enterprise manager keyset and store it at a safe place. Because if you lose the backupserver, the EM also won't be available for key recovery.

[JeWe]

Thanks also for the hint regarding export of the keyset. Would have surely missed that part

Happy weekend to you!

[JeWe]

Another update, I have to take back my words, we don't have to set a new encryption password after installing Enterprise Manager. Getting along with further testing, some days after, I am able to decrypt even the backups with the "old" password. Just to report a correct feedback