Standalone backup agents for Linux, Mac, AIX & Solaris workloads on-premises or in the public cloud
Post Reply
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

Hey,
first of all: Thanks for this beta!

I've a question regarding the encryption of backups, because I couldn't find any information about this.

Does any encryption exist? Is a backup job currently en- and decrypting backups?

I only saw, that the backup files are binaries, but it's maybe still possible to restore it without VAL, if somebody knows, how the file was created.

Code: Select all

# file Daily_File_Backup/Daily_File_Backup_2016-08-11T110100.vbk
Daily_File_Backup/Daily_File_Backup_2016-08-11T110100.vbk: data
It would be great, if there is a possibility to en- or disable the encryption. You also should be able to set a passphrase.
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by PTide » 1 person likes this post

Hi and welcome to the community!
Does any encryption exist? Is a backup job currently en- and decrypting backups?
Currently there is no encryption.
I only saw, that the backup files are binaries, but it's maybe still possible to restore it without VAL, if somebody knows, how the file was created.
First of all, why would someone attepmt to restore a .vbk without VAL instead of just taking VAL and restoring the stuff in a normal way? Secondly, although it is possible theoretically, that would be almost the same (or even more difficult) as recreating VAL from scratch with the only difference that you'd have to fit in the predefined backup format instead of inventing your own, which makes it even more diffucult to accomplish.
It would be great, if there is a possibility to en- or disable the encryption. You also should be able to set a passphrase.
Noted as a feature request,

Thanks for the feedback!
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen »

Currently encryption is not possible with the current beta. Just like with Veeam Endpoint Backup FREE it will be possible to send backups to a Veeam Backup & Replication repository where you can enable encryption.

If you are not using VBR then I suggest you look into using guest encryption on your backup target.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

PTide wrote:First of all, why would someone attepmt to restore a .vbk without VAL instead of just taking VAL and restoring the stuff in a normal way?
That's a good question, yes. But anyway: You always should think about such scenarios - also if they may will not happen ever. The backup server could get hacked and if they're interested on such a backup file, they will try to figure out everything, to get clear text data of it.

However... It could happen and due of that, I want to make sure, that it's safe enough. ;)
vmniels wrote:Currently encryption is not possible with the current beta.
Ok, thanks for the information.
vmniels wrote:If you are not using VBR then I suggest you look into using guest encryption on your backup target.
I've written a PHP class, which can encrypt it, but that's no solution. It should be an integrated solution of the backup software.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen »

As mentioned by Pavel, consider it as a feature request. I am currently only giving other options to use encryption as it's not included yet :-)
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

Yeah, I understood both of you. I've just also only mentioned, that I would have such an alternative to en- and decrypt my backups, but that's no solution. Either it's a feature of the backup software or not. ;) :D
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen »

Which method would you like to see implemented then? AES 256 bit or another method?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Patschi
Influencer
Posts: 12
Liked: 3 times
Joined: Jan 17, 2015 7:16 pm
Full Name: Patrik Kernstock
Location: Austria, Lower Austria
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Patschi »

Just another workaround: You can create an encrypted file-container on the backup target and mount this container somewhere locally on the filesystem, where VAL may save the backups to. As well just a suggestion - didn't tried it.

I fully agree with you, Sebbo, that an implemented backup encryption in VAL would be even greater :) Specially in these days.
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

I wouldn't set a static method. I rather would have one or more options in the /etc/veeam/veeam.ini config file, where each user can choose his own encryption settings. Maybe something like this?

Code: Select all

[encryption]
# Enable encryption? true or false
encryptionEnabled = true

# Password, used to en- and decrypt backups
encryptionPassphrase = veryS3creTPa5sW0Rd!

# Random string used as Salt for en- and decryption
# Just set a second different strong password or get a random string here: https://www.random.org/strings/?num=1&len=20&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new
encryptionSalt = tXEgpPXJ7hNc67RzT

# Set Cipher to encrypt backups
# Get a list of available ciphers by running the following command: openssl list-cipher-algorithms
encryptionCipher = AES-256-CBC
When I'm back at home, I can send you the logic of my PHP class as idea. There are multiple methods integrated and the user can always choose between them.
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

Here is it:

Code: Select all

<?php
		/**
		 * Generates an unique passphrase
		 * @param	$length Strength of public passphrase
		 * @param	$passphrase Private passphrase
		 * @param	$salt Unique salt
		 * @param	$version Generate mechanism
		 * @param	$algorithm Hash algorithm
		 * @return	string Public passphrase
		*/
		private function generatePublicPassphrase($length, $passphrase, $salt = '', $version = '1', $algorithm = 'whirlpool') {
			switch($version) {
				case 1:
					$cstrong = false;
					while(!$cstrong) {
						if(empty($salt)) {
							$salt = bin2hex(openssl_random_pseudo_bytes($length, $cstrong));
						} else {
							$cstrong = true;
						}
						$publicPassphrase = "1$" . $salt . "$" . hash($algorithm, $salt . get_current_user() . $passphrase);
					}
					break;
			}

			$salt = "";
			$passphrase = "";

			return $publicPassphrase;
		}
?>
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen » 1 person likes this post

We'll consider it as a FR. Adding a plain password in the config file however isn't something that will happen ;-). Thanks!
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Sebbo
Influencer
Posts: 16
Liked: never
Joined: Aug 11, 2016 12:08 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by Sebbo »

Even better than providing the password as command line parameter like this:

Code: Select all

veeamconfig job create --encrypt-password 'veryS3creTPa5sW0Rd!' [...]
Sure, if it's possible to ask for the password by executing the job, it should be entered without being saved in the command history.

Code: Select all

history
But please also note, that the cronjobs also should work automatically without the help of an user.

I believe, we can save the password in the config file, but we should encrypt/hash it. We also could save it in the database of Veeam... ;)
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by PTide »

But please also note, that the cronjobs also should work automatically without the help of an user.
I'm not sure that I'm following you, cronjob always works automatically unless it is disabled. Could you elaborate please?

Thanks
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen »

He means that if we add encryption with a password or something we have to make sure we can still run the veeam job via crontab (without adding the password in plain text in the cronjob).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by PTide »

Ok, now I see. I think that we could probably store encrypted passwords in the VAL database, need to check with devs.

Thanks
schewee
Influencer
Posts: 14
Liked: never
Joined: May 25, 2017 2:19 am
Full Name: Eric Schewe
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by schewee »

This thread is over a year old at this point.

Was this feature ever added directly to the agent with out requiring a full Veeam Backup & Replication deployment?

I saw encryption was just recently added to the free Windows Agents.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by nielsengelen »

It is not present in v1 however it is on the roadmap of future requests. Best now would be to either use Linux encryption for storing the backups or use VBR.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
schewee
Influencer
Posts: 14
Liked: never
Joined: May 25, 2017 2:19 am
Full Name: Eric Schewe
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by schewee »

vmniels wrote:It is not present in v1 however it is on the roadmap of future requests. Best now would be to either use Linux encryption for storing the backups or use VBR.
Thanks!
ortoscale
Service Provider
Posts: 246
Liked: 20 times
Joined: Aug 02, 2011 9:30 pm
Full Name: Matjaž Antloga
Location: Celje, Slovenia
Contact:

Re: Veeam Agent for Linux: Backup Encryption

Post by ortoscale » 1 person likes this post

vmniels wrote:Which method would you like to see implemented then? AES 256 bit or another method?
If you just provide same as on VAW :)
Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests