-
- Novice
- Posts: 7
- Liked: never
- Joined: May 13, 2021 5:22 am
- Full Name: Lubos Dolezal
How to verify LTO password?
Hello,
this question is maybe a bit paranoid, however...
Is there any way to verify that I really know the password that was used to encrypt a specific tape? If I delete the LTO password from Veeam Password Manager, I can still restore data from the encrypted tape without a password prompt, because the SQL table "dbo.CryptoKeys" contains a history of previously used passwords. Unfortunately, I cannot perform a (temporary) delete of rows in this table, due to a constraint conflict in another SQL table.
In a hypothetical situation - for example, where another evil administrator changed the LTO password without my knowledge ... I am unable to verify what password was used for a particular tape.
In case of damage to the Veeam database, we would have a big problem with unreadable LTO cartridges...
LTO password verification functionality would be very useful, I think.
Regards,
L. Dolezal
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: How to verify LTO password?
Hello,
would a "password recovery" functionality also meet your needs? If yes, Enterprise Manager could do that. In your media pool settings you should see a green "Loss protection enabled".
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Best regards,
Hannes
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: How to verify LTO password?
Hi shob,
To test the tape password you can: import the tape media to a new Veeam B&R server (say Community Edition) or remove the tape media from the Veeam B&R catalog. Keep in mind that the last option would force Veeam B&R to 'forget' the tape content and tape media retention, and to restore from such a tape you need to catalog it again. Cheers!
-
- Novice
- Posts: 7
- Liked: never
- Joined: May 13, 2021 5:22 am
- Full Name: Lubos Dolezal
Re: How to verify LTO password?
Hi,
unfortunately Dima's workaround is not functional. If I remove the tape media from the catalog (and also clear all passwords from Password Manager), the LTO medium will be cataloged without a password prompt, because the catalog operation uses the SQL table with the history of used passwords.
Importing to a new Veeam B&R server is not possible, because we have only one tape library with one LTO drive.
Password recovery functionality is interesting, but it cannot do what I need. Ok, it seems that media password verification is not possible, so I am going to schedule an extra offsite copy of the Veeam Backup and Recovery database ... that should be enough, I think.
Thanks for the answers and best regards
Lubos
-
- Expert
- Posts: 221
- Liked: 48 times
- Joined: Nov 27, 2015 2:26 pm
- Full Name: Konstantin
- Location: Saint Petersburg
Re: How to verify LTO password?
Hi Lubos.
Another possible way, might be a bit easier, is to create a new empty VBR database (you may use DBconfig Utility), add the tape server there and catalog the tape. Since the new DB is empty, there should be no doubts the password is required to read the tape contents.
shob wrote: If I remove the tape media from catalog (and also clear all passwords from Password Manager), LTO medium will be catalogized without a password prompt, because catalog operation using SQL table with history of used passwords.
When you remove an encrypted offline tape from the catalog and delete the password from Password Manager (you need to change/remove it on the media pool beforehand), after the next catalog operation for such a tape the password must be required. If you can confirm that it works differently in your environment, please raise a case and share the case ID with us - we will treat it as an issue and start the investigation process.
-
- Novice
- Posts: 7
- Liked: never
- Joined: May 13, 2021 5:22 am
- Full Name: Lubos Dolezal
Re: How to verify LTO password?
Hi Lyapkost,
a while ago I tried the following:
1) reconfigure tape media pools and delete all passwords from password manager
2) export the medium from tape library
3) remove offline medium from catalog
4) import the tape from I/O slot to "Unrecognized" tape media pool
5) catalog the tape medium
6) done without a password prompt (due to password history in "dbo.CryptoKeys" table, as I mentioned)
7) restore operation from imported tape is fully functional
I think it's not worth creating a ticket, because it's not a bug - it's obviously a program feature.
Regards,
Lubos Dolezal
-
- Expert
- Posts: 221
- Liked: 48 times
- Joined: Nov 27, 2015 2:26 pm
- Full Name: Konstantin
- Location: Saint Petersburg
Re: How to verify LTO password?
Lubos, which VBR version are you using? It shouldn't work like you've described, at least in v10 and v11. But without logs and DB backup we're unable to say more.
-
- Novice
- Posts: 7
- Liked: never
- Joined: May 13, 2021 5:22 am
- Full Name: Lubos Dolezal
Re: How to verify LTO password?
Hi Lyapkost,
I sent you a PM with a link to download the logs and db backup from our production environment.
Lubos
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: How to verify LTO password?
Hello Lubos,
Can you please follow the official procedure and share the troubleshooting information via our support team? Do not forget to post the case ID please.
-
- VeeaMVP
- Posts: 1007
- Liked: 314 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
Re: How to verify LTO password?
I had experienced the same; when deleting a password I still was able to import encrypted backups without a prompt. Perhaps the password/keys are still cached and deleted later on?
On the topic.
Besides having the fallback option of recovering passwords via Enterprise Manager (which one should always set up), it would still be great to have a way of verifying that the encryption password indeed works.
By the way perhaps the add password dialog could be extended with a "verify password" or "enter password twice" field. At the moment if you make a mistake when entering/copying the password, you wouldn't notice it till you need to re-enter the password.