How to verify LTO password?

[shob]

Hello,

this question is maybe a bit paranoid, however...

Is there any way to verify, that I really know the password that was used to encrypt the specific tape? If I delete the LTO password from Veeam Password Manager, I can still restore data from encrypted tape without a password prompt, because the SQL table "dbo.CryptoKeys" contains a history of previously used passwords. Unfortunately, I can not perform a (temporary) delete rows in this table, due to constraint conflict in other SQL table.
In hypothetical situation - for example: where another evil administrator changed the LTO password without my knowledge ... I am unable to verify what password was used for a particular tape
In case of damage Veeam Database, we would have a big problem with unreadable LTO cartridges...

LTO password verification functionality would be very useful, I think.

Regards,

L. Dolezal

[HannesK]

Hello,
would a "password recovery" functionality also meet your needs? If yes, Enterprise Manager could to that. In your media pool settings you should see a green "Loss protection enabled"

https://helpcenter.veeam.com/docs/backu ... ml?ver=110



Best regards,
Hannes

[Dima P.]

Hi shob,

To test the tape password you can: import the tape media to a new Veeam B&R server (say Community Edition) or remove the tape media from the Veeam B&R catalog. Keep in mind that last option would force Veeam B&R to 'forget' the tape content and tape media retention and to restore from such tape you need to catalog it again. Cheers!

[shob]

Hi,

unfortunately Dima's workaround does not functional. If I remove the tape media from catalog (and also clear all passwords from Password Manager), LTO medium will be catalogized without a password prompt, because catalog operation using SQL table with history of used passwords.
Importing to a new Veeam B&R server is not possible, because we have only one tape library with one LTO drive.

Password recovery functionality is interesting, but it can not do, what I need. Ok, it seems that media password verification is not possible, so I am going to schedule extra offsite copy of Veeam Backup and Recovery database ... that should be enough, I think.

Thanks for the answers and best regards

Lubos

[lyapkost]

Hi Lubos.

If I remove the tape media from catalog (and also clear all passwords from Password Manager), LTO medium will be catalogized without a password prompt, because catalog operation using SQL table with history of used passwords.

When you remove an encrypted offline tape from catalog and delete the password from Password Manager (you need to change/remove it on the media pool beforehand) after the next catalog operation for such tape the password must be required. If you can confirm that it works differently in your environment please raise a case and share the case ID with us - we will treat is as an issue and start the investigation process.

Another possible way, might be a bit easier, is to create a new empty VBR database (you may use DBconfig Utility), add the tape server there and catalog the tape. Since the new DB is empty, there should be no doubts the password is required to read the tape contents.

[shob]

Hi Lyapkost,

a while ago I tried the following:

1) reconfigure tape media pools and delete all passwords from password manager
2) export the medium from tape library
3) remove offline medium from catalog
4) import the tape from I/O slot to "Unrecognized" tape media poll
5) catalog the tape medium
6) done without a password prompt (due to password history in "dbo.CryptoKeys" table, as I mentioned)
7) restore operation from imported tape is fully functional

I think, It's not worth creating a ticket, because it's not a bug - it's obviously program feature.

Regards,

Lubos Dolezal

[lyapkost]

Lubos, which VBR version are you using? It shouldn't work like you've described, at least in v10 and v11. But without logs and DB backup we're unable to say more.

[shob]

Hi Lyapkost,

I sent you a PM with a link to download the logs and db backup from our production environment.

Lubos

[Dima P.]

Hello Lubos,

Can you please follow the official procedure and share the troubleshooting information via our support team? Do not forget to post the case ID please.

[Regnor]

I had experienced the same; when deleting a password I still was able to import encrypted backups without a prompt. Perhaps the password/keys are still cached and deleted later on?

On the topic.
Besides having the fallback option of recovering passwords via Enterprise Manager (which one should always setup) it would still be great to have a way of verifying that the encryption password indeed works.
By the way perhaps the add password dialog could be extended with a "verify password" or "enter password twice" field. At the moment if you make a mistake when entering/copying the password, you wouldn't notice it till you need to re-enter the password.