Discussions related to exporting backups to tape and backing up directly to tape.
shob
Novice
Posts: 7
Liked: never
Joined: May 13, 2021 5:22 am
Full Name: Lubos Dolezal

How to verify LTO password?

Post by shob »

Hello,

this question is maybe a bit paranoid, however...

Is there any way to verify that I really know the password that was used to encrypt a specific tape? If I delete the LTO password from Veeam Password Manager, I can still restore data from the encrypted tape without a password prompt, because the SQL table "dbo.CryptoKeys" contains a history of previously used passwords. Unfortunately, I cannot (temporarily) delete rows in this table, due to a constraint conflict in another SQL table.
In a hypothetical situation, for example where another evil administrator changed the LTO password without my knowledge, I am unable to verify which password was used for a particular tape :(
In case of damage to the Veeam database, we would have a big problem with unreadable LTO cartridges...

LTO password verification functionality would be very useful, I think.

Regards,

L. Dolezal
HannesK
Product Manager
Posts: 14840
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: How to verify LTO password?

Post by HannesK »

Hello,
would a "password recovery" functionality also meet your needs? If yes, Enterprise Manager could do that. In your media pool settings you should see a green "Loss protection enabled".

https://helpcenter.veeam.com/docs/backu ... ml?ver=110


Best regards,
Hannes
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: How to verify LTO password?

Post by Dima P. »

Hi shob,

To test the tape password you can: import the tape media to a new Veeam B&R server (say Community Edition) or remove the tape media from the Veeam B&R catalog. Keep in mind that the last option would force Veeam B&R to 'forget' the tape content and tape media retention, and to restore from such a tape you need to catalog it again. Cheers!

Re: How to verify LTO password?

Post by shob »

Hi,

unfortunately, Dima's workaround is not functional. If I remove the tape media from the catalog (and also clear all passwords from Password Manager), the LTO medium will be cataloged without a password prompt, because the catalog operation uses the SQL table with the history of used passwords.
Importing to a new Veeam B&R server is not possible, because we have only one tape library with one LTO drive.

Password recovery functionality is interesting, but it cannot do what I need. OK, it seems that media password verification is not possible, so I am going to schedule an extra offsite copy of the Veeam Backup and Recovery database ... that should be enough, I think.

Thanks for the answers and best regards

Lubos
lyapkost
Expert
Posts: 221
Liked: 48 times
Joined: Nov 27, 2015 2:26 pm
Full Name: Konstantin
Location: Saint Petersburg

Re: How to verify LTO password?

Post by lyapkost »

Hi Lubos.
shob wrote: If I remove the tape media from the catalog (and also clear all passwords from Password Manager), the LTO medium will be cataloged without a password prompt, because the catalog operation uses the SQL table with the history of used passwords.
When you remove an encrypted offline tape from the catalog and delete the password from Password Manager (you need to change/remove it on the media pool beforehand), the password must be required after the next catalog operation for such a tape. If you can confirm that it works differently in your environment, please raise a case and share the case ID with us - we will treat it as an issue and start the investigation process.

Another possible way, which might be a bit easier, is to create a new empty VBR database (you may use the DBconfig Utility), add the tape server there and catalog the tape. Since the new DB is empty, there should be no doubt that the password is required to read the tape contents.

Re: How to verify LTO password?

Post by shob »

Hi Lyapkost,

a while ago I tried the following:

1) reconfigure tape media pools and delete all passwords from password manager
2) export the medium from tape library
3) remove offline medium from catalog
4) import the tape from I/O slot to "Unrecognized" tape media pool
5) catalog the tape medium
6) done without a password prompt (due to password history in "dbo.CryptoKeys" table, as I mentioned)
7) restore operation from imported tape is fully functional

I think it's not worth creating a ticket, because it's not a bug - it's obviously a program feature.

Regards,

Lubos Dolezal

Re: How to verify LTO password?

Post by lyapkost »

Lubos, which VBR version are you using? It shouldn't work like you've described, at least in v10 and v11. But without logs and DB backup we're unable to say more.

Re: How to verify LTO password?

Post by shob »

Hi Lyapkost,

I sent you a PM with a link to download the logs and db backup from our production environment.

Lubos

Re: How to verify LTO password?

Post by Dima P. »

Hello Lubos,

Can you please follow the official procedure and share the troubleshooting information via our support team? Do not forget to post the case ID please.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max

Re: How to verify LTO password?

Post by Regnor »

I had experienced the same; when deleting a password I still was able to import encrypted backups without a prompt. Perhaps the password/keys are still cached and deleted later on?

On the topic.
Besides having the fallback option of recovering passwords via Enterprise Manager (which one should always set up), it would still be great to have a way of verifying that the encryption password indeed works.
By the way, perhaps the add password dialog could be extended with a "verify password" or "enter password twice" field. At the moment, if you make a mistake when entering/copying the password, you wouldn't notice it till you need to re-enter the password.