Any way to programmatically import SOBR encrypted backups?

[mboswell]

I'm testing a few automated restore scenarios and am puzzled by the seeming difference in behavior between backups in object storage depending upon how they are encrypted.

Example: Backup Job to SOBR with encryption specified in the job definition. Result: Add the object repo to another VBR and mount it and the backups show up as encrypted backups. I can decrypt them like so: Get-VBRImportedEncryptedBackup | Set-VBREncryptedBackupPassword -Password $encryptionpassword

Example 2: Backup Job to SOBR with encryption specified in the SOBR. Result: Add the object repo to another VBR and mount it. No backups show up even when manually scanning the repo. However, I get the "Import Backups" context menu entry available on the repo in the console and can enter a password there.

So, here's my question. I need to do this with either powershell or the REST API and I'm not finding a way yet. The closest I've come is using: Add-VBRScaleOutBackupRepository -Extent $performancerepo -PolicyType "DataLocality" -EnableCapacityTier -ObjectStorageRepository $capacityrepo -EncryptionKey $key. That fails with "There are encrypted backups in the selected object storage repository. Import of them might take a long time. Type in encryption key to decrypt data"

That's exactly what I'm trying to do... But I want to do it programmatically. Is this possible? I don't see any parameter in Add-VBRScaleOutBackupRepository that seems like it's the right one. Import-VBRBackup doesn't like when I feed it an object storage repo.... Any other ideas? Am I missing something obvious?

Thanks,

Matt

[Mildur]

Hi Matt

Please try Mount-VBRObjectStorageRepository:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Backup can only be imported once from an object storage. New backups created after the initial import won't be visible.
There is no rescan function. You have to remove the object storage repo after the restore test. Then add it again and you can import the new backups.

Have you also considered to use Instant Recovery from object storage backups with your main VBR server?

Thanks
Fabian

[mboswell]

Thanks... I'm already mounting the repository:

Code: Select all

          $repo = Get-VBRObjectStorageRepository -Name "{{ reponame }}"
          $mount = Mount-VBRObjectStorageRepository -Repository $repo
          $count = 0
          while ($count -lt 100)
          {
            if (Get-VBRBackup | Where-Object { $_.RepositoryId.Guid -eq $mount.Id.Guid })
            {
              break
            }
            $count += 1
            Start-Sleep -Seconds 5
          }
          

With a non-encrypted backup, this works and the loop exits pretty quickly. With a backup encrypted in the job definition, the loop exits only after the count increments to 100 but the encrypted backup is available to decrypt with

Code: Select all

Get-VBRImportedEncryptedBackup | Set-VBREncryptedBackupPassword -Password {{ encryption_password | trim }}

With a backup encrypted by specifying encryption in the SOBR, no backups are imported until I either right-click the repo in the console and choose "Import Backups" or create a new SOBR with the repository as the capacity tier and enter the password when prompted.

[Mildur]

Please don‘t use a SOBR for this test.
Using the same bucket simultaneously in SOBRs on multiple backup servers is not supported and can lead to dataloss. Both backup servers could start writing metadata to the same folders in the bucket.

Mount-VBRObjectStorageRepository has a parameter for the encryption key. With it you can decrypt the backups directly while importing.

Code: Select all

$repository = Get-VBRObjectStorageRepository -Name "Amazon OS"
$key = Get-VBREncryptionKey -Description "Object Storage Key"
Mount-VBRObjectStorageRepository -Repository $repository -EncryptionKey $key

[mboswell]

In my scenario I won't necessarily know what is in the object repo until after I mount it. I have to use a SOBR to create the test backups; I don't know of any other way to back up to object storage. I hear that feature is coming in v 12 but for now SOBR is the only way, correct?

Anyway, my goal on the recovery side is *not* to use a SOBR. I want to mount one or more object repositories, import whatever is in them, decrypt it if necessary, and initiate a restore. I will try specifying the key when I mount the repo.

[Mildur]

I have to use a SOBR to create the test backups;

That‘s ok. Just don‘t connect the same object storage bucket to a second SOBR on a second VBR server.

I hear that feature is coming in v 12 but for now SOBR is the only way, correct?

Yes, correct.

I want to mount one or more object repositories, import whatever is in them, decrypt it if necessary, and initiate a restore. I will try specifying the key when I mount the repo.

Use the example code I provided. It‘s the same example as in our user guide. I provided you the link to the user guide in my first comment.

Thanks
Fabian

[mboswell]

I'm going to test this eventually but out of curiosity what happens when I specify an encryption key when mounting an object storage repo that contains unencrypted backups?

[mboswell]

One more question -- About Get-VBREncryptionKey: I'm creating the key using the API, not powershell. I'm trying to use the API for anything I can and resorting to powershell only as necessary (which is currently quite often). Anyway, the API endpoint, /api/v1/encryptionPasswords takes two parameters, the encryption key and a hint. Is the hint the same as the Description parameter that powershell wants?

[oleg.feoktistov]

Hi Matthew,

what happens when I specify an encryption key when mounting an object storage repo that contains unencrypted backups?

I didn't see any validations for this case in cmdlet backend code, so I checked it in my lab. My assumptions were correct - it just ignores the key passed and proceeds with mounting the object storage.

Is the hint the same as the Description parameter that powershell wants?

Correct.

Best regards,
Oleg