suppression of this nagging email notification

[robg]

Hi, is there a way to turn off this email from coming every day? I don't want to encrypt the configuration because I can keep track of my passwords separately. Thanks

Warning Skipping credentials backup because the encryption is disabled. This will complicate the restore process significantly. Enable configuration backup encryption to stop receiving this warning.

[Mildur]

Hello Rob

There is a registration key to disable this warning.
However please note encrypting the configuration backup is considered best practice.

Code: Select all

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication
Key: ConfigurationBackupSuppressEncryptionWarning
Type: DWORD
Value 1

Best,
Fabian

[robg]

Thanks for this tip. On the topic of config encryption, it says that backups are unrecoverable if the password for this is lost. Don't you guys think this is a little dangerous? Or maybe I'm not understanding this correctly?

For me, there is no need to encrypt, or even backup the configuration at all because the environment is very simple. I can stand up a new OS and install Veeam easily, and then just scan the repository and restore. If the default is to "encourage" people to encrypt it, sure that's secure, but what's more likely.. Losing your backups to a hack, or losing them because you forgot the password?

[Mildur]

One reason to encrypt backups is that if they get stolen, an attacker cannot leverage the content. Backup files contains your entire data in a compressed format. Why downloading the production data from the file server when one could have access to compressed production data via the backup files. Data theft is a danger this days for some companies or organizations.

Don't you guys think this is a little dangerous? Or maybe I'm not understanding this correctly?

It may sound dangerous. But it also protects you against data theft. That's how encryption works. Without the key, you don't get access to the data.
With Veeam Backup & Replication, there is an option to still gain access to the backup files in case you forgot it. Enterprise manager provides a feature named "password loss protection": https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[robg]

Yeah, I get the concept. Secure backups in case they get compromised.. AND it's a good thing that's left off by default, because I would bet that the chances of compromised backups are far less likely than a poor IT admin who wrote the password somewhere and forgot it, then he's up the creek after a hardware disaster.

You may want to check with support and get statistics on that, how many opened a case with their backups compromised vs people who lost their password (who don't have enterprise) and are desperate to get their backups. Not the most scientific, but the results might be interesting.

In my opinion you're creating more problems than preventing them by asking people to turn on credential encryption every day with email notifications.

[Gostev]

Glad you mentioned support statistics! This "nagging notification" feature was added exclusively based on the request from our technical support management, based on all the massive support case load from customers who did not realize their configuration backups do not include credentials.

[robg]

Is there a way to encrypt only the credentials, and not the actual backups? I may be missing something, but I couldn't find it.

This would seem to be the most elegant approach, force the encryption of credentials on by default.

[Gostev]

No, definitely not as it's a single file. Also, not encrypting this part provides a hacker all information about the backup infrastructure thus helping to move laterally in the environment, so I don't consider it a non-sensitive information that is fine to have unencrypted.

[robg]

You may have misunderstood, or I didn't explain it clearly. I'm asking if it's possible to *only* encrypt the credentials, to force that by default, but leave the backups un-encrypted unless the user chooses to turn that on.

This way, the creds are protected with that master password, the hacker can't learn anything without it, and if the admin starts from scratch on a rebuilt Veeam server, he can choose not to import the old configuration backup and still be able to access the repository without a password.

[Gostev]

No, it's not possible as the configuration file is a single file and everything in it is being encrypted. Besides, we don't want leaving some parts of it unencrypted for the reason explained above: giving a hacker full unencrypted documentation to the entire backup infrastructure.

Note that we cannot "force encryption by default" as the user needs to provide the password interactively before we can start encrypting.

[robg]

Ok, I still think there is a disconnect or misunderstanding, I'm not saying "back up PART of the configuration file" - I understand it's one file. I'm talking about the *actual data on the repositories*. Does that also get encrypted?

When you go to the menu > configuration backup, where it says loss prevention disabled, and you hover the mouse, it says "your backups will be unrecoverable if the password is lost"

Is this just badly worded? Cause if it's only backing up the *configuration*, and I choose not to import that in another veeam installation, I can just manually enter the credentials, right? That means the backups aren't unrecoverable if the password is lost. Shouldn't that say "your backup CONFIGURATION upon import will be lost", something like that?

[Gostev]

This says your encrypted configuration backups will be unrecoverable if you lose their encryption password, which makes sense.

This does not talk about "actual data on the repositories". If those backups are encrypted, you will need a password from them too in order to perform a restore. But you don't need anything other than their password.

[robg]

It says "your backups will be unrecoverable" not "your encrypted configuration backups will be unrecoverable" - it's misleading

[Gostev]

This is a shared UI control used in a dozen places, which is why it does not mention the specific backup type. What it says should be read in the context of the dialog where the control is placed, in this case Configuration Backup dialog.

[robg]

Ok, well, it's still misleading I'm giving you my feedback as a user, I appreciate that it's a "shared dialog" and might save some time for the UI team or whoever is responsible. But from the POV as someone exploring the software, it looks like "enable backup file encryption" means their BACKUP FILES are going to be encrypted, not just the configuration files. Especially the popup about "your backups will be unrecoverable"

"enable configuration backup file encryption" makes more sense, because users don't think about this the way you do necessarily in terms of "in the context of where they are"

[Gostev]

"enable configuration backup file encryption" makes more sense

@Egor Yakovlev think we can do that? Customize the encryption checkbox name.

[Egor Yakovlev]

Looks feasible, will check with devs.

[ITP-Stan]

It's the Veeam configuration back-up, it's not your actual data back-up.
If you don't encrypt your configuration back-up, all the passwords stored by Veeam are not included in this configuration back-up.
For example the user/password you use to do application aware processing.
Or the password you use to encrypt off-site back-ups.

[robg]

ITP-Stan, yes, I'm aware of this already. Where this thread ended up is that the text describing this function is a little misleading.

[Egor Yakovlev]

We will alter the label text a little with the following release.
/Cheers!

[urko]

Hello Rob

There is a registration key to disable this warning.
However please note encrypting the configuration backup is considered best practice.

Code: Select all

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication
Key: ConfigurationBackupSuppressEncryptionWarning
Type: DWORD
Value 1

Best,
Fabian

Hi, We have already set this key but we still receive the warning. Is it right configured? Do we need to do something aditional?
Thanks and blessings

https://drive.google.com/file/d/1NZbggF ... sp=sharing

[Mildur]

Hi Urko

I see you are using V12 or later. The location of the key is correct.
Maybe try a restart of the backup service (or backup server).
Please open a case with our support team if you still get the warning.

Best,
Fabian