Hi,
On our Linux systems the Veeam credentials are stored in the veeam_config.xml file: vbrPassword. The value of vbrPassword is encoded in some way. My question is: is this encoding safe? Or is it an easy-to-crack encoding?
My question is because of the ever-increasing security requirements.
I couldn't find any info on the vbrPassword encoding in the Veeam resources or on Google.
regards,
Ivan
-
- Enthusiast
- Posts: 29
- Liked: 4 times
- Joined: Aug 16, 2019 11:36 am
- Full Name: Ivan Saez Scheihing
-
- VP, Product Management
- Posts: 7098
- Liked: 1517 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: rman plugin 12 veeam_config.xml
Hi Ivan,
The VBR connection password is stored encrypted in the veeam_config.xml file. Various hardware numbers are used for the encryption, similar to what databases with machine key encryption are using. Basically, you can copy the file to another server, but you will not be able to log in with it. To be able to use passwords against a system, you need to implement local ways to retrieve the password and then authenticate to the remote system. For that reason, all locally stored encrypted passwords can be retrieved with the specific decryption methods (it does not matter what backup tool or software/database you use). For that reason it is important that normal users do not get access to the XML file. It is also best practice to give each client its own (non-admin) account on the VBR server. That way you ensure that only the specific plug-in can read its own data.
There is a second configuration option that you might consider. With v12 we introduced an option to use protection groups to distribute/update the plug-ins, and this method uses certificate-based authentication against the backup server, which means there is no password in use at all.
-
- Enthusiast
- Posts: 29
- Liked: 4 times
- Joined: Aug 16, 2019 11:36 am
- Full Name: Ivan Saez Scheihing
Re: rman plugin 12 veeam_config.xml
Andreas,
Thank you for the explanation. I'll start checking the permissions for the veeam_config.xml on all our servers.
And I'll read more about the certificate based authentication. It seems a good solution.
regards,
Ivan
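The permission check discussed in this thread, as an added example (not code from the posters or from Veeam): it reports whether a credential-bearing file such as veeam_config.xml is readable or replaceable by anyone other than its owner. The file path is passed in by the operator because the thread does not state its location; the function name `audit_config` and the `expected_uid` parameter are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit who can read a credential-bearing config file (added example)."""
import os
import stat
import sys


def audit_config(path, expected_uid=None):
    """Return a list of findings for `path`; an empty list means no issue found."""
    try:
        st = os.lstat(path)  # lstat: do not silently follow a symlink
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file); audit the real target"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"world-readable (mode {mode:04o})")
    if mode & stat.S_IRGRP:
        findings.append(f"group-readable by gid {st.st_gid} (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")

    # A directory writable by others lets them swap the file for their own copy.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory writable by group or others")
    return findings


def main(argv):
    # Paths are supplied by the operator; the thread does not give the file's location.
    status = 0
    for path in argv[1:]:
        findings = audit_config(path)
        if findings:
            status = 1
        for finding in findings or ["ok"]:
            print(f"{path}: {finding}")
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when any file has a finding, so it can be run from a configuration-management or monitoring job across all servers.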