Veeam M365 Encryption password

[HenryA]

Good day all.

I have a question in re: the Veeam M365 password encryption.

As per this document: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70

We currently have a backup job going to a Wasabi S3 bucket, and when I enabled Encryption, I had to create an Encryption password as per the link above.

I wrote it down, but I am not sure the password I wrote down is the correct one, as I forgot to put a note on it that it was specifically for the Veeam Encryption. If I click on edit, it is warning me "this password is in use, are you sure you want to edit it?". I don't want to click anything that will disrupt our current backups. I think even if I click Edit, all it will show me is the asterisks, and I won't be able to confirm the password anyway.

Is there a way I can check it?

Also, let's say it's the right password, and I edit it and create a new one. What happens to the current backups? As I understand, the current data can only be restored with the current password.

So I'm unsure what my options are here. Any ideas?

[HenryA]

From looking at the dates I created the password I have, and the date that Veeam M365 says the encryption password was created, I am 90% sure this password is the Encryption Password I used.

But still seems no way to confirm. Some research suggests there's a tool for VB&R called "extract.exe", which would allow me to do a small restore, and test the password manually that way.........except it seems to only work for VB&R, not VM365.

[Polina]

Hi Henry,

First, it's unfortunate if you don't remember the password, because there's no way to check it, and there's a highlighted note about it.

If you guess the right password and then change it, all backups including already existing ones, will then become available via the new password.

[HenryA]

Hi Polina.

Thank you for your reply. If I understand correctly:

1. The password is encrypted locally to the Veeam M365 server (does not need to connect to the S3 Bucket, nor does it save any info to the Bucket. It simply stores the encrypted data once it recognizes the password at the local Veeam M365 server.
2. If I reset it successfully, it will not cause a loss of access to the current data. Instead, the data's encryption will now be accessible with the new password, and normal backup operations will continue.

Is this the case?

I had an idea, let me know what you think about this. Our Veeam M365 is running on a Windows Server 2019 VM in vSphere. I wanted to try this process:

1. Shut down Veeam services.
2. Shut down VM.
3. Make a copy of VM, rename it to something different.
4. Remove all network access (remove the network adapter, etc)
5. Power on this temp VM, log into Windows, then log onto the Veeam M365
6. Attempt to reset the password using the password I believe is the correct one. Since there's no network access it wont' actually change anything, but since the password is stored locally, the account would theoretically reset. If so, I know it's the right password, then:
7. Shut down temp VM, delete it.
8. Power on regular VM, confirm connectivity, and backups are working normally, etc.


In the event that it's not the correct password, am I able to migrate that data out into another repository? Based on research, it seems that there's no easy way to migrate from object storage to object storage, but if it's possible to migrate from object storage, to a local storage temporarily, and then migrate to a new object storage with a new password. Is any of this possible?

[HenryA]

I decided to test my idea in a lab environment, not touching our Production Veeam M365 at all.

1. Completely new Win Server VM 2019
2. Community edition of Veeam M365 Server, with a Wasabi S3 repo setup with Encryption Password.
3. Backing up a Trial M365 Small Business account Exchange.

Tested backing up E-mails = works. Created snapshot. Shut down VM. Removed Network Adapter. Powered on. Confirmed no NIC or any kind of internet access.
Went to Manage Passwords. Input old password misspelled on purpose, then new password. Did not accept it, complained old password incorrect. Input old password, this time correctly. It allowed me to change password. Implication: there's a local cache that recognizes the password.

Reverted to snapshot prior to NIC removal and prior to password change. Tested backup and restore of several E-mails = works under old password, no record of it being changed.

Next test, this time change password WITH internet access. Did it successfully, then tested a few more e-mail backups and restores: I was able to restore e-mails backed up prior to password change, and after password change, hence, password seems to change universally, not tied to date of backup files.

So far, it looks like I can use that method to test if my password for the production system works. If it works with the NIC and internet access removed, I know it's the right one, and I can then revert snapshot and go back to normal operation.

Any thoughts?

[HenryA]

Can someone confirm at least the question "If I have the correct password and input it into the credentials manager, and then change it, if the password change was succesful, then:

A. It was correct
B. Backups and restores will still function as per normal operation: We can restore data from all snapshots as before, and new data will be backed up and restorable, also as per normal operation"

[HenryA]

Ok, tested this on our Prod environment:

Copied our Veeam M365 server, removed NIC, confirmed no network access. Boot VM, logged in, tested changing Encryption Password: It worked.

Soooo.....that means I have successfully confirmed our password is correct, phew!!! But seems like this is an issue since M365 has no way to backup a config, the same way VB&R can. Is this a feature that's coming at some point?

[Mildur]

Hello Henry

Thank you for testing and confirming it.

It allowed me to change password. Implication: there's a local cache that recognizes the password.

The first time you specify your encryption password, we store it in encrypted form on the backup server.
When you try to change your password, you need to provide last used password. We will take the provided password and compare it against the encrypted value in the database. The new password can be saved when the encrypted value matches.

If I have the correct password and input it into the credentials manager, and then change it, if the password change was successful, then: A. It was correct

Yes. You can only change the password to a new value if you have provided the previous password.

B. Backups and restores will still function as per normal operation: We can restore data from all snapshots as before, and new data will be backed up and restorable, also as per normal operation"

Yes. After a password change you can restore from all restore points available in your repository. In case you want to connect your object storage bucket to a new backup server, only the latest encryption password will be required.

We already reached out to our tech writer team and ask them to add more detailed information to our documentation.
It may take some time to update the documentation (after our v8 release). But I can provide an update to this topic as soon as we were able to update it.

But seems like this is an issue since M365 has no way to backup a config, the same way VB&R can. Is this a feature that's coming at some point?

Yes, configuration backup is one of the items on our roadmap.
Unfortunately we don't have an ETA to share, but we know about its importance.

Best,
Fabian