Restoring encrypted configuration database query

[pat_ren]

Hi

I just want to clarify something in the KB:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

I think it confirms that if my configuration backup is encrypted, it should also include a copy of all of the other encryption keys used to encrypt any other jobs on the server, when I restore this encrypted config backup - these credentials and encryption keys will also be restored along with the config? Therefore, after restoring an encrypted config file, I should not have to manually decrypt any backup data? I'm trying to confirm if config backup encryption key contains it all, or if I would also need to enter the backup job an copy job encryption keys, and potentially and of the older backup job and copy job encryption keys if it's been changed in the last.

I'm updating some of our internal processes and I don't have an environment I can test this in currently, so if anyone can provide some clarification that would be great, thank you.

[david.domask]

Hi pat_ren,

You are correct, with the Configuration Backup being encrypted, you won't have to re-enter all the secrets again upon restore.

This is explained much more clearly in the Configuration Restore section of the User Guide (See the first "Important" note), and the Configuration Restore Wizard will warn if some secrets cannot be decrypted and need to be re-entered.

[pat_ren]

Hi David,

Thanks for the quick reply, one more query if I may, just need to clarify, if the config backup encryption key gets changed - does it still preserve all of the secrets for all of the jobs etc.
For example, we change the config backup key (and do not change any other keys) and a week later need to restore it, we enter only the new config backup encryption key to restore the config, will all other data be preserved in the config backup?
I assume yes but I just want to be clear.

I'm working on some processes for testing our encryption keys to ensure our documentation is always 100% correct and free from any user error. If it's unclear what the config backup encryption key is, then it may be quicker to just update the config backup encryption key an make a new config backup than do a config restore to test the key. I'm not aware of any other ways to test this to make sure the documented keys are correct. Thanks

[david.domask]

You're very welcome pat_ren, and sure more questions always welcomed!

For example, we change the config backup key (and do not change any other keys) and a week later need to restore it, we enter only the new config backup encryption key to restore the config, will all other data be preserved in the config backup?
I assume yes but I just want to be clear.

Correct, ensure you are protecting _at least_ the configuration backup encryption secret somewhere and keeping it up to date.

For your clients, you may also want to look into Password Loss Protection as an additional safety for lost encryption secrets. This requires Veeam Enterprise Manager, and in effect allows for a secure recovery method when you cannot remember or retrieve the secret.

[pat_ren]

Thanks again David, I would like to consider Veeam Enterprise Manager, possibly VeeamONE too, but I am not sure if it can be deployed at a service provider level, managing many individual clients, or if it must be deployed for each client independently. If it's just running on the same server as VBR which is typical for us it may not be much help. I feel this could be tricky with clients all over the country, but it's been a while since I looked at it so may be worth a re-evaluating when time permits. Cheers