Is there any way to test password loss protection other than deleting the backup job, deleting the encryption key, deleting the repo, re-adding the repo, rescanning the repo, and VBR asking for a password?
We just installed VEM (have had VBR installed for years) and see "Password Loss Protection" enabled in the VBR GUI under the backup job, but when we removed the repo and readded it and chose "lost password", we saw "password loss protection is not enabled". A bit confused... So, a related question, do we need to use new encryption keys after VEM is installed?
VBR and VEM installed on the same server.
VUL license (Enterprise Plus).
-
cgsm
- Expert
-
david.domask
- Product Manager
Re: Test Password Loss Protection
Hi cgsm,
>We just installed VEM (have had VBR installed for years)
Check this page to get a better understanding of how Lost Password Protection works.
In short, it will not retroactively apply to existing backups, only new backups made after installing Enterprise Manager and enabling Lost Password Protection.
For existing backups, you can use Password Verification for encryption passwords currently added.
No need for new encryption keys; the Lost Password Protection is a separate key that EM pushes to Backup Servers added to EM, and they are independent.
David Domask | Product Management: Principal Analyst
-
cgsm
- Expert
Re: Test Password Loss Protection
Hi David,
Thank you. I have read that document about how Password Lost Protection works. I am still confused!
I am a single VBR setup. I have encryption keys created in VBR.
- If I lose VEM and never exported anything from VEM, do I lose the ability to decrypt my backups?
- If I lose my encryption password in VBR, but still have VEM, do I lose the ability to decrypt my backups?
In a use case such as mine, is there really any benefit to VEM? It sounds like I need to export a private key from VEM and store it. I could lose this key just as easily as I could lose the encryption password from VBR. But using VEM, now I need to store both the private key and password.
-
david.domask
- Product Manager
Re: Test Password Loss Protection
> - If I lose VEM and never exported anything from VEM, do I lose the ability to decrypt my backups?
VEM & Lost Password protection let you restore from encrypted backups if you have lost the decryption passphrase. If you lose VEM and do not have the VEM keys, you only lose the Lost Password Protection feature.
So if you still have the decryption passphrase you used for encrypting the backup, you will still be able to restore / decrypt the backups. If you lose both the backup encryption passphrase AND VEM + VEM keys, you will not be able to decrypt backups.
> - If I lose my encryption password in VBR, but still have VEM, do I lose the ability to decrypt my backups?
No, with VEM and Lost Password protection enabled and running successfully, you can use the Lost Password protection feature if you lose the encryption passphrase you used to encrypt the backups.
> In a use case such as mine, is there really any benefit to VEM? It sounds like I need to export a private key from VEM and store it. I could lose this key just as easily as I could lose the encryption password from VBR. But using VEM, now I need to store both the private key and password.
Not quite -- as noted above, VEM's Lost Password Protection is an additional layer that protects you against lost encryption (decryption) passphrases.
So with:
1. Encrypted Configuration Backups
2. Lost Password Protection
3. Backups of your exported Enterprise Manager Keys
4. (optional) Encryption passwords stored in a secrets client elsewhere
You will have very good protection for your encrypted backups, as you'll have many ways to recover them. Not every option above is required, but they ensure that you will always be able to decrypt your backups.
David Domask | Product Management: Principal Analyst