Maintain control of your Microsoft 365 data
mbeezy
Lurker
Posts: 2
Liked: 1 time
Joined: Apr 23, 2026 8:23 pm
Full Name: Mike Benedict
Contact:

Feature request - Retrieve private key

Post by mbeezy »

Hi all, interesting situation we're in.

A few months ago we archived some SharePoint data up to AWS S3 OneZone-IA and encrypted it with a customer-provided key (Veeam generated). We then created a lifecycle rule on the S3 bucket to push the data down to Glacier Deep Archive to cut storage cost. Veeam for Microsoft 365 cannot read data in buckets/locations with storage tiers below OneZone-IA. Well, a few days ago, some user decided she needed some Excel doc from the archived data. :shock: So we tried running an AWS S3 batch operation/restore job to pull up the encrypted data from the depths of Glacier Deep Archive. However, we cannot copy the encrypted data to a new bucket location with proper storage tiering (i.e. OneZone-IA or above), so that Veeam would be able to read/restore it, without providing the key used to encrypt the data. There's no way to retrieve the private key from the Veeam 365 GUI and we tried using the commandlet "Get-VBOEncryptionKey" to no avail.

I realize NOT encrypting the data would have avoided this mess but our company policy/compliance requirements dictate that archived data must be encrypted at rest. So, I was wondering if Veeam might be able to develop a way to pull the key from the database it's tied to so customers such as ourselves can provide some relief for users asking for data to be pulled from AWS Glacier archives.

Thanks!
micoolpaul
VeeaMVP
Posts: 474
Liked: 188 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul
Contact:

Re: Feature request - Retrieve private key

Post by micoolpaul » 1 person likes this post

Hi,

First thing you need to do is stop what you’re doing and contact support.

The customer supplied key you mention is the encryption passphrase, do you still have this?

Secondly, deploying these lifecycle policies is completely unsupported so there’s a very real question of data integrity. Hence I recommend you work with support.

Veeam has a backup copy job function that works with “archive tier” object repositories such as AWS Glacier to optimise the files for long term retention, batching them for better cost efficiency for the expected long retention & low usage you’d expect from an archive tier. This is the method you should’ve used, so I’d recommend you explore this as a method of archiving data moving forwards.

I’m going to make some assumptions of what you’ve tried so far. I’m guessing you’ve restored the data to a new storage location and when you’ve tried to add the repository to Veeam it has asked you for the encryption passphrase?

Due to the way VB365 splits and stores data, lifecycle policies won’t necessarily have every object within the deep glacier so you would need all the data from every tier which is why it is critical you work with support to assess what has been done and any best effort guidance to bring the data into a recoverable state. There’s more I would add but I don’t want to speculate and steer you down a wrong path.

Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
mbeezy
Lurker
Posts: 2
Liked: 1 time
Joined: Apr 23, 2026 8:23 pm
Full Name: Mike Benedict
Contact:

Re: Feature request - Retrieve private key

Post by mbeezy » 1 person likes this post

Hey Michael, thank you for the reply!

The first thing we did was contact support. Yes, thankfully we do have the encryption passphrase. After determining the key could not be retrieved via GUI or PowerShell, they suggested we post here to open a Feature request.

Yeah, we learned lifecycle policies are unsupported the hard way, lol.

Thank you for the suggestion of using the backup copy function! We will certainly make note of this and use it for future requirements and make sure NOT to use lifecycle rules. :)

We tried to copy the "restored" data to a bucket running with a supported storage tier (OneZone-IA); however, it turns out that AWS S3 Glacier Deep Archive copy batch operation jobs require that the private key be provided if using customer-provided keys, hence the feature request to be able to pull the key.

Thanks for the advice/help!
Mildur
Product Manager
Posts: 11673
Liked: 3285 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Feature request - Retrieve private key

Post by Mildur » 1 person likes this post

Hi

Are you sure you’re referring to VB365 encryption passwords, and not encryption configured on Amazon S3 with a customer-managed key?
- Protecting data with server-side encryption

Veeam Backup for Microsoft 365 does not store customer-managed keys from AWS anywhere.

Best,
Fabian
Product Management Analyst @ Veeam Software
micoolpaul
VeeaMVP
Posts: 474
Liked: 188 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul
Contact:

Re: Feature request - Retrieve private key

Post by micoolpaul »

Echoing what @Mildur is saying, if we're not performing the lifecycle management, we wouldn't be doing anything with regards to AWS-level encryption so I don't believe this to be a key that Veeam is providing.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
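
An added example, not part of the thread and not Veeam or AWS code: one way to check which server-side encryption mode actually applies (the question Mildur raises) and which objects a lifecycle rule really moved to an archive tier (the point micoolpaul makes) is to triage an S3 Inventory report. The bucket name, keys and rows are constructed sample data, and `triage` is a hypothetical helper; it assumes an inventory configured with the optional StorageClass and EncryptionStatus fields.

```python
import csv
import io
from collections import Counter
from urllib.parse import unquote

# Constructed sample: column order as listed in an inventory manifest's
# "fileSchema" field, followed by header-less CSV rows. Names are made up.
FILE_SCHEMA = "Bucket, Key, Size, StorageClass, EncryptionStatus"
INVENTORY_CSV = '''"example-archive","sites/hr/blob%2001","1048576","DEEP_ARCHIVE","SSE-C"
"example-archive","sites/hr/blob%2002","524288","ONEZONE_IA","SSE-C"
"example-archive","sites/hr/index","2048","ONEZONE_IA","SSE-S3"
"example-archive","sites/fin/blob01","4096","DEEP_ARCHIVE","SSE-KMS"
'''

# Storage classes that need a restore request before the object can be read.
ARCHIVED = {"GLACIER", "DEEP_ARCHIVE"}


def triage(schema, csv_text):
    """Classify each inventory row by storage tier and encryption mode."""
    columns = [c.strip() for c in schema.split(",")]
    summary = Counter()
    needs_customer_key = []  # SSE-C: S3 does not keep the key, the caller supplies it
    needs_restore = []       # archived classes: unreadable until restored
    for row in csv.reader(io.StringIO(csv_text)):
        rec = dict(zip(columns, row))
        key = unquote(rec["Key"])  # keys are URL-encoded in CSV inventories
        summary[(rec["StorageClass"], rec["EncryptionStatus"])] += 1
        if rec["EncryptionStatus"] == "SSE-C":
            needs_customer_key.append(key)
        if rec["StorageClass"] in ARCHIVED:
            needs_restore.append(key)
    return summary, needs_customer_key, needs_restore


if __name__ == "__main__":
    summary, sse_c, archived = triage(FILE_SCHEMA, INVENTORY_CSV)
    for (storage_class, enc), count in sorted(summary.items()):
        print(f"{storage_class:13} {enc:8} {count}")
    print("customer key required:", sse_c)
    print("restore required:", archived)
```

A mix of storage classes or encryption modes under one repository prefix is the situation the replies warn about, and is worth having in hand before working with support.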