Veeam Agent for Linux: Backup Encryption

Backup agent for Linux servers and workstations on-premises or in the public cloud

Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Thu Aug 11, 2016 12:27 pm

Hey,
first of all: Thanks for this beta!

I've a question regarding the encryption of backups, because I couldn't find any information about this.

Does any encryption exist? Is a backup job currently en- and decrypting backups?

I only saw, that the backup files are binaries, but it's maybe still possible to restore it without VAL, if somebody knows, how the file was created.
Code: Select all
# file Daily_File_Backup/Daily_File_Backup_2016-08-11T110100.vbk
Daily_File_Backup/Daily_File_Backup_2016-08-11T110100.vbk: data


It would be great, if there is a possibility to en- or disable the encryption. You also should be able to set a passphrase.
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby PTide » Thu Aug 11, 2016 12:59 pm 1 person likes this post

Hi and welcome to the community!

Does any encryption exist? Is a backup job currently en- and decrypting backups?
Currently there is no encryption.

I only saw, that the backup files are binaries, but it's maybe still possible to restore it without VAL, if somebody knows, how the file was created.
First of all, why would someone attepmt to restore a .vbk without VAL instead of just taking VAL and restoring the stuff in a normal way? Secondly, although it is possible theoretically, that would be almost the same (or even more difficult) as recreating VAL from scratch with the only difference that you'd have to fit in the predefined backup format instead of inventing your own, which makes it even more diffucult to accomplish.

It would be great, if there is a possibility to en- or disable the encryption. You also should be able to set a passphrase.
Noted as a feature request,

Thanks for the feedback!
PTide
Veeam Software
 
Posts: 3133
Liked: 262 times
Joined: Tue May 19, 2015 1:46 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby vmniels » Thu Aug 11, 2016 1:01 pm

Currently encryption is not possible with the current beta. Just like with Veeam Endpoint Backup FREE it will be possible to send backups to a Veeam Backup & Replication repository where you can enable encryption.

If you are not using VBR then I suggest you look into using guest encryption on your backup target.
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
vmniels
Veeam Software
 
Posts: 1575
Liked: 344 times
Joined: Mon Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Thu Aug 11, 2016 1:21 pm

PTide wrote:First of all, why would someone attepmt to restore a .vbk without VAL instead of just taking VAL and restoring the stuff in a normal way?

That's a good question, yes. But anyway: You always should think about such scenarios - also if they may will not happen ever. The backup server could get hacked and if they're interested on such a backup file, they will try to figure out everything, to get clear text data of it.

However... It could happen and due of that, I want to make sure, that it's safe enough. ;)

vmniels wrote:Currently encryption is not possible with the current beta.

Ok, thanks for the information.

vmniels wrote:If you are not using VBR then I suggest you look into using guest encryption on your backup target.

I've written a PHP class, which can encrypt it, but that's no solution. It should be an integrated solution of the backup software.
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby vmniels » Thu Aug 11, 2016 1:27 pm

As mentioned by Pavel, consider it as a feature request. I am currently only giving other options to use encryption as it's not included yet :-)
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
vmniels
Veeam Software
 
Posts: 1575
Liked: 344 times
Joined: Mon Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Thu Aug 11, 2016 1:34 pm

Yeah, I understood both of you. I've just also only mentioned, that I would have such an alternative to en- and decrypt my backups, but that's no solution. Either it's a feature of the backup software or not. ;) :D
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby vmniels » Thu Aug 11, 2016 1:36 pm

Which method would you like to see implemented then? AES 256 bit or another method?
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
vmniels
Veeam Software
 
Posts: 1575
Liked: 344 times
Joined: Mon Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Patschi » Thu Aug 11, 2016 1:47 pm

Just another workaround: You can create an encrypted file-container on the backup target and mount this container somewhere locally on the filesystem, where VAL may save the backups to. As well just a suggestion - didn't tried it.

I fully agree with you, Sebbo, that an implemented backup encryption in VAL would be even greater :) Specially in these days.
Patschi
Influencer
 
Posts: 12
Liked: 3 times
Joined: Sat Jan 17, 2015 7:16 pm
Location: Austria, Lower Austria
Full Name: Patrik Kernstock

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Thu Aug 11, 2016 1:55 pm

I wouldn't set a static method. I rather would have one or more options in the /etc/veeam/veeam.ini config file, where each user can choose his own encryption settings. Maybe something like this?
Code: Select all
[encryption]
# Enable encryption? true or false
encryptionEnabled = true

# Password, used to en- and decrypt backups
encryptionPassphrase = veryS3creTPa5sW0Rd!

# Random string used as Salt for en- and decryption
# Just set a second different strong password or get a random string here: https://www.random.org/strings/?num=1&len=20&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new
encryptionSalt = tXEgpPXJ7hNc67RzT

# Set Cipher to encrypt backups
# Get a list of available ciphers by running the following command: openssl list-cipher-algorithms
encryptionCipher = AES-256-CBC

When I'm back at home, I can send you the logic of my PHP class as idea. There are multiple methods integrated and the user can always choose between them.
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Thu Aug 11, 2016 6:13 pm

Here is it:
Code: Select all
<?php
      /**
       * Generates an unique passphrase
       * @param   $length Strength of public passphrase
       * @param   $passphrase Private passphrase
       * @param   $salt Unique salt
       * @param   $version Generate mechanism
       * @param   $algorithm Hash algorithm
       * @return   string Public passphrase
      */
      private function generatePublicPassphrase($length, $passphrase, $salt = '', $version = '1', $algorithm = 'whirlpool') {
         switch($version) {
            case 1:
               $cstrong = false;
               while(!$cstrong) {
                  if(empty($salt)) {
                     $salt = bin2hex(openssl_random_pseudo_bytes($length, $cstrong));
                  } else {
                     $cstrong = true;
                  }
                  $publicPassphrase = "1$" . $salt . "$" . hash($algorithm, $salt . get_current_user() . $passphrase);
               }
               break;
         }

         $salt = "";
         $passphrase = "";

         return $publicPassphrase;
      }
?>
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby vmniels » Fri Aug 12, 2016 6:46 am 1 person likes this post

We'll consider it as a FR. Adding a plain password in the config file however isn't something that will happen ;-). Thanks!
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
vmniels
Veeam Software
 
Posts: 1575
Liked: 344 times
Joined: Mon Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby Sebbo » Fri Aug 12, 2016 7:25 am

Even better than providing the password as command line parameter like this:
Code: Select all
veeamconfig job create --encrypt-password 'veryS3creTPa5sW0Rd!' [...]

Sure, if it's possible to ask for the password by executing the job, it should be entered without being saved in the command history.
Code: Select all
history

But please also note, that the cronjobs also should work automatically without the help of an user.

I believe, we can save the password in the config file, but we should encrypt/hash it. We also could save it in the database of Veeam... ;)
Sebbo
Influencer
 
Posts: 16
Liked: never
Joined: Thu Aug 11, 2016 12:08 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby PTide » Fri Aug 12, 2016 8:08 am

But please also note, that the cronjobs also should work automatically without the help of an user.
I'm not sure that I'm following you, cronjob always works automatically unless it is disabled. Could you elaborate please?

Thanks
PTide
Veeam Software
 
Posts: 3133
Liked: 262 times
Joined: Tue May 19, 2015 1:46 pm

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby vmniels » Fri Aug 12, 2016 8:12 am

He means that if we add encryption with a password or something we have to make sure we can still run the veeam job via crontab (without adding the password in plain text in the cronjob).
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
vmniels
Veeam Software
 
Posts: 1575
Liked: 344 times
Joined: Mon Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Agent for Linux: Backup Encryption

Veeam Logoby PTide » Fri Aug 12, 2016 8:33 am

Ok, now I see. I think that we could probably store encrypted passwords in the VAL database, need to check with devs.

Thanks
PTide
Veeam Software
 
Posts: 3133
Liked: 262 times
Joined: Tue May 19, 2015 1:46 pm

Next

Return to Veeam Agent for Linux



Who is online

Users browsing this forum: Nano and 9 guests