jcofin13
Service Provider
Posts: 171
Liked: 18 times
Joined: Feb 01, 2016 10:09 pm
Contact:

Easiest way to check / test backup encryption cred?

Post by jcofin13 »

I'm just curious to know if there is a simple and quick way to test your backup encryption credential?

I have a situation where I have 4 or 5 backup jobs. All the encryption creds are set differently for each job. I'd like to test each one to ensure that what is documented is accurate and working. The creds were set and documented by someone other than myself, so I just want the peace of mind to know they work and not to be stuck if we ever had to rebuild and import our backups.

The only way I have ever done this or been prompted to put in the encryption cred for the job is when trying to import backup files for restore.

Is there another way that wouldn't require me having another entire Veeam server and then trying to import my main backup files from that to get the prompt to test the cred?
FrancWest
Veteran
Posts: 540
Liked: 112 times
Joined: Sep 17, 2017 3:20 am
Full Name: Franc
Contact:

Re: Easiest way to check / test backup encryption cred?

Post by FrancWest »

Using the extract utility. See here:

post532811.html#p532811

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

The article about the extract utility shows a browse button to select a VBK file... and it shows a Windows file path as the example.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Will this utility work to browse to files on a Linux hardened repo in the same way?
Mildur
Product Manager
Posts: 10277
Liked: 2746 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Easiest way to check / test backup encryption cred?

Post by Mildur »

You have to copy the files from a Hardened Repository to the Windows machine running the extract utility.
Or you can do something not recommended. Use our extract utility directly on the "Hardened Repository" machine.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

Thanks! I'll try to figure out how to copy off the LHR to a Windows machine.

I'm hoping I can copy just one VM from the Backups-->Disks--><Backup Job Name> section.

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

If I rotate (change) the encryption password on a backup job, it warns me that encryption is enabled "for the following jobs" and shows the jobs that are tied to the current creds.

If I proceed and update the encryption cred for the job, would backup jobs prior to that cred need the old password to be able to be read?

Example

Change the cred today.

Veeam server crashes.......
We rebuild it new and try to import the jobs ...
Would we need the older creds to import the older backups or would the most recent cred be enough to read the entire backup history? Does the cred manager track historical creds to be able to restore older backups in this case?

Is the newest encryption cred all that is needed to get access to the entire backup history and restore from it?

Or would those older backups prior to the cred change show up as (Disk--Encrypted) and need the old cred to be able to read and restore from them?
mriesenbeck
Enthusiast
Posts: 47
Liked: 6 times
Joined: Apr 07, 2021 10:07 am
Full Name: Michael Riesenbeck
Contact:

Re: Easiest way to check / test backup encryption cred?

Post by mriesenbeck »

You'd need the old encryption password for the older backups.

Re: Easiest way to check / test backup encryption cred?

Post by Mildur »

Hi @jcofin13

It depends on whether you're importing a VBM or VBK file. If you select a VBM file to import, only the most recent encryption password is required. However, if you're importing a VBK file, you'll need to provide all encryption passwords for that backup chain.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

Thanks. I guess it would be best practice then to keep a running history of previous creds in the event (rare) that you would need to import a VBK from a long time ago? I just want to make sure I'm doing that correctly so we don't get into a situation where we need to import a VBK and then don't have the old password to allow for restores.
gcg
Novice
Posts: 5
Liked: 1 time
Joined: Jun 21, 2024 4:48 pm
Contact:

Re: Easiest way to check / test backup encryption cred?

Post by gcg »

" I guess it would be best practice then to keep a running history of previous creds in the event (rare) that you would need to import a vbk from a long time ago? "

Yes, but if you have VBEM in place with password loss protection (it's referenced in the article Fabian posted), then VBEM will keep all of that and you can do the restore by requesting the password from VBEM. I've had to do that a few times as we only recently took over management of our customer's Veeam environment and no one remembers what the old keys were, and it works like a champ.

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

Hmm... I tried in a test environment to extract a VM from the backup and then try to open it with the Veeam Backup Extraction Utility. It does prompt for the cred. If the cred is wrong it says it's incorrect and if it is correct it says "Cannot decrypt keyset with user password"

Am I missing something?

Re: Easiest way to check / test backup encryption cred?

Post by jcofin13 »

Also, in the lab I just changed my encryption password on the job.

I then exported the job from last week. I was able to use the encryption password I just set today to read the old backup file from last week.

If this is normal behavior... and I find that I don't have the proper encryption cred for one of my backups, couldn't I just reset it (and document it) and be all set? If a brand new cred can read old backups I don't see a reason to keep the older versions of the passwords.

Also, in production I do have ent manager and password recovery abilities. Will this allow me to see my current credential so I can document it or will it only allow me to restore from it?

All I'm trying to do is verify my encryption creds all work as they are documented and if they don't, update them and document them.

Re: Easiest way to check / test backup encryption cred?

Post by mriesenbeck »

Neither in Enterprise Manager nor in the VBR console can you see the stored passwords. And I'm pretty sure not in the database itself either. That would be a security risk in itself. We typically create a recovery key with the creation date and a password hint in the description, and keep a record of all r keys in our password database with the date when each key started being used. That way you always know which one to use. And if everything fails, EM is your best friend.
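
The dated key record described in the last post, combined with the VBM/VBK rule from Fabian's reply, sketched as an added example (not code from any poster or from Veeam). The ledger layout, the job name, the hints and the function name `keys_for_chain` are all constructed for illustration, and it assumes a key applies from its start date until the next entry's start date.

```python
from bisect import bisect_right
from datetime import date

# Constructed sample ledger: one entry per key with its start date and hint.
# The passwords themselves stay in the password database, not in this record.
KEY_LEDGER = {
    "Job-A": [
        (date(2023, 1, 10), "hint: original key"),
        (date(2024, 3, 1), "hint: rotated after audit"),
        (date(2025, 2, 15), "hint: current key"),
    ],
}


def keys_for_chain(ledger, job, restore_points, via="vbk"):
    """Return (needed_entries, undocumented_points) for an import.

    From the thread: a VBM import needs only the most recent password,
    a VBK import needs every password used across the backup chain.
    Assumption of this example: a key is in use from its start date
    until the start date of the next ledger entry.
    """
    entries = sorted(ledger.get(job, []))
    if not entries:
        # Nothing documented for this job: every restore point is a gap.
        return [], sorted(restore_points)
    if via == "vbm":
        return [entries[-1]], []
    starts = [entry[0] for entry in entries]
    needed, undocumented = set(), []
    for point in restore_points:
        # Index of the last key that started on or before this restore point.
        idx = bisect_right(starts, point) - 1
        if idx < 0:
            undocumented.append(point)  # older than any documented key
        else:
            needed.add(idx)
    return [entries[i] for i in sorted(needed)], sorted(undocumented)


if __name__ == "__main__":
    # Constructed restore point dates for one chain.
    chain = [date(2022, 12, 1), date(2024, 2, 20), date(2024, 3, 5)]
    needed, gaps = keys_for_chain(KEY_LEDGER, "Job-A", chain)
    for start, hint in needed:
        print(f"need key in use from {start} ({hint})")
    for point in gaps:
        print(f"no documented key covers restore point {point}")
```

Restore points reported as undocumented are the ones to verify first with the extract utility, or to recover through Enterprise Manager, while the server is still healthy.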