mensa
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 02, 2017 3:10 pm
Contact:

Request password on every restore?

Post by mensa »

Hello,

Because of security purposes, I am looking for a solution which can make encrypted backups and request the password every time the backup data would be read/restored.
As far as I understood until now, Veeam is able to encrypt backups, but the used password is saved on the server, and as long as you don't change the server or re-import the backups, no password is needed to read or restore the backups.
Can that behaviour be changed so that the password is requested for every restore?

I also read that Veeam is in some cases able to restore an encrypted backup without the password. So now I am wondering why I should use that "encryption" when it can be easily ignored and the data can be decrypted without a password.

Re: Request password on every restore?

Post by mensa »

No idea?
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Request password on every restore?

Post by PTide »

Hi,

In fact, it's not that easy to ignore the encryption and restore data without having the password, as there are several conditions that have to be met. In other words, it's not like a random passerby can decrypt your backups without knowing the password. Have you checked this article already?

Thanks

Re: Request password on every restore?

Post by mensa »

Hello,

Yes, I did read the articles, and the requirements to restore without a password are not really highly secure:

> You can restore data from encrypted backups or tapes without a password only if your backup infrastructure meets the following conditions:
>   1. You use Enterprise or Enterprise Plus Edition of Veeam Backup & Replication.
>   2. The backup servers on which you encrypted data are added to Veeam Backup Enterprise Manager.
>   3. The backup server on which you generate a request for data decryption is added to Veeam Backup Enterprise Manager.

That may be good for some cases, but in my eyes an encryption which can be un-encrypted without the password is useless. So I am looking for another solution.
I read that there is one (and the only one?) Windows software which can do a 1:1 clone of the whole system drive while Windows is running: http://www.caspersecure.com
It's using a technology called "AccuClone" or so. I don't want to promote that product in any way, because it's never as perfectly integrated as Veeam is! But I just want to show that it is possible and would be a perfect way.

That means that I could create a 1:1 backup of a VeraCrypt-encrypted PC and meet the requirement that the backup is not readable without the VeraCrypt password, and it also has the advantage that after an entire restore of the PC, the encryption is already active. That would really be perfect! Can't you implement that also? Or is it technically not possible?

Re: Request password on every restore?

Post by PTide »

> which can be un-encrypted without the password is useless

Instead of a password, Veeam uses the public Enterprise Manager key that was used for data encryption, so it is not really "passwordless". Basically, Veeam provides functionality which, under certain conditions, allows you to restore the password. Anyway, I got your idea, thanks for sharing.

> Can't you implement that also? Or is it technically not possible?

Did I get it right - you want to be able to take a backup of an encrypted VM in such a way that:

1. the backup cannot be restored without the encryption software password provided

2. once restored, the system is in its encrypted state.

Is everything correct?

Re: Request password on every restore?

Post by mensa »

That thing is currently working perfectly:
- Back up an existing VM encrypted with VeraCrypt. It is backed up fully encrypted, and when I restore it, the encryption is still active. So I need the VeraCrypt password immediately after boot after the restore. I don't know why this works, but it's perfect.

I just wanted the same behaviour on a physical Windows 10 PC using Veeam Windows Agent. Is that possible?

Re: Request password on every restore?

Post by PTide »

Your request has been noted, thank you. Currently Veeam Agent for Linux supports BitLocker encryption. Does that fit your needs?

> Back up an existing VM encrypted with VeraCrypt

Since it's a VM, I'm curious why not use VMware VM encryption functionality instead of in-guest encryption?

Thanks

Re: Request password on every restore?

Post by mensa »

Don't have a KMS for vSphere, so I can't use VMware encryption at the moment.

The only thing which I am missing is:
Backup of a physical PC which does not break up the encryption. Could you please make this possible?
Like I posted, there has already been a product for quite some time which can make a 1:1 clone of itself while Windows 10 is running. So in that backup the encryption still exists, and also after a restore, the encryption is active again.
That's what I mean. Could you please make this possible?

Re: Request password on every restore?

Post by PTide »

If there is enough demand from our customers then we'll consider turning this feature request into reality. Also I'd recommend you to post your request on this sub-forum.

Thanks