Improving security of backups - case ID# 01236063

[VeaamGuy]

When an encrypted backup is restored there is no prompt for the backup password.
For better security in case a user's Active Directory account does get compromised asking for the encryption password before performing the restore would be a very good security feature.

Can this be a simple implementation in the next product update? Or even better, is there a way to enable it right now by editing a setting or modifying a windows registry key, that would be awesome.

Cheers.

[veremin]

From where the restore was initiated? From the same backup console that created a backup? Was a backup still shown under backups node or it was imported from a different place? Were you using the same account for creating and restoring backup? Thanks.

[VeaamGuy]

Sorry for the late reply.
The restore is initiated from the same backup console using the same account. Having said that I also tried to initiate the restore on the same server in the Veeam console with another user account and still doesn't ask me for for the encryption password.

Backup was showing under the backup node (if by backup node you mean under "Jobs" > "Backup") and it is not an imported backup.

Received the response from Veeam Helpdesk as below so can this please be added for future updates? It would be good for Veeam to prompt for a password for all restores or atleast have it as an option in the configuration for people who need to use it can enable it.

Hello Rushad,

Thanks for your reply.

"As mentioned I am referring to a standard restore and not an import"
What do you mean a standard restore, could you please clarify? There are 3 options to restore the backups:

1. To import it first and then perform the operation.
This option requires the password for encrypted backup when you do importing: http://prntscr.com/8smc95

2. To do the double-click on backup file.
This option opens Veeam console for you and the first thing it asks is a password it has been protected with: http://prntscr.com/9f6qxv

3. Use Powershell cmdlet.

"If a user’s Active Directory account is compromised the hacker can login and have access to a lot more systems via the backups than his account would allow for which is a big risk"
That's true. If the Administrator account has been compromised, and the thief has an access to the console that has all backups already imported, he will be able to restore any of those.

The second factor of authentication could be implemented as a feature request.You might want to submit the one on our official forum: http://forums.veeam.com/

There are no definite road maps for future releases, however our product management team reviews all requests on forum and the most valuable are submitted.

Please let me know if you have any other questions.

[VeaamGuy]

Hi guys,
Any update on this? Has it been taken in to account for future improvements? Thanks.

[Gostev]

Hi, Rushad. No updates yet, as nobody else has requested this feature besides you, as you can see. We prioritize all pending features based on the amount of requests. Thanks!

[ober72]

Hi Folks,

My bad I thought I had read that this is exactly what happens. I am certain that the first time after running an encrypted backup and then trying a restore it asked for a password but now I see that it must cache this password. I would like to see this feature as well.

cheers