In this blog, we will demonstrate one of the things that can go wrong when someone gets a hold of your Veeam Backup & Replication server administrative credentials. They can do more than “just” delete all your backups, replicas, etc. When they can log on to the Veeam Backup & Replication Server itself, they can also grab all the credentials from the Veeam configuration database. Those credentials normally have privileges that you do not want to fall into the wrong hands. These are quite literally the keys to the kingdom. Hence, protecting your Veeam Backup & Replication Server is critical.

Protecting your Veeam Backup & Replication Server is critical

Security is not about one feature, technology or action. It requires physical security to start with. You also need to adhere to the principles of least privilege rigorously. All this while locking down access, reducing the attack surface, leveraging segmentation, etc.

A key element lies in prevention. You must avoid the harvesting of those credentials. For this reason, you absolutely must practice privileged credential hygiene. Today you also want to leverage multi-factor authentication in order to protect access even better. All this, and more, prevents unauthorized access in the first place. Read Veeam Backup & Replication 9.5 Update 3 - Infrastructure Hardening for more details on this.

Add MFA to protect your credentials from being abused when compromised

Veeam Backup & Replication itself requires credentials to do its work of protecting data and workloads: access to servers, proxies, repositories, interaction with virtual machines, etc. Veeam encrypts the passwords of these users via strong encryption. They use the Microsoft CryptoAPI (FIPS certified) with the machine-specific encryption key for this. As a side note, you might have seen the big fuss around the critical vulnerability in January 2020 regarding CryptoAPI. This is a reminder of why you need to keep your systems patched.

The machine-specific key ensures that decryption of those passwords on a host other than the one where they were encrypted fails. This means that even if someone steals the configuration database, or in some shape, way or form gets a hold of the encrypted passwords in the database, they cannot be decrypted. This is an industry standard and quite safe.

What you need to know is that when someone gains access to your machine with local administrative rights, all bets are off. The moment an attacker logs on to the Veeam Backup & Replication server with administrative rights, it is game over. They will be able to grant themselves access to SQL Server and query it for the credentials. With that information, all they need to do is load and use a Veeam DLL to decrypt them. When this runs on the server where you encrypted them, this will succeed. If anyone gets hold of the encrypted passwords and tries to decrypt them on another host, this will fail as that host has the wrong machine-specific key.

Let me emphasize once more that this is not an insecure implementation by Veeam. When you store encrypted passwords for a service, that service must be able to decrypt them. You cannot get the passwords via the GUI or the Veeam PowerShell commands.

Sample code to prove that protecting your Veeam Backup & Replication Server is critical

I assembled a little PowerShell script that grabs the data from the Veeam configuration database. For this purpose, I filter out the passwords that have an empty string. We loop through the ones that remain and decrypt the passwords. In the end, I decided not to post the script as it might help people with bad intentions. I know it won’t stop bad actors cold in their tracks and maybe I will update this post later.

Sorry, right now you can only see the output below from an example VBR Server. In the screenshot below you can see the results. This is a demo lab with demo credentials, so no worries about showing this to you.