Solved

Backup encryption key testing

  • 30 August 2021
  • 9 comments
  • 3628 views

Userlevel 7
Badge +3

Is there a way to test the encryption key on backups without having to run a restore? I ran into a situation recently where the encryption password did not work on restored data. I want to setup Enterprise Manager for everyone, but in the interim, I’d like to manually test each encryption key and reset it/run a new full backup if need be.

 

Is there a way to recover an encryption key with Service Provider Console?

icon

Best answer by Mildur 30 August 2021, 16:15

View original

9 comments

Userlevel 7
Badge +12

We are testing it with the Configuration Restore Wizard.

In the Restore Wizard, there is a step to put in the password. If it works, the configuration backup was correctly decrypted. I assume it will work with the backup files too.

 

If you need to test it, install vbr on a second server and import the restore points.

VSPC cannot decrypt the passwords.

 

 

PS:

Or you can use the extract utility. It will ask for the password too.

Extract Utility - User Guide for VMware vSphere (veeam.com)

 

extract.exe -dir [-vm vmname] [-host hostname] [-password backupkey] pathtobackup

Displaying List of Machines in Backup - User Guide for VMware vSphere (veeam.com)

Userlevel 7
Badge +3

We are testing it with the Configuration Restore Wizard.

In the Restore Wizard, there is a step to put in the password. If it works, the configuration backup was correctly decrypted. I assume it will work with the backup files too.

 

If you need to test it, install vbr on a second server and import the restore points.

VSPC cannot decrypt the passwords.

 

 

PS:

Or you can use the extract utility. It will ask for the password too.

Extract Utility - User Guide for VMware vSphere (veeam.com)

 

extract.exe -dir [-vm vmname] [-host hostname] [-password backupkey] pathtobackup

Displaying List of Machines in Backup - User Guide for VMware vSphere (veeam.com)

Thank you!!!!

Userlevel 7
Badge +12

Happy to help :)

Userlevel 7
Badge +13

Let me hijack this question 😉

Does anyone have any idea how to easily test encryption passwords for backups stored in object storage? So without having to setup a fresh VBR installation and import the backups there?

 

Userlevel 7
Badge +3

Let me hijack this question 😉

Does anyone have any idea how to easily test encryption passwords for backups stored in object storage? So without having to setup a fresh VBR installation and import the backups there?

 

This same solution I used might do the trick. Run the extract utility and enter the encryption password when it asks for it. That will tell you for sure if the password is working or not.

Userlevel 7
Badge +12

You cannot run the extract utility against an object storage bucket :)

VBR is required to read the objects and make any sense of it.

Userlevel 7
Badge +13

Exactly thats the problem. If we could mount a S3/blob with the extract utility, it would be easy 😅

Userlevel 7
Badge +7

crazy idea here, what about sure backup?

in V12, as we will be allowed to run a backup directly to S3, would be possible to spin a SureBackup also from an S3 location?

and to read that machine, it will need to decrypt the backup to spin up the VM.

right? or am I in Friday mode and I need a beer? 

🤣

cheers-

Userlevel 7
Badge +13

The problem is that you won't notice if anyone has maliciously changed the encryption password. As long as it present in the VBR configuration you will be able use the backups. But as soon as they keys get deleted, you can't decrypt your backups anymore.

Comment