How to Recover Credentials From the Veeam Backup & Replication Database

KB ID: 4349
Product: Veeam Backup & Replication
Veeam Cloud Connect
Published: 2022-12-08
Last Modified: 2022-12-09
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Security Statement

Since the credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted password can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of passwords in a state which the software can later decrypt is shared among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

 

Key Points:
  • Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
    • Access to the Configuration Database to acquire the encrypted password.
    • Access to the Veeam Backup Server to execute the native windows commands to decrypt the password from the database.
  • Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
  • Credentials can only be recovered by executing code from the machine where Veeam Backup & Replication is installed.
  • Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
  • The native Windows commands used to recover the encrypted credentials can be performed by any user.
  • The ability to recover the passwords from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover credentials stored within the Veeam Backup & Replication configuration database.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

  1. Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following SQL query.
    Refer to KB1471 for Veeam Database Location Details.
SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
  1. Update the following PowerShell script using the encrypted password value from the database, and then Execute.
Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
PW Decrypt
Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail, as shown below.
Note that the same commands as the example above are used.
PW Decrypt Fail

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Advanced Script Example

The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.

Script Requirements
  • The script must be run on the Veeam Backup Server.
  • The script must be run from an Administrative PowerShell console.
  • The account used to execute the script must have access to the Configuration Database.
    Use the command whoami in the Administrative PowerShell console to verify which account will execute the script.
Support Statement
This script is provided as a courtesy and is not supported by Veeam Technical Support. Use at your own risk.
Veeam Technical Support will not assist in the usage or troubleshooting of this tool.
function Invoke-SQL {
    param(
        $dataSource,
        $sqlQuery = $(throw "Please specify a query."),
        $database
      )
    $connectionString = "Data Source=$dataSource; " + "Integrated Security=SSPI"
    if ($database.Length -gt 0) { $connectionString + ";Initial Catalog=$database" }
    $connection = new-object system.data.SqlClient.SQLConnection($connectionString)
    $command = new-object system.data.sqlclient.sqlcommand($sqlQuery,$connection)
    $connection.Open()
    $adapter = New-Object System.Data.sqlclient.sqlDataAdapter $command
    $dataset = New-Object System.Data.DataSet
    $adapter.Fill($dataSet) | Out-Null
    $connection.Close()
	return $dataset
}
function DecryptString {
    param(
        [string] $encryptedString
    )
    [reflection.assembly]::LoadWithPartialName('System.Security') | Out-Null
    $unprotectedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String($encryptedString), $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $string = [System.Text.Encoding]::UTF8.GetString($unprotectedBytes)
    return $string
}
function QueryCredentials {
    param(
        [string] $dataSource,
        [string] $dbName
      )
    $query = "SELECT user_name, password, description FROM [VeeamBackup].[dbo].[Credentials]"
    $dataSet = Invoke-SQL $dataSource $query $dbName
    $results = @()
    foreach ($row in $dataSet.Tables[0].Rows) {
        $password = "<not set>"
        if ($row.password -ne "") {
            $password = DecryptString($row.password)
        }
        $results += [pscustomobject]@{login = $row.user_name; password = $password; description = $row.description}
    }
    $results | Format-Table
}
$brKey = Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"
if ($brKey -eq $null) {
    $sqlKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server"
    $installedInstances = $sqlKey.InstalledInstances
    foreach($instance in $installedInstances) {
        $dataSource = "localhost" + "\" + $instance
        $dbName = "sys"
        $query = "select [name] as database_name, database_id, create_date from sys.databases order by name"
        $dataSet = Invoke-SQL $datasource $query
        $databases = @()
        foreach($row in $dataSet.Tables[0].Rows) {
            if ($row.database_name -like "*veeam*") { $databases += $row.database_name }
        }
        foreach($dbName in $databases) {
            QueryCredentials $dataSource $dbName
        }
    }
} else {
    $serverName = $brKey.SqlServerName
    $instanceName = $brKey.SqlInstanceName
    $dbName = $brKey.SqlDatabaseName
    $dataSource = $serverName + "\" + $instanceName
    QueryCredentials $dataSource $dbName
}
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.