Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.
This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.
For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.
For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains
- Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the account credentials from the database.
- Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
- Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
- Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
- The native Windows commands used to recover the encrypted credentials can be performed by any user.
- The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.