Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.
This storing of account credentials in a state which the software can later decrypt is shared among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.
For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.
For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains
This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.
The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.
The file and database locations below are based on the default install locations for Veeam Backup & Replication.
Microsoft SQL Query:
In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.
The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case