Veeam Support Knowledge Base
How to Recover Account Credentials From the Veeam Backup & Replication Database

How to Recover Account Credentials From the Veeam Backup & Replication Database

KB ID:	4349
Product:	Veeam Backup & Replication \| 11 \| 12 Veeam Cloud Connect \| 11 \| 12
Published:	2022-12-08
Last Modified:	2023-11-10

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please try again later.

Use the tabs below to select the version of Veeam Backup & Replication for which you want to see documentation.

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the account credentials from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials can be performed by any user.
The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
Refer to KB1471 for Veeam Database Location Details.

Microsoft SQL Query:

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
                
            

SQL Server Management Studio

PostgreSQL Query:

SELECT user_name,password,description,change_time_utc FROM credentials
                
            

pgAdmin

Update the following PowerShell script using the encrypted password value from the database, and then Execute.

Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
                
            

Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail, as shown below.
Note that the same commands as the example above are used.

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Security Statement

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the account credentials from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials can be performed by any user.
The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
Refer to KB1471 for Veeam Database Location Details.

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
                
            

SQL Server Management Studio

Update the following PowerShell script using the encrypted password value from the database, and then Execute.

Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
                
            

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Advanced Script Example

The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.

Script Requirements

This script was written for Veeam Backup & Replication 11a and older.
The script must be run on the Veeam Backup Server.
The script must be run from an Administrative PowerShell console.
The account used to execute the script must have access to the Configuration Database.
^{Use the command whoami in the Administrative PowerShell console to verify which account will execute the script.}

Support Statement

This script is provided as a courtesy and is not supported by Veeam Technical Support. Use at your own risk.
Veeam Technical Support will not assist in the usage or troubleshooting of this tool.

function Invoke-SQL {
    param(
        $dataSource,
        $sqlQuery = $(throw "Please specify a query."),
        $database
      )
    $connectionString = "Data Source=$dataSource; " + "Integrated Security=SSPI"   
    if ($database.Length -gt 0) { $connectionString + ";Initial Catalog=$database" }
    $connection = new-object system.data.SqlClient.SQLConnection($connectionString)
    $command = new-object system.data.sqlclient.sqlcommand($sqlQuery,$connection)
    $connection.Open()
    $adapter = New-Object System.Data.sqlclient.sqlDataAdapter $command
    $dataset = New-Object System.Data.DataSet
    $adapter.Fill($dataSet) | Out-Null
    $connection.Close()
	return $dataset
}
function DecryptString {
    param(
        [string] $encryptedString
    )  
    [reflection.assembly]::LoadWithPartialName('System.Security') | Out-Null
    $unprotectedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String($encryptedString), $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $string = [System.Text.Encoding]::UTF8.GetString($unprotectedBytes)
    return $string
}

function QueryCredentials {
    param(
        [string] $dataSource,
        [string] $dbName
      )
    
    $query = "SELECT user_name, password, description FROM [dbo].[Credentials]"
    $dataSet = Invoke-SQL $dataSource $query $dbName

    $results = @()
    foreach ($row in $dataSet.Tables[0].Rows) {
        $password = "<not set>"
        if ($row.password -ne "") {
            $password = DecryptString($row.password)
        }
        $results += [pscustomobject]@{login = $row.user_name; password = $password; description = $row.description}
    }

    $results | Format-Table
}

$brKey = Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"

if ($brKey -eq $null) {
    $sqlKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server"
    $installedInstances = $sqlKey.InstalledInstances
    foreach($instance in $installedInstances) {
        $dataSource = "localhost" + "\" + $instance
        $dbName = "sys"
        $query = "select [name] as database_name, database_id, create_date from sys.databases order by name"
        $dataSet = Invoke-SQL $datasource $query
        $databases = @()
        foreach($row in $dataSet.Tables[0].Rows) {
            if ($row.database_name -like "*veeam*") { $databases += $row.database_name }
        }

        foreach($dbName in $databases) {
            QueryCredentials $dataSource $dbName
        }
    }
} else {

    $serverName = $brKey.SqlServerName
    $instanceName = $brKey.SqlInstanceName
    $dbName = $brKey.SqlDatabaseName
    $dataSource = $serverName + "\" + $instanceName

    QueryCredentials $dataSource $dbName

}
                
            

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.