Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API, utilizing a per-deployment unique encryption salt and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.
This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to the configuration database (VeeamBackup), the EncryptionSalt value secured within the registry, and the Windows machine where Veeam Backup & Replication is installed.
For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.
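The property described above can be seen with DPAPI itself. The following is an added illustration, not Veeam's code and not part of the original article: it protects a constructed secret at machine scope with a constructed salt, then checks which inputs are needed to reverse it. It assumes Windows PowerShell 5.1 and assumes the salt plays the role of DPAPI's optional entropy; the helper name Test-Unprotect and all values are hypothetical, and nothing here reads the Veeam database or registry.

```powershell
# Added illustration: DPAPI machine-scope protection with an extra salt.
# Every value below is constructed for the demonstration.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-service-password')

# Constructed stand-in for a per-deployment salt (assumption: used as DPAPI entropy).
$salt = New-Object byte[] 32
$rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($salt)
$rng.Dispose()

# A second, unrelated salt to show that a wrong value does not decrypt the blob.
$otherSalt = New-Object byte[] 32
$otherSalt[0] = 1

# Protect at machine scope: the blob is tied to this Windows installation,
# not to the user account that created it.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $salt, $scope)

function Test-Unprotect {
    # Hypothetical helper: returns the plaintext, or $null if DPAPI refuses.
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, $scope)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } catch {
        return $null
    }
}

# Compare the three cases: correct salt, no salt, wrong salt.
[pscustomobject]@{
    CorrectSalt = Test-Unprotect $blob $salt
    NoSalt      = Test-Unprotect $blob $null
    WrongSalt   = Test-Unprotect $blob $otherSalt
} | Format-List
```

Because the scope is LocalMachine, the same result is obtained under any account on that host that can read both the blob and the salt, which is why access to the backup server, its registry and its configuration database all need to be restricted together.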
For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains
Starting in Veeam Backup & Replication 12.1.x, a new encryption method is used for all new passwords. However, if a deployment was upgraded from version 12.0.x or older, the existing passwords will remain encrypted in the database using the old encryption method.
Note: Passwords stored using the legacy (unsalted) encryption method from before the upgrade are updated to the new encryption method only when a user updates the password within the Credentials Manager. (Even if the password didn't change, simply retyping it into the password field and saving it will cause the password to be encrypted using the modern salting method.)
This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.
The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.
The file and database locations below are based on the default install locations for Veeam Backup & Replication.
In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.
Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.
This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.
Microsoft SQL Query:
The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.