
How to Recover Account Credentials From the Veeam Backup & Replication Database

KB ID: 4349
Product: Veeam Backup & Replication | 11 | 12 | 12.1
Veeam Cloud Connect | 11 | 12
Published: 2022-12-08
Last Modified: 2024-01-03

Select the tab that matches the deployed version of Veeam Backup & Replication. The contents of the three tabs (12.1, 12, and 11) follow in that order.

Veeam Backup & Replication 12.1

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in a form that the software can decrypt and then use to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted with the Microsoft Data Protection API (DPAPI) in machine scope, using a per-deployment unique encryption salt as the DPAPI entropy together with the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, so that the encrypted credentials can only be decrypted on the Windows machine where Veeam Backup & Replication is installed.

Storing account credentials in a state that the software can later decrypt is common to all software that must take actions on behalf of users. Whenever credentials are stored so that software can later use them on the user's behalf, any user with access to that machine can decrypt them with the same decrypt calls the software would use. Likewise, the encrypted credentials stored by Veeam Backup & Replication can be decrypted by a user who has access to the configuration database (VeeamBackup), the EncryptionSalt value held in the registry, and the Windows machine where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

 

Key Points:
  • Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires all of the following:
    • Access to the Configuration Database to acquire the encrypted account credentials.
    • Access to the registry to acquire the EncryptionSalt value.
    • Access to the Veeam Backup Server to execute the native Windows commands that decrypt the account credentials from the database.
  • Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
  • Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
  • Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
  • The native Windows commands that decrypt a stored value from its encrypted password and the encryption salt can be run by any user who can execute code on the Veeam Backup Server: DPAPI machine scope does not restrict decryption to the account that encrypted the data.
  • The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.
Legacy Encryption Method for VBR Upgrades

Starting with Veeam Backup & Replication 12.1, a new encryption method is used for all new passwords. However, if a deployment was upgraded from version 12.0 or older, the existing passwords remain encrypted in the database using the old encryption method.

  • If the encrypted password value listed in the database begins with the letter 'A', use the decryption method described in the Veeam Backup & Replication 12 tab.
  • If the encrypted password value listed in the database begins with the letter 'V', use the decryption method described below for the new salted encryption method.

Note: Passwords stored using the legacy (unsalted) encryption method from before the upgrade are re-encrypted with the new method only when a user updates the password within the Credentials Manager. (Even if the password did not change, simply retyping it into the password field and saving causes it to be encrypted using the new salted method.)

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

  1. Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
    Refer to KB1471 for Veeam Database Location Details.
Microsoft SQL Query:
SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
PostgreSQL Query:
SELECT user_name,password,description,change_time_utc FROM credentials
If the encrypted password value starts with the letter 'A', please review the statement at the top of this article about legacy encrypted passwords.
  2. Collect the EncryptionSalt from the Registry of the Veeam Backup Server.

    Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\Data
  3. Update the following PowerShell script with the encrypted password value from the database and the encryption salt. Then, execute the script.
# Add encrypted value from the configuration database with single quotes. ('value' not '"value"')
$context = 'encrypted-password-value-from-database'

# Add EncryptionSalt value from registry HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\Data
$saltbase = 'EncryptionSalt'

# Make no changes below this line
Add-Type -AssemblyName System.Security
$salt = [System.Convert]::FromBase64String($saltbase)
$data = [System.Convert]::FromBase64String($context)

# Render the stored value as hex and drop the first 74 hex characters (37 bytes) of header;
# the bytes that remain are the DPAPI blob.
$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($data.Length * 2)
foreach ($byte in $data) {$hex.AppendFormat("{0:x2}", $byte) > $null}
$hex = $hex.ToString().Substring(74,$hex.Length-74)
$data = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
for ($i = 0; $i -lt $hex.Length; $i += 2) {$data[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)}

# Decrypt in LocalMachine scope, passing the salt as the DPAPI optional entropy.
$local = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $salt, $local)
[System.Text.Encoding]::UTF8.GetString($raw)
Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail: the same commands as in the example above end with a CryptographicException from the Unprotect call instead of the recovered password, because the DPAPI machine key of the other machine cannot open the blob.
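The three steps above (query the Credentials table, read the EncryptionSalt, decrypt) collected into one script, as an added example that is not Veeam's code and is not part of the supported procedure. It also covers the legacy-versus-salted distinction from the "Legacy Encryption Method for VBR Upgrades" section and the single-value decryption in the 12 and 11 tabs, choosing the format from the first character of each stored value. It assumes an elevated Windows PowerShell console on the backup server, an account with integrated-security access to a SQL Server-hosted VeeamBackup database, and that EncryptionSalt is a base64 string in the registry (as the article's script treats it). The SQL Server instance name in the usage lines is a placeholder. For a PostgreSQL-hosted database, copy values from the query result and call Unprotect-VbrCredential on them directly.

```powershell
# Added example, not Veeam's code. Decrypts credentials stored by a 12.1 deployment, handling
# both the legacy ('A...') and the salted ('V...') storage formats described in this article.
# Assumptions: elevated Windows PowerShell on the backup server; integrated-security access to a
# SQL Server-hosted VeeamBackup database; EncryptionSalt stored as a base64 string.

Add-Type -AssemblyName System.Security

function Get-VbrEncryptionSalt {
    # EncryptionSalt lives under the Data key (step 2 of the procedure above).
    $key = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\Data'
    $b64 = (Get-ItemProperty -Path $key -Name EncryptionSalt -ErrorAction Stop).EncryptionSalt
    return [Convert]::FromBase64String($b64)
}

function Get-VbrCredentialFormat {
    param([string] $EncryptedValue)
    if ([string]::IsNullOrEmpty($EncryptedValue)) { return 'empty' }
    switch -CaseSensitive ($EncryptedValue.Substring(0, 1)) {
        'A' { return 'legacy' }   # unsalted DPAPI blob written by 12.0 or older
        'V' { return 'salted' }   # 12.1 header followed by a DPAPI blob protected with the salt as entropy
        default { return 'unknown' }
    }
}

function Unprotect-VbrCredential {
    param(
        [Parameter(Mandatory)] [string] $EncryptedValue,
        [byte[]] $Salt
    )
    $scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    $bytes = [Convert]::FromBase64String($EncryptedValue)
    switch (Get-VbrCredentialFormat $EncryptedValue) {
        'legacy' {
            $blob = $bytes
            $entropy = $null
        }
        'salted' {
            # The article's script skips 74 hex characters, i.e. the first 37 bytes, before the DPAPI blob.
            if ($bytes.Length -le 37) { throw "Salted value is too short to contain a DPAPI blob" }
            if (-not $Salt) { throw "Salted values need the EncryptionSalt from the registry" }
            $blob = [byte[]] ($bytes[37..($bytes.Length - 1)])
            $entropy = $Salt
        }
        default { throw "Unrecognised credential format for value starting '$($EncryptedValue.Substring(0, 1))'" }
    }
    try {
        $raw = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure seen on any machine other than the backup server, or with the wrong salt.
        throw "DPAPI could not decrypt the value (wrong machine or wrong salt): $($_.Exception.Message)"
    }
    return [System.Text.Encoding]::UTF8.GetString($raw)
}

function Get-VbrStoredCredential {
    param(
        [Parameter(Mandatory)] [string] $DataSource,   # e.g. 'localhost\VEEAMSQL2016' (placeholder)
        [string] $Database = 'VeeamBackup',
        [switch] $ListOnly                              # report storage formats without decrypting
    )
    $salt = if ($ListOnly) { $null } else { Get-VbrEncryptionSalt }
    $conn = [System.Data.SqlClient.SqlConnection]::new(
        "Data Source=$DataSource;Initial Catalog=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT user_name, password, description, change_time_utc FROM [dbo].[Credentials]'
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $enc = [string] $reader['password']          # DBNull becomes an empty string
            $format = Get-VbrCredentialFormat $enc
            $plain = $null
            if (-not $ListOnly -and $format -in @('legacy', 'salted')) {
                $plain = Unprotect-VbrCredential -EncryptedValue $enc -Salt $salt
            }
            [pscustomobject] @{
                user_name       = $reader['user_name']
                format          = $format
                password        = $plain
                description     = $reader['description']
                change_time_utc = $reader['change_time_utc']
            }
        }
    } finally {
        $conn.Close()
    }
}

# Inventory first: rows reported as 'legacy' have not been re-saved since the upgrade to 12.1.
Get-VbrStoredCredential -DataSource 'localhost\VEEAMSQL2016' -ListOnly | Format-Table -AutoSize
# Then decrypt on the backup server itself:
Get-VbrStoredCredential -DataSource 'localhost\VEEAMSQL2016' | Format-Table -AutoSize
```

The -ListOnly pass is the useful part for an administrator who does not want plaintext on screen: it answers which credentials still use the unsalted format and therefore should be retyped in the Credentials Manager, as the note above describes. Any CryptographicException from the decrypt pass means the script is not running on the backup server that wrote the values, or the salt pasted from the registry does not belong to this deployment.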

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Veeam Backup & Replication 12

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in a form that the software can decrypt and then use to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted with the Microsoft Data Protection API (DPAPI) in machine scope, using the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, so that the encrypted credentials can only be decrypted on the Windows machine where Veeam Backup & Replication is installed.

Storing account credentials in a state that the software can later decrypt is common to all software that must take actions on behalf of users. Whenever credentials are stored so that software can later use them on the user's behalf, any user with access to that machine can decrypt them with the same decrypt calls the software would use. Likewise, the encrypted credentials stored by Veeam Backup & Replication can be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

 

Key Points:
  • Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
    • Access to the Configuration Database to acquire the encrypted account credentials.
    • Access to the Veeam Backup Server to execute the native Windows commands that decrypt the account credentials from the database.
  • Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
  • Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
  • Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
  • The native Windows commands that decrypt the stored values can be run by any user who can execute code on the Veeam Backup Server: DPAPI machine scope does not restrict decryption to the account that encrypted the data.
  • The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

  1. Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
    Refer to KB1471 for Veeam Database Location Details.

Microsoft SQL Query:

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
PostgreSQL Query:
SELECT user_name,password,description,change_time_utc FROM credentials
  2. Update the following PowerShell script using the encrypted password value from the database, and then execute it.
# Add the encrypted value from the configuration database in single quotes.
Add-Type -AssemblyName System.Security
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
# The stored value is a DPAPI blob in LocalMachine scope with no entropy.
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail: the same commands as in the example above end with a CryptographicException from the Unprotect call instead of the recovered password, because the DPAPI machine key of the other machine cannot open the blob.

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Veeam Backup & Replication 11

The security statement, key points, purpose, and support statement for version 11 are the same as those given for version 12 above.

Credential Recovery Procedure

  1. Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
    Refer to KB1471 for Veeam Database Location Details.
SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
  2. Update the following PowerShell script using the encrypted password value from the database, and then execute it.
# Add the encrypted value from the configuration database in single quotes.
Add-Type -AssemblyName System.Security
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
# The stored value is a DPAPI blob in LocalMachine scope with no entropy.
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail: the same commands as in the example above end with a CryptographicException from the Unprotect call instead of the recovered password, because the DPAPI machine key of the other machine cannot open the blob.

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Advanced Script Example

The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.

Script Requirements
  • This script was written for Veeam Backup & Replication 11a and older.
  • The script must be run on the Veeam Backup Server.
  • The script must be run from an Administrative PowerShell console.
  • The account used to execute the script must have access to the Configuration Database.
    Use the command whoami in the Administrative PowerShell console to verify which account will execute the script.
Support Statement
This script is provided as a courtesy and is not supported by Veeam Technical Support. Use at your own risk.
Veeam Technical Support will not assist in the usage or troubleshooting of this tool.
function Invoke-SQL {
    param(
        [string] $dataSource,
        [string] $sqlQuery = $(throw "Please specify a query."),
        [string] $database
    )
    # Integrated security: the query runs as the account that opened this console (check with whoami).
    $connectionString = "Data Source=$dataSource; Integrated Security=SSPI"
    # Append the catalog to the connection string; without it the query would run against the
    # login's default database, where [dbo].[Credentials] does not exist.
    if ($database.Length -gt 0) { $connectionString += ";Initial Catalog=$database" }
    $connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    $command = New-Object System.Data.SqlClient.SqlCommand($sqlQuery, $connection)
    $connection.Open()
    try {
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $command
        $dataset = New-Object System.Data.DataSet
        $adapter.Fill($dataset) | Out-Null
    } finally {
        $connection.Close()
    }
    return $dataset
}

function DecryptString {
    param(
        [string] $encryptedString
    )
    # Legacy (unsalted) format: the stored value is a DPAPI blob in LocalMachine scope,
    # so this only succeeds on the backup server that encrypted it.
    Add-Type -AssemblyName System.Security
    $unprotectedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [System.Convert]::FromBase64String($encryptedString),
        $null,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Text.Encoding]::UTF8.GetString($unprotectedBytes)
}

function QueryCredentials {
    param(
        [string] $dataSource,
        [string] $dbName
    )

    $query = "SELECT user_name, password, description FROM [dbo].[Credentials]"
    $dataSet = Invoke-SQL $dataSource $query $dbName

    $results = @()
    foreach ($row in $dataSet.Tables[0].Rows) {
        $password = "<not set>"
        # A NULL column comes back as DBNull, which casts to an empty string.
        if (-not [string]::IsNullOrEmpty([string]$row.password)) {
            $password = DecryptString $row.password
        }
        $results += [pscustomobject]@{login = $row.user_name; password = $password; description = $row.description}
    }

    $results | Format-Table
}

# Locate the configuration database from the registry values written at install time.
$brKey = Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" -ErrorAction SilentlyContinue

if ($null -eq $brKey) {
    # Fallback: enumerate the local SQL Server instances and look for databases named *veeam*.
    $sqlKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server"
    $installedInstances = $sqlKey.InstalledInstances
    foreach ($instance in $installedInstances) {
        $dataSource = "localhost\$instance"
        $query = "select [name] as database_name, database_id, create_date from sys.databases order by name"
        $dataSet = Invoke-SQL $dataSource $query
        $databases = @()
        foreach ($row in $dataSet.Tables[0].Rows) {
            if ($row.database_name -like "*veeam*") { $databases += $row.database_name }
        }

        foreach ($dbName in $databases) {
            QueryCredentials $dataSource $dbName
        }
    }
} else {
    $serverName = $brKey.SqlServerName
    $instanceName = $brKey.SqlInstanceName
    $dbName = $brKey.SqlDatabaseName
    # A default (unnamed) instance is addressed by the server name alone.
    $dataSource = if ($instanceName) { "$serverName\$instanceName" } else { $serverName }

    QueryCredentials $dataSource $dbName
}