How to Recover Account Credentials From the Veeam Backup & Replication Database

KB ID:	4349
Product:	Veeam Backup & Replication \| 11 \| 12 Veeam Cloud Connect \| 11 \| 12
Published:	2022-12-08
Last Modified:	2023-12-05

Use the tabs below to select the version of Veeam Backup & Replication for which you want to see documentation.

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API, utilizing a per-deployment unique encryption salt and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to the configuration database (VeeamBackup), the EncryptionSalt value secured within the registry, and the Windows machine where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires all of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the registry to acquire the Encryption Salt value.
- Access to the Veeam Backup Server to execute the native Windows commands to decrypt the account credentials from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials using the encrypted password and encryption salt can be performed by any user with access to the Veeam Backup Server.
The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
Refer to KB1471 for Veeam Database Location Details.

Microsoft SQL Query:

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
                           

PostgreSQL Query:

SELECT user_name,password,description,change_time_utc FROM credentials
                           

Collect the EncrpytionSalt from the Registry of the Veeam Backup Server.

Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\Data

Update the following PowerShell script with the encrypted password value from the database and the encryption salt. Then, execute the script.

# Add encrypted value from the configuration database with single quotes. ('value' not '"value"')
$context = 'encrypted-password-value-from-database'

# Add EncryptionSalt value from registry HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\Data
$saltbase = 'EncryptionSalt'

# Make no changes below this line
Add-Type -AssemblyName System.Security 
$salt = [System.Convert]::FromBase64String($saltbase)
$data = [System.Convert]::FromBase64String($context)
$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($data.Length * 2)
foreach ($byte in $data) {$hex.AppendFormat("{0:x2}", $byte) > $null}
$hex = $hex.ToString().Substring(74,$hex.Length-74)
$data = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
for ($i = 0; $i -lt $hex.Length; $i += 2) {$data[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)}
$securedPassword = [System.Convert]::ToBase64String($data)
$data = [System.Convert]::FromBase64String($securedPassword)
$local = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $salt, $local) 
[System.Text.Encoding]::UTF8.Getstring($raw)
                           

PW recovery demo - also a joke referencing https://xkcd.com/936/

Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail, as shown below.
Note that the same commands as the example above are used.

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the account credentials from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials can be performed by any user.
The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
Refer to KB1471 for Veeam Database Location Details.

Microsoft SQL Query:

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
                           

SQL Server Management Studio

PostgreSQL Query:

SELECT user_name,password,description,change_time_utc FROM credentials
                           

pgAdmin

Update the following PowerShell script using the encrypted password value from the database, and then Execute.

Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
                           

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Security Statement

Since the account credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted credentials can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of account credentials in a state which the software can later decrypt is common among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted account credentials.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the account credentials from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code on the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials can be performed by any user.
The ability to recover the account credentials from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover account credentials stored within the Veeam Backup & Replication configuration database.

The procedure detailed in this article can only be used to recover account credentials and not to recover backup encryption passwords.

Solution

It is beyond the scope of Veeam Support to assist with any of the operations outlined in this document. No support will be provided for recovering credentials from the Veeam Configuration Database.

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following query.
Refer to KB1471 for Veeam Database Location Details.

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]
                           

SQL Server Management Studio

Update the following PowerShell script using the encrypted password value from the database, and then Execute.

Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)
                           

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Advanced Script Example

The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.

Script Requirements

This script was written for Veeam Backup & Replication 11a and older.
The script must be run on the Veeam Backup Server.
The script must be run from an Administrative PowerShell console.
The account used to execute the script must have access to the Configuration Database.
^{Use the command whoami in the Administrative PowerShell console to verify which account will execute the script.}

Support Statement

This script is provided as a courtesy and is not supported by Veeam Technical Support. Use at your own risk.
Veeam Technical Support will not assist in the usage or troubleshooting of this tool.

function Invoke-SQL {
    param(
        $dataSource,
        $sqlQuery = $(throw "Please specify a query."),
        $database
      )
    $connectionString = "Data Source=$dataSource; " + "Integrated Security=SSPI"   
    if ($database.Length -gt 0) { $connectionString + ";Initial Catalog=$database" }
    $connection = new-object system.data.SqlClient.SQLConnection($connectionString)
    $command = new-object system.data.sqlclient.sqlcommand($sqlQuery,$connection)
    $connection.Open()
    $adapter = New-Object System.Data.sqlclient.sqlDataAdapter $command
    $dataset = New-Object System.Data.DataSet
    $adapter.Fill($dataSet) | Out-Null
    $connection.Close()
	return $dataset
}
function DecryptString {
    param(
        [string] $encryptedString
    )  
    [reflection.assembly]::LoadWithPartialName('System.Security') | Out-Null
    $unprotectedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String($encryptedString), $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $string = [System.Text.Encoding]::UTF8.GetString($unprotectedBytes)
    return $string
}

function QueryCredentials {
    param(
        [string] $dataSource,
        [string] $dbName
      )
    
    $query = "SELECT user_name, password, description FROM [dbo].[Credentials]"
    $dataSet = Invoke-SQL $dataSource $query $dbName

    $results = @()
    foreach ($row in $dataSet.Tables[0].Rows) {
        $password = "<not set>"
        if ($row.password -ne "") {
            $password = DecryptString($row.password)
        }
        $results += [pscustomobject]@{login = $row.user_name; password = $password; description = $row.description}
    }

    $results | Format-Table
}

$brKey = Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"

if ($brKey -eq $null) {
    $sqlKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server"
    $installedInstances = $sqlKey.InstalledInstances
    foreach($instance in $installedInstances) {
        $dataSource = "localhost" + "\" + $instance
        $dbName = "sys"
        $query = "select [name] as database_name, database_id, create_date from sys.databases order by name"
        $dataSet = Invoke-SQL $datasource $query
        $databases = @()
        foreach($row in $dataSet.Tables[0].Rows) {
            if ($row.database_name -like "*veeam*") { $databases += $row.database_name }
        }

        foreach($dbName in $databases) {
            QueryCredentials $dataSource $dbName
        }
    }
} else {

    $serverName = $brKey.SqlServerName
    $instanceName = $brKey.SqlInstanceName
    $dbName = $brKey.SqlDatabaseName
    $dataSource = $serverName + "\" + $instanceName

    QueryCredentials $dataSource $dbName

}
                           

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

How to Recover Account Credentials From the Veeam Backup & Replication Database

Security Statement

Key Points:

Purpose

Solution

Credential Recovery Procedure

More Information

Credentials Manager Cleanup

Security Statement

Key Points:

Purpose

Solution

Credential Recovery Procedure

More Information

Credentials Manager Cleanup

Security Statement

Key Points:

Purpose

Solution

Credential Recovery Procedure

More Information

Credentials Manager Cleanup

Advanced Script Example

Script Requirements

Trending Articles