Loading...
Loading...
All credentials and backup encryption keys become unusable after manually migrating Veeam Backup and Replication software to a different machine. The term "manual migration," in this case, refers to the process of installing Veeam Backup & Replication on a new system and directing it to use the configuration database from a prior Veeam Backup & Replication installation on a different machine. Example: Veeam Backup & Replication was initially deployed on a virtual machine with its configuration database hosted on a remote dedicated SQL server. As the company expanded, it was decided to construct a dedicated physical server for running Veeam Backup & Replication. The original Veeam Backup & Replication server was decommissioned, and the software was then installed on the new physical server. During this installation, the installer was set to connect to the pre-existing configuration database on the remote dedicated SQL server. Although Veeam Backup & Replication successfully completed the installation and preserved job configurations, the credentials stored in the configuration database could not be decrypted and used due to the change in hardware.
Veeam Backup & Replication encrypts saved credentials using native Microsoft Data Protection API, a certified cryptographic solution built-in to all Windows OSes, by leveraging the unique MachineKey of the Windows OS where the software is installed to ensure the saved credentials can only be decrypted locally on the backup server – but never from a copy of configuration database. The password encryption is further secured by utilizing an encryption salt unique to each backup server and stored in a registry key only accessible by an account with local administrator privileges. These measures ensure that saved credentials can only be decrypted locally on the backup server and by users with the highest privileges. Accordingly, a new Veeam Backup & Replication deployment cannot decrypt that data if installed on a different machine, because it has neither the original machine's unique MachineKey nor the encryption salt from the original machine.
The recommended method to migrate the Veeam Backup & Replication software is documented here:Migrating Veeam Backup & Replication to Another Backup Server If a configuration backup is not available and manual migration is the only option available, after doing so, all encrypted data within the database will have to be manually updated.Advice: If it is not possible to migrate Veeam Backup & Replication according to the directions in the user guide, please get in touch with Veeam Support for assistance. Use the "Manage Credentials" option to re-enter all passwords. All encrypted backup sets need to be removed from the configuration and then rescanned back into the inventory, their decryption password provided, and then remapped to their respective jobs. If you are using Enterprise Manager, please contact Veeam technical support to remove the crypto-info about the EM master key from the VeeamBackup database.
Click on a version to see all relevant bugs
Veeam Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.