Encryption of User Credentials
When you set up the backup job, you sometimes provide user credentials in the job configuration. You may need to provide user credentials in the following cases:
- You target the backup job at a shared folder that requires user authentication.
- You target the backup job at a Veeam backup repository that requires user authentication.
- You enable application-aware processing for the backup job and need to provide credentials for a database administrator account (Microsoft SQL Server, Microsoft SharePoint or Oracle), or credentials for a user account under which pre-freeze and post-thaw scripts are executed.
Veeam Agent Configurator lets you provide user credentials in two ways:
- You can provide user credentials in the input XML file. This method can be used for all credential records that you need to specify in the backup job configuration. For more information, see How User Credentials are Encrypted.
- You can provide user credentials in parameters to the -import command. This method can be used only if you plan to change the backup target to a Veeam backup repository, and the Veeam backup repository requires user authentication. For more information, see Import.
User credentials for a Veeam backup repository can be provided in parameters to the -import command and in the input XML file. Veeam Agent Configurator handles conflict situations in the following way:
How User Credentials are Encrypted
To protect you against data interception, Veeam Agent Configurator supports encryption mechanisms for user credentials.
When you set up the backup job configuration, you can encrypt user credentials with one of the encryption methods that Veeam Agent Configurator supports. In the input XML file, you must provide the encrypted credential strings and define which method is used for data encryption. During job configuration import, Veeam Agent Configurator decrypts the credentials with the corresponding decryption method.
To encrypt user credentials, you must perform the following actions:
- Encrypt the password. The user name is not encrypted; you must provide it as a text string encoded in the Base64 format.
  You must encrypt the user password in the following way:
  - Encode the password as a byte array in the UTF-8 format.
  - Encrypt the byte array with one of the supported encryption methods.
  - Convert the encrypted byte array to the Base64 format.
  If the user password starts with the 'SHA256HEX:' prefix followed by a space ( ), Veeam Agent Configurator considers the remaining part of the string to be a password hash in the hexadecimal format.
- In the input XML file, provide the user name encoded in the Base64 format and the encrypted user password.
- In the CryptType parameter of the input XML file, define the method that Veeam Agent Configurator must use to decrypt the user password. For more information, see Supported Encryption Methods.
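The encoding steps above, together with the 'SHA256HEX: ' rule, as an added Python example (not Veeam code). The cipher is supplied by the caller; `stand_in_cipher`, the dictionary keys, UTF-8 for the user name and the 64-hex-digit check are assumptions made here, and the CryptType value is a placeholder to be taken from Supported Encryption Methods.

```python
import base64
import re
from typing import Callable, Dict

HASH_PREFIX = "SHA256HEX: "  # prefix followed by one space, as described above
PLACEHOLDER_CRYPT_TYPE = "<CryptType value from Supported Encryption Methods>"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def password_kind(password: str) -> str:
    """Say how the string will be read after decryption: 'hash' or 'plain'."""
    if not password.startswith(HASH_PREFIX):
        return "plain"
    digest = password[len(HASH_PREFIX):]
    # Assumption: a SHA-256 digest in hexadecimal is exactly 64 hex digits.
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", digest):
        raise ValueError("starts with the hash prefix but is not a 64-digit hex string")
    return "hash"


def encrypt_password(password: str, encrypt: Callable[[bytes], bytes]) -> str:
    """UTF-8 bytes -> caller's cipher -> Base64 text."""
    password_kind(password)          # refuse an ambiguous value before sealing it
    raw = password.encode("utf-8")   # step 1: UTF-8 byte array
    sealed = encrypt(raw)            # step 2: a supported encryption method
    if sealed == raw:
        raise ValueError("encrypt() returned the input unchanged")
    return b64(sealed)               # step 3: Base64


def credential_fields(user_name: str, password: str, encrypt: Callable[[bytes], bytes],
                      crypt_type: str = PLACEHOLDER_CRYPT_TYPE) -> Dict[str, str]:
    # Keys are hypothetical labels, not element names of the input XML file.
    return {
        "user_name": b64(user_name.encode("utf-8")),  # assumption: UTF-8 before Base64
        "password": encrypt_password(password, encrypt),
        "crypt_type": crypt_type,
        "password_kind": password_kind(password),
    }


def stand_in_cipher(data: bytes) -> bytes:
    """Constructed placeholder, NOT encryption: swap in a supported method."""
    return bytes(b ^ 0x5A for b in data)


if __name__ == "__main__":
    for name, value in credential_fields("backupsvc", "pässword", stand_in_cipher).items():
        print(f"{name}: {value}")
```

A plain password that happens to begin with 'SHA256HEX: ' is rejected here rather than passed on, because after decryption it would be read as a hash.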
During configuration export, Veeam Agent for Microsoft Windows does not store password values in the output XML file.