Encryption of User Credentials

When you set up the backup job, you sometimes provide user credentials in the job configuration. You may need to provide user credentials in the following cases:

You target the backup job at a shared folder that requires user authentication.
You target the backup job at a Veeam backup repository that requires user authentication.
You enable application-aware processing for the backup job and need to provide credentials for a database administrator account (Microsoft SQL Server, Microsoft SharePoint or Oracle), or credentials for a user account under which pre-freeze and post-thaw scripts are executed.

Veeam Agent Configurator lets you provide user credentials in two ways:

You can provide user credentials in the input XML file. This method can be used for all credentials records that you need to specify in the backup job configuration. For more information, see How User Credentials are Encrypted.
You can provide user credentials in parameters to the -import command. This method can be used only if you plan to change the backup target to a Veeam backup repository, and the Veeam backup repository requires user authentication. For more information, see Import.

Encryption of User Credentials NOTE

User credentials for a Veeam backup repository can be provided in parameters to the -import command and in the input XML file. Veeam Agent Configurator handles conflict situations in the following way:

If user credentials are provided in the command parameters and in the input XML file, Veeam Agent Configurator uses credentials from the command parameters.
If user credentials are provided only in the input XML file, Veeam Agent Configurator uses credentials from the input XML file.
If user credentials are provided neither in the command parameters nor in the input XML file, Veeam Agent Configurator uses credentials that were previously specified in the backup job configuration.

How User Credentials are Encrypted

To protect you against data interception, Veeam Agent Configurator supports encryption mechanisms for user credentials.

When you set up the backup job configuration, you can encrypt user credentials with one of encryption methods that Veeam Agent Configurator supports. In the input XML file, you must provide the encrypted credentials strings and define which method is used for data encryption. During job configuration import, Veeam Agent Configurator decrypts the credentials with the necessary decryption method.

To encrypt user credentials, you must perform the following actions:

Encrypt the password. The user name is not encrypted; you must provide it as a text string encoded in the Base64 format.

You must encrypt the user password in the following way:

Encode the password as a byte array in the UTF-8 format.
Encrypt the byte array with one of supported encryption methods.
Convert the encrypted byte array to the Base64 format.

Encryption of User Credentials NOTE

If the user password starts with the 'SHA256HEX:' prefix followed by a space ( ), Veeam Agent Configurator considers the remaining part of the string to be a password hash in the hexadecimal format.

In the input XML file, provide the user name encoded in the Base64 format and encrypted user password.
In the CryptType parameter of the input XML file, define the method that Veeam Agent Configurator must use to decrypt the user password. For more information, see Supported Encryption Methods.

Encryption of User Credentials NOTE

During configuration export, Veeam Agent for Microsoft Windows does not store password values to the output XML file.