Forum Discussion

TapeDude's avatar
TapeDude
Level 3
3 months ago

Recovering encryption key from Backup Exec 14.1 SQL database

So... I have to recover some data from a Backup Exec LTO. The desired backup set is encrypted, and, naturally, no one remembers the keyname/passphrase. So I can't recreate it.

However... one of the other backup sets on the tape is the Backup Exec SQL database (BKUPEXEC), and it is not encrypted. My understanding is that the database can be restored, and it will contain the magic key... but it's not at all clear to me how I go about restoring the database.

I am using BE 15 (14.2) and have bumbled about trying to restore BKUPEXEC (starting with the master, as recommended by the restore dialog hints) to the same installation, and to an installation on a different machine, but all I get is messages like: 

Completed status: Failed
Final error: 0xe00084a4 - The SQL Server system databases (master, model, msdb) and the Backup Exec database (bedb) cannot be directly restored on the active Backup Exec SQL Server instance.  It can be accomplished with a remote media server. Please consult documentation for instructions on how to accomplish this task.
Final error category: Job Errors

For additional information regarding this error refer to link V-79-57344-33956

the V-79-57344-33956 link is dead. I've tried to find other references but only found this, here:

https://vox.veritas.com/discussions/backup-exec/the-active-backup-exec-sql-server-instance-cannot-have-its-master-database/115808

which seems to be implying you can only restore a database (using BEUtil.exe) from backup files on disc... but that doesn't make any sense, why would they allow you to back the databases onto tape if you can't restore them somehow??

Any pointers would be very welcome!

2 Replies

  • ajin's avatar
    ajin
    Level 2
    3 months ago

    If your BEDB backed up to tape is readable then restore it to a separate SQL instance using BEUtility and read the key from the recovered database. If the BEDB files are corrupt and you cannot restore them normally then a specialist repair tool such as Stellar Repair for MS SQL can repair damaged MDF and NDF files, preview the recovered database objects and let you export the encryption key/table back into SQL. I recommend trying Stellar’s free demo first so you can confirm the key is recoverable before purchasing.

  • pkh's avatar
    pkh
    Moderator
    3 months ago

    The encryption key cannot be extracted from the BEDB.  It can only be used if it is present in the BEDB.

    You need to do the following

    1) Restore the BEDB.bak to disk if it is found on the tape.

    2) Use BEUtil to restore the backup file to your BEDB.  Note that this will bring the BEDB to the state when the backup is taken.  Everything since that point would be gone.

    3) Restore the tape and hopefully the encryption password is in the BEDB.

    For step 2, if you don't want to wipe out your existing BEDB,  You can either backup the BEDB, restore the BEDB from the backup, restore the tape and then restore the BEDB to the present state.  Or, create brand-new BE Server on another machine,  restore the old BEDB and then restore the tape.

    P.S.  For newer versions of BE, the BEDB itself is encrypted.  If the BEDB encryption key is not backed up and used, then the BEDB cannot be restored from its backup.