Video Screencast Help

Backup Exec 2010 Encryption Key problem

Created: 03 Oct 2012 | 6 comments

Hi all,

Backup Exec 2010R2 media server in a datacentre.

Its on a workgroup - local admin account installed Backup Exec and is the only user ever to login! Local admin password has never changed!!!!

Backs up 4 different domains via remote agents on 4 different network ranges - I have a backup exec domain user account for each domain.

The same encryption key covers 5 jobs i have running for all 4 domains. Encryption key is restricted.


1 of the domains has had its backupexec domain user account password changed.

I have updated the chaged password in the Backup Exec Network logons screen for that user.

Since this change i am no longer able to edit and submit any jobs.

When i go to submit the selection change i get the error:

The restricted encryption key 'xxxxxxx' cannot be used because the key owner could not be validated within the time limit. The host server of the key owner may be inaccessible or busy. Try again later, or choose a different encryption key.

I can create a new key - but cannot use that key with eny exisiting job - throws same above error.

I can create a new key - but cannot use that key with any NEW job i create - throws same above error.

I am unable to remove the encryption key - Delete is greyed out - even though it is not associated with any backup/restore job anymore!

I have removed the encryption from all my jobs now temporarily until i get this resolved.

Can anybody please assist me.


Comments 6 CommentsJump to latest comment

Andrew` Thompson's picture

To say further:

I can create a new encryption key and make it common not restricted and assign that to my exisiting jobs.

But i cannot create any new Restricted keys/ and or use my current restricted key!

I want the key restricted.

How come i cant all of a sudden?

Colin Weaver's picture

I am wondering if another change has occurred in the system as well as what you have defined above. Possibly a change that occurred some time ago but was a not spotted because no changes needed to be made within Backlup Exec

Basically as far as I know the key owner is the logon account used to create the key in the first place. In effect the logon account logged into the windows terminal that was used to start the backup Exec console.

If this logon account no longer exists in the security database (SAM or AD) on the server concerend that you typically we see error messages similar to what you have quoted.

So I guess the question is: Are you logged in as a different user from that originally used to create the jobs and restricted keys and if yes does the original user still exist

Andrew` Thompson's picture

Hi colin

I edited a job only last week - i am 100% certain no changes have been made to the BE media server since then.

I am logged in as the local admin account on the BE media server - it is the only local account on that machine - and the only account that has ever been logged in. No changes to this account have ever changed - same username/password etc.

The key was created back in 2010 and has been fine right up until now.

Im baffled........

Jaydeep S's picture

Which was the user with which you created this key? Was it the same user as the one who's password has been changed. See f this technote helps

Andrew` Thompson's picture

And even if something did change on the BE media server (which im certain it hasnt) but for arguments sake,

Surely i should still be able to create a new restricted key and assign that to my exisiting jobs?

Its not even allowing me to do that - all i can create is common keys?

Andrew` Thompson's picture

@Jaydeep S

No the local admin account on the BE media server has never been changed. This account is the one that created the key back in 2010.

The account that has had its password changed it 1 of the remote domain user accounts that is used to access BE.

BE media server on its own workgroup - backupserver\administrator - Never changed. Same user/pass. Only account to ever login. Created Encryption key.

Domain 1 - domain1\backupexec - had its password changed.