Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Password protected tapes.

Created: 31 Dec 2012 • Updated: 07 Feb 2013 | 9 comments
This issue has been solved. See solution. challenge.  I inserted an old tape full backup of my previous file server shares to inventory and catalog to test that I can indeed pull data from the old tapes and I got the following error "The password provided in the job properties does not match the password for this media."  We/I (inherited the old configuration) did not password protect the tapes unless it was automatcially applied by BEX10d when new tapes were added to the media set during preconfigured backup jobs ...configured by my predecessor.  I don't think so b/c i have worked with these tapes before to do restores and did not require to enter a password.  

I came across a users having the same error and they were referred to TECH194494.  Is the only work around?  If so, i'd need some clarification.  I don't understand in the solution how runnnig the commands from the BEMCLI circumvents the password prompt issue for the tape in BEX2012.  Can anyone explain the commands (eg. "enter password on the blank line" then "use the $pass variable in the catalog job"..get-bemedia B2D000031??).  "To catalog backup to disk media", B2D, does not seem to refer to Tape media or restore from tape media.


Comments 9 CommentsJump to latest comment

pkh's picture

Do take note of what Colin Weaver has to say about password protected tapes in this discussion


The $pass line is to set up the secure string for the password.  When you enter the command as stated in the article, you will get a prompt (blank line).  You enter the password and now $pass is a Powershell secure string which contains your password.  This string is then used in the next line.  B2dxxx is a representative media.  You would substitute your tape label here

ksdst1's picture

Ok....So I am still unclear about the old BEX 10d system I inheritted in regard to possible password protection vs. possible encryption and how that maybe affecting trying to catalog tapes produced by that setup on my newly fresh (not upgraded) install of BEX 2012 on the new file server and being prompted for a password.  

When my predecessor left, I continued to use the same backup scheme and never had to enter a media password to either run the existing backup jobs (full/incemental/differential) nor did I have to enter a media password when I had to restore some data from tapes.  Given this, can I rule out that the tapes were/are password protected?  

If so, after reading TECH194494 and other entries here, I get the impression that there could be an issue with tape media from BEX 10d originally having used encryption causing the prompt when trying to calaogue with BEX 2012, and thus the message to enter a media password.  Is this correct and if so, does this apply to both software encryption and hardware encryption in BEX 10d? I 99.9% sure, without currently looking at it, that the BEX 10d schema didn't include software encryption but may have included hardware.

My predecessor did not leave either a tape media password nor an encryption password.  If it is a matter or a hardware encryption issue in BEX 10d that is propting the need for a password when cataloging in BEX2012, could/would the password be tied to the "winodws user account" that was used when configuring the original backup jobs?  

Lastly, I still have the original file server w/ BEX 10d (less the tape drive that I pulled but I can re-install it).  Would it be majorly helpful to have a look at the old backup schema?  It's not the easiest b/c I'd have to shut down the new file server in order to rename the old one back to it's orignal name and maybe re-add it to the domain.  Right now when I log in locally to the server with it's new name, I can't access BEX w/ the error "BEX services are not running" that does not change when I enter log in credentials there at the prompt.   I assume this is the case b/c the BEX db and such where running under the original server name and not it's new name or log in account.


pkh's picture

Password protected tape is different from encrypted tape.  It would be helpful to know what was used in your BE 10d installation.  If it is encryption (hardware or software), you would be prompted for the encryption passphrase when you try to use it.  You just need to enter the pass phrase and you would be able to use the tape.  Better still, just create an encryption key with the passphrase in BE 2012.  if you can use the tape without being prompted, then you are home free.  Otherwise, you are probably dealing with a password protected tape.

Colin Weaver's picture

For info I believe Encryption was introduced in version 11.x so 10D would be tape passwords. As such if the customers jobs were created on 10.x and never recreated during the upgrade processes then any tape password in the job configuiration in 10D will still be applied.

pkh's picture

Thanks.  I do not know the history of encryptioin.  If I am not mistaken, the user did a fresh install of BE 2012 and the tapes are from BE 10d.  As such, the tape will definitely be password protected, rather than encrypted.  There is no need for him to load BE 10d to check whether the tapes are password protected or encrypted.

Colin Weaver's picture

OK so back to OP problem

The tapes appear to have a password that would have come from the job configuration (not the media set configuration) of the previous installation.

The reason you do not need a password when you did the restore before is that you were stil using 10.x ( and the tapes were still inventoried and cataloged on the system). The 10.x (or earlier) password mechanism protects the media header and the catalog access, once you have the catalog the data is accessible.

You will need the password that was applied to the backups to use TECH194494 as that article does not circumvent the password it circumvents the fact that you have no where to enter the password in the BE 2012 admin console by giving you a command line way to enter it.

My guess from the way you posted is that because you did not know the password was applied to the tapes that you also do not know the password which then means you cannot use TECH194494

Backup Exec does not have a way to bypass the password on a tape, however the tape password is NOT encryption as such a data recovery company should be able to retrieve data from those tapes or if you have the 10.x database and catalogs folder you may be able to recover the data using this (with a 10.x media server)

ksdst1's picture

Great info all and Tnx!!  I have just gotten back to this post after a bunch of fact finding measures.  I have imaged the original file server system and have it running on a test machine.  In 10d there is a media password "check box" option within the job desctiption dialog box.  All the jobs that were set in my inherited BE setup had the check box ticked, therefore the tapes are password protected.  Without having the schema visible earlier, I was getting encryption and compresion mixed up.  Compression was set to hardware if possible-no software.  Given this and that I don't know the media password that was set for the jobs I think I will try to go through the long upgrade process through previous version to try and eventually get to BE 2012 with original catalogs intact thus eliminating my need to "re-catalog" in BE2012 and being prompted for a media password.....hopefully this will succeed to be able to pull data from the tapes even if i don't still know the original media password.....does this seem feasible?


Colin Weaver's picture

That does seem feasible - however when going through this upgrade process only use it for restore capability. Delete and recerate any backup the jobs which will remove the password that a) you do not know) and b) you did not know was part fo teh job configuration.


do this on a test server for restore purposes and keep your current production server (but still completely recreate any jobs that might have a hidden password buried in them.)

ksdst1's picture

Tnx for the response....i take your point.  I am hoping to only "upgrade" the catalogs to BE 2012 so that I can migrate them to my BE 2012 production server.  

I'd love to use your second suggestion but unfortunately I only have the one tape drive that I can not pull from the production server and connect it to the test server without causing a lot of pain.