Video Screencast Help

SSR 2013 Password Protection

Created: 07 Jan 2014 | 3 comments
I have been evaluating a trial version and have created some password protected and encrypted backups.
 
If I double-click one of the .v2i files, I'm prompted to enter the password (as expected).
 
However, if I double-click the .sv21 file, the SSR 2013 Granular Restore Option window opens and I am able to recover the password protected and encrypted files WITHOUT being prompted for a password!!!
 
This is VERY disturbing! Can someone explain this?
 
Alan
 
Operating Systems:

Comments 3 CommentsJump to latest comment

Chris Riley's picture

I wonder if this is the issue you are seeing?

http://www.symantec.com/docs/TECH154882

To confirm this, delete the following file and try again to see if you are asked for a password when opening the sv2i file:

\Documents and Settings\All Users\Application Data\Symantec\RPAM\RPAM_Cache.dat

Gonad's picture

Chris,

That's exactly the problem I'm seeing and it looks like it's been known for several years!

It's a serious security issue for those of us with sensitive data to protect.

I can't believe that Symantec know about it and yet have done nothing to fix it.

BTW I can't find RPAM_Cache.dat anywhere.

Alan

Chris Riley's picture

You are right, this has been an issue for a few years now. I have raised this internally again but ultimately the decision to fix (or not) is out of my control.

One thing that is worth mentioning is this; my understanding is that the password is cached on a per-user basis. In other words, if user A logs in and provides the password, it gets cached. If user B logs into the same machine and tries to access the recovery point, they will be prompted for the password.

I don't know the exact scenario for your environment but maybe this makes it less of a security threat for you. Let me know if you have any additional questions or comments.

Chris