Hardened backup repository on Linux distro – Veeam setup

To prevent attackers or insiders destroy your infrastructure backups, you must use something called an immutable backup repository. This rather stranger name means basically that even with admin credentials you cannot delete the backups from that backup repository during certain period of time. It's hardened backup repository on Linux distro.

If you're a victim of an attack and all your infrastructure including backups on traditional backup repositories gets deleted, the backup stored on the hardened backup repository will survive. This is the perfect scenario to send your backup copy jobs to that repository indeed.

With Veeam Backup and Replication, you can configure that option easily. When you add a Linux repository, you can select the Make recent backups immutable check box and specify the time period while backup files must be immutable. During this period, backup files stored in this repository cannot be modified or deleted.

In this post we'll show the necessary steps to achieve the configuration. I'm sure you could find this topic already elsewhere, but for the sake of my notes, for my long term readers and supporters, I wanted to do it myself in the lab. The lab is only a virtual lab (as I'm on the move) so I'm using VMware Workstation with a DC, Veeam Backup and Ubuntu VM. You can find the list of supported Linux distros on Veeam's post here.

Hardened backup repository on linux distro – 3 phases:

1. Install Linux server and configure dedicated accounts, create a backup folder, and set ownership and privileges.
2. Add this Server to Veeam backup infrastructure (via Veeam console)
3. Add the backup repository role to the Linux server and enable the immutability feature.

Step 1: Install the Linux server and create storage directory

We won't go into details on how to install Linux. It's quite different for everyone. We can show the process of creating an account (or using the one which is created when you install Linux). I used an account called “student”.

I created a folder name immutable backup via cmd.

mkdir <folder_path>

where <folder_path> — path to the folder you are creating.

To assign the folder's owner:

chown -R owner:group <folder_path>

To allow access to the folder only for its owner and root account:

chmod 700 <folder_path>

I set ownership and permissions.

Note: Optionally you can create and use XFS partition which allows you to use fast-clone technology. It's not mandatory thought for using immutability. With XFS you can get the block clone features, especially since when you use Forward Incremental with periodic fulls. It will enable faster backup jobs (faster merges) and reduce space consumed when using synthetic full backups.

Create XFS file system on dev/sdb

via this command:

mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdb

I'm sure you can find the info elsewhere if you want to use fast-clone (recommended).

Step 2: Add the server to Veeam Backup infrastructure

Open your Veeam console and navigate to Backup infrastructure > Add Repository > Direct Attached storage > Linux > Add New (provide IP) 

and Add credentials. Pick the Single-use credentials for the hardened repository.

Step 3: Add the backup repository role to the Linux server and enable the immutability feature.

Continue the assistant and check that the installation of the Veeam datamover on the Linux system takes place remotely.

Specify the folder path on the next screen…..

Lastly you can click the Populate button to see the capacity of the storage.

You're done. You have your immutable repository created. You should find this repository within your Veeam backup server allong with all your other repositories.

How does that Veeam Immutability work?

From the docs:

After you add a hardened repository with immutability:

Veeam Backup & Replication creates a .veeam.N.lock file with the information about immutability time period of each backup file in the active chain. The .veeam.N.lock files are stored on a Linux host.

Backup files become immutable for the configured time period (minimum 7 days, maximum — 9999). The immutability period is extended only for the active backup chain. If there are several chains in the backup, then Veeam Backup & Replication does not extend the immutability for old backups in the chain.

After the time period expiration, Veeam Backup & Replication makes backup files non-immutable again so they can be deleted or modified. The count of the immutability period indicated in the backup repository settings starts from the moment the last restore point in the active chain is created.

For example:

The full backup file of the active backup chain was created on January 12. The first increment was created on January 13. The second and last increment was created on January 14.
The immutability period indicated at the backup repository settings is 10 days.

The backup files will be immutable until January 24: the date of the last restore point creation (January 14) + 10 days.

More posts from ESX Virtualization:

• VMware vCenter Converter Discontinued – what’s your options?
• How to upgrade VMware VCSA 7 Offline via patch ISO
• vSphere 7.0 U3C Released
• vSphere 7.0 Page [All details about vSphere and related products here]
• VMware vSphere 7.0 Announced – vCenter Server Details
• VMware vSphere 7.0 DRS Improvements – What's New
• How to Patch vCenter Server Appliance (VCSA) – [Guide]
• What is The Difference between VMware vSphere, ESXi and vCenter
• How to Configure VMware High Availability (HA) Cluster

Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)