Configuring Security Settings
When you configure the Veeam Agent management infrastructure in Veeam Backup & Replication, you can specify what security settings Veeam Backup & Replication will use to establish a secure connection between the backup server and protected computers. By default, Veeam Backup & Replication offers the following security settings:
- To establish a secure connection between parties, Veeam Backup & Replication uses the default self-signed TLS certificate.
- Veeam Backup & Replication allows all computers that run a Linux OS, except computers with pre-installed Veeam Agents, to establish a connection to the backup server using the SSH fingerprint. To learn more about computers with pre-installed Veeam Agents, see Deploying Veeam Agents Using Generated Setup Files.
Keep in mind that default security settings are only for testing and evaluation purposes. To prevent potential security issues, you can change security settings. For example, you can use a custom TLS certificate and verification of Linux host SSH fingerprints.
To specify the security settings, do the following:
- From the main menu, select Options.
- Click the Security tab.
- In the Certificate section, check information about the currently used certificate. By default, Veeam Backup & Replication uses a self-signed TLS certificate generated during the Veeam Backup & Replication installation process. If you want to use a custom certificate, click Install and specify a new certificate. To learn more, see Managing TLS Certificates.
- In the Linux hosts authentication section, specify how Veeam Backup & Replication will add Linux-based protected computers to the list of trusted hosts. You can select one of the following options:
  - Add all discovered hosts to the list automatically — with this option enabled, Veeam Backup & Replication allows all discovered computers that run a Linux OS to connect to the backup server. This scenario is recommended for demo environments only.
  - Add unknown hosts to the list manually (more secure) — with this option enabled, only the following Linux-based computers can connect to the backup server:
    - Protected computers that have already established a connection to the backup server and have their fingerprints stored in the Veeam Backup & Replication database. Veeam Backup & Replication displays the number of such computers in the Trusted hosts field. You can export the list of trusted Linux computers to a known_hosts file. To do this, click Export and specify a path to the folder to save the file.
    - Protected computers specified in the known_hosts file imported to Veeam Backup & Replication. To import a known_hosts file, click Import and specify a path to the folder where the file resides.
      When you specify a trusted host in the known_hosts file, the entry must follow the same format as entries in the ~/.ssh/known_hosts file. It must include the network name hash, the type of key, and the public key.
      Example of a trusted host entry:
      |1|y/XiVUB2z/ZBb3vuOYm0x9RUiQA=|9zTpxEaAKbGPe7JyS/OyIWvsTz8= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhO7S1tp0EAgainstjkXSAi4a+JIPKnTUpABC8BGyWk9
    - Protected computers added to the list of trusted hosts in the Veeam Backup & Replication console. To learn more, see Adding Computers to Trusted Hosts List.
    Computers that are not in the list of trusted hosts cannot connect to the Veeam backup server and download Veeam Agent for Linux installation packages during discovery.
- Click OK.
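The known_hosts entry format described in the import step can be checked before a file is handed to the Import dialog. The following Python code is an added example, not part of the Veeam documentation or product: it assumes the OpenSSH hashed-host convention (`|1|salt|hash`, where the hash is HMAC-SHA1 of the host name keyed with the salt), and the function names, host name and key bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def parse_entry(line):
    """Return (salt, host_hash, key_type, key_blob) or raise ValueError."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("need hashed host name, key type and public key")
    host, key_type, key_b64 = fields[:3]
    marker = host.split("|")
    if len(marker) != 4 or marker[:2] != ["", "1"]:
        raise ValueError("host name is not hashed (expected |1|salt|hash)")
    try:
        salt, host_hash, blob = (base64.b64decode(v, validate=True)
                                 for v in (marker[2], marker[3], key_b64))
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    if len(host_hash) != hashlib.sha1().digest_size:
        raise ValueError("host hash is not an HMAC-SHA1 digest")
    # The key blob begins with a length-prefixed algorithm name; it must
    # agree with the key type column of the entry.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the public key blob")
    return salt, host_hash, key_type, blob

def matches_host(line, hostname):
    """True if the entry's hash equals HMAC-SHA1(salt, hostname)."""
    salt, host_hash, _, _ = parse_entry(line)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, host_hash)

def make_entry(hostname, key_type, blob, salt):
    """Build a hashed entry (used here only to construct sample input)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    enc = lambda b: base64.b64encode(b).decode()
    return f"|1|{enc(salt)}|{enc(digest)} {key_type} {enc(blob)}"

# Constructed sample: fixed salt and an all-0x11 "public key", not a real host.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x11" * 32
SAMPLE = make_entry("linux01.example.test", "ssh-ed25519", SAMPLE_BLOB, b"\x01" * 20)

if __name__ == "__main__":
    print(SAMPLE, matches_host(SAMPLE, "linux01.example.test"))
```

Running `parse_entry` over every line of a file flags entries with plain-text host names or a key type that disagrees with the key blob, and `matches_host` confirms that a given computer name is actually covered by an entry.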
TIP
To learn more about other security settings available on the Security tab, see the Configuring Security Settings section in the Veeam Backup & Replication User Guide.