Deploying Hardened Repository
Deploying a hardened repository is similar to setting up a Linux backup repository but the hardened repository is an exclusive role on a server with single-use credentials and with enabled Make recent backups immutable for check box.
We recommend to build a hardened repository with both single-use credentials and immutability features to maximize data security. You can still add a repository with single-use credentials but without immutability.
If you want to deploy a hardened repository, perform the following steps:
- Prepare the directory on the Linux server for backups.
- Add the Linux server to the backup infrastructure.
- Add the backup repository role to the Linux server and enable the immutability feature.
If you want to use the Linux repository existing before Veeam Backup & Replication 11, you can upgrade it to the hardened repository.
Create a separate folder where immutable backups will be stored. Allow access to this folder only for the account that you plan to use to connect to the Linux server. Use the following commands:
- To create the folder:
where <folder_path> — path to the folder you are creating.
- To assign the folder's owner:
chown -R owner:group <folder_path>
Both owner and group can be the account that you plan to use to connect to the Linux server.
- To allow access to the folder only for its owner and root account:
chmod 700 <folder_path>
Alternatively, you can use a Linux server that is already added to a backup infrastructure. To add new server, use the New Linux Server wizard. For more information, see Adding Linux Servers.
Pay attention to the following settings at the Step 3. Specify Credentials and SSH Settings:
- Use temporary credentials to avoid storing the credentials in the Veeam Backup & Replication configuration database. To do that, click Add and select Single-use credentials for hardened repository.
- In the Credentials window, within the user account that you plan to use to connect to the Linux server select the Use "su" if "sudo" fails check box. The Elevate account privileges automatically check box is used by default. Both selected check boxes mean if the user is not in the sudoers file you can use su command instead of sudo.
After the user will have temporary root- or sudo-permissions you can remove the user from the sudo group after the server is added. Further, you can use the immutability feature with an existing repository if you have enough rights to use this repository as a user without root credentials. For more information about these check boxes, see Linux Accounts (User Name and Password).
Use the New Backup Repository wizard to add new backup repository. For more information, see Adding Backup Repositories. Pay attention to the following steps:
- In the Add Backup Repository window, select the Direct Attached Storage > Linux type of the backup repository.
- At the Step 4. Configure Backup Repository Settings, select the Make recent backups immutable for check box and specify the immutability time period.
After you added the host (for single-use credentials) or the repository (for persistent credentials), disable SSH connection for the account that you plan to use to connect to the Linux server. If you can work with the server from the console, disable SSH connection for the server itself.
Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, if you want to store backup files in a hardened repository with immutability, you must enable active full backup or synthetic full backup in the backup job settings.
To upgrade the Linux repository existing before Veeam Backup & Replication 11 to the hardened repository, perform the following steps:
- Change access to the folder where immutable backups are stored. Allow access to this folder for the account that you plan to use to connect to the Linux server. Use the following command:
chown -R username:groupname <folder_path>
where <folder_path> — path to the folder.
- Edit server settings and use Single-use credentials for hardened repository at the Step 3. Specify Credentials and SSH Settings.
- Editing settings of the backup repositories and select the Make recent backups immutable for check box and specify the immutability time period at the Step 4. Configure Backup Repository Settings.