How To Deploy Hardened Repository

In this article

    Before you deploy a hardened backup repository, check limitations and considerations.

    General recommendations to maximize the repository security:

    • Add a Linux server that you want to use as a backup repository under non-root credentials.
    • Use a newly-added host, not an old repository.
    • Use single-use credentials for a hardened repository. If the Veeam Backup & Replication is compromised, the attacker will not be able to connect to the host because single-use credentials are not stored in the Veeam Backup & Replication database.
    • Disable SSH connection on a hardened repository or disable specific users so that they do not have an access via SSH.

    Step-by-Step Walkthrough

    If you want to deploy a hardened repository, perform the following steps:

    1. Prepare the directory on a Linux server for backups.
    2. Add the Linux server to Veeam & Backup Replication infrastructure.
    3. Add the backup repository role to the Linux server and enable the immutability option.

    Step 1. Prepare Directory on Linux Server for Backups

    Create a separate folder where immutable backups will be stored. Allow access to this folder only for the account that you plan to use to connect to the Linux server. Use the following commands:

    mkdir <folder_path>

    chown -R owner:group <folder_path>

    chmod 700 <folder_path>

    where <folder_path> — path to the folder you are creating.

    Both owner and group can be the account that you plan to use to connect to the Linux server.

    Step 2. Add Linux Server to Backup Infrastructure

    Alternatively, you can use a Linux server that is already added to the backup infrastructure.

    To add new server, use the New Linux Server wizard. For more information, see Adding Linux Servers. Pay attention to the following settings at the Step 3. Specify Credentials and SSH Settings:

    • Use temporary credentials to avoid storing the credentials in the Veeam Backup & Replication database. To do that, click Add and select Single-use credentials for hardened repository.
    • In the Credentials window, within the user account that you plan to use to connect to the Linux server, select the Elevate account privileges automatically and the Use "su" if "sudo" fails check boxes. Further you can use the immutability option with an existing repository if you have enough rights to use this repository as a user without root credentials. For more information, see Linux Accounts (User Name and Password).

    Step 3. Add Backup Repository Role to Linux Server and Enable Immutability Option

    Use the New Backup Repository wizard to add the backup repository. For more information, see Adding Backup Repositories. Pay attention to the Step 4. Configure Backup Repository Settings: select the Make recent backups immutable for check box and specify the immutability period.

    After you added the host (for single-use credentials) or the repository (for persistent credentials), disable SSH connection for the account that you plan to use to connect to the Linux server. If you can work with the server from the console, disable SSH connection for the server itself.


    Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, if you want to store backup files in a hardened repository, you must enable active full backup or synthetic full backup in the backup job settings.