Requirements and Limitations

For the hardened repository, consider the following requirements and limitations.

Linux Server

The role of the hardened repository can be assigned to a Linux machine with local or remotely attached block storage. The machine must meet system requirements for backup repositories.

Note

To reduce the attack surface, use a physical machine with local storage. For RAID configuration, recommendations are the following:

[For the operating system] RAID 1 on SSDs with at least 100 GB disk space should be used.
[For backup data] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
Internal disk cache must be disabled.
RAID stripe size should be 128 or 256 KB.

The Linux distribution must be 64-bit due to Veeam Data Mover requirements. If you use the following Linux distributions, you also need to upgrade Veeam Backup & Replication to version 12.1.2 (build 12.1.2.172):

RHEL 8 and 9 with DISA STIG profile enabled.
Rocky Linux 9 with DISA STIG profile enabled.

The Linux machine file system must support immutable files and extended attributes modified by the chattr and setxattr commands. We recommend using XFS for performance and space efficiency reasons (block cloning support).
As the hardened repository requires the block storage, you cannot use the following storage types:

NFS share or a Linux machine with the mounted NFS volume.
⁠A Linux machine with the mounted SMB (CIFS) volume.

Depending on the Linux distribution, Veeam services use one of the following Linux firewall managers to operate correctly:

firewalld
ufw
iptables
[For IPv6] ip6tables

If none of these firewall managers are installed, make sure that you open all required ports manually. For more information, see Ports.

You must add the Linux machine to the Veeam Backup & Replication console as a managed server. The hardened repository cannot be shared between different Veeam Backup & Replication servers.
The Linux machine should have redundant network connection.
Veeam Agent for Linux must not be installed on the Linux server.

Repository

For the separate directory that you created for the backup data, consider the following:

Both owner and group must be the user account you use to connect to the Linux server.
Directory permissions must be 0700.
Directory must not have a sticky bit.

To store backup files in a repository, use only a forward incremental backup method with enabled active full backup or synthetic full backup. Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, you cannot select a reverse or a forever forward incremental backup method.

For importing a backup, use VBK backup files. Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass.
Veeam Backup & Replication does not support symlinks in the path to the hardened repository.
Only Veeam Data Mover Service child processes can run under the root account on a hardened repository.

Immutability Feature

To use the immutability feature for backup copy jobs, enable the GFS retention policy. For more information, see Long-Term Retention Policy (GFS).

Do not use the immutability feature for a Nutanix Mine infrastructure. As Mine repositories contain thin-provisioned disks, there may be the case when Veeam Backup & Replication uses full storage capacity of a repository and cannot delete backup files from the file system.