Tips for Enhanced Security of Hardened Repository

In this article

    We recommend to follow the tips below to maximize the repository security and protect your data from different attacks:

    • Change file permissions for authentication certificates on the Linux server, and unwelcome non-root users cannot connect to Veeam Data Mover.

    Use the following commands:

    • To create the folder:

    mkdir -p /opt/veeam/transport/certs

    • To change the folder's owner:

    chown owner:group /opt/veeam/transport/certs

    Both owner and group can be the account that you plan to use to connect to the Linux server.

    • To allow access to the folder for root account and account for Veeam Data Mover functioning:

    chmod 700 /opt/veeam/transport/certs

    You can also use chmod 770  to add same permissions to the group.

    Keep in mind that a hardened repository requires persistent Veeam Data Movers. For Veeam Data Mover to be persistent, you must specify an account with equivalent to root permissions when adding the Linux server to the backup infrastructure.

    Important

    During the deployment of Veeam Data Mover, the account that you plan to use to connect to the Linux server requires read and write permissions on the folder where authentication certificates are stored. Make sure the umask command value is no more restrictive than 022. For more information, see this Veeam KB article.

    For security purposes, the rights of Veeam Data Mover are reduced: SSH connection is necessary only for a deployment of Veeam Data Mover to the Linux server. After Veeam Data Mover is deployed, you can disable SSH, so that backup infrastructure components use server and client certificates for authentication.

    • Deploy Veeam Backup Enterprise Manager on a server different from the Veeam Backup & Replication server to prevent a key change attack. Even if passwords are lost due to unauthorized access, you can restore lost data with the help of Enterprise Manager. For more information, see Decrypting Data Without Password.