Hardened Immutable Repository

    Veeam Backup & Replication allows you to make a hardened immutable repository using a Linux server. A hardened immutable repository protects your backup files from loss as a result of malware activity or unplanned actions with the help of the following features:

    • Single-use credentials: credentials that are used only once to add the Linux server to the backup infrastructure. These credentials are not stored in the Veeam Backup & Replication configuration database, so backup files remain safe even if the Veeam Backup & Replication server is compromised.
    • Backup immutability: when you add a Linux repository, you can make backup files immutable for the specified time period by selecting the Make recent backups immutable for check box. During this period, backup files stored in this repository cannot be modified or deleted.

    Depending on the combination of these features, there are several types of Linux backup repositories that you can build:

    • Standard Linux Repository: a repository added with persistent credentials and with backup immutability disabled. For more information about a standard Linux backup repository, see Linux Server.
    • Hardened Repository: a repository added with single-use credentials and with backup immutability disabled.
    • Immutable Repository: a repository added with persistent credentials and with backup immutability enabled.
    • Hardened Immutable Repository: a repository added with single-use credentials and with backup immutability enabled.

    Tip

    The Hardened Immutable Repository type is recommended to maximize data security, so this repository type is used further in the User Guide.

    How Backup Immutability Works

    After you deploy a hardened immutable repository:

    1. The veeamimmureposvc service creates a .veeam.N.lock file with information about the immutability time period of each backup file in the active chain. The .veeam.N.lock files are stored on the Linux host.
    2. Backup files become immutable for the configured time period (minimum 7 days, maximum 9999). The immutability period is extended only for the active backup chain. If there are several chains in the backup, then Veeam Backup & Replication does not extend the immutability for old backups in the chain.
    3. After the time period expires, the veeamimmureposvc service makes backup files non-immutable again so they can be deleted or modified.

    The immutability period specified in the backup repository settings is counted from the moment the last restore point in the active chain is created. For example:
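
The following Python model is an added illustration, not taken from the Veeam guide or from Veeam code. It computes when each file stops being immutable under the rule above, so you can see which restore points are still protected on a given date. The file names, chain labels and dates are constructed, and it assumes that an old chain keeps the expiry it had when its own last restore point was created.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DAYS, MAX_DAYS = 7, 9999  # limits stated in the guide, taken as days


def immutable_until(restore_points, period_days):
    """Map each backup file to the time its immutability ends.

    restore_points: iterable of (file_name, chain_id, created) tuples.
    Assumption: a chain is no longer extended once a newer chain exists, so
    every file in a chain expires at that chain's last restore point + period.
    """
    if not MIN_DAYS <= period_days <= MAX_DAYS:
        raise ValueError(f"period must be {MIN_DAYS}..{MAX_DAYS} days")
    last_point = defaultdict(lambda: datetime.min)
    for _, chain, created in restore_points:
        last_point[chain] = max(last_point[chain], created)
    period = timedelta(days=period_days)
    return {name: last_point[chain] + period for name, chain, _ in restore_points}


def still_immutable(restore_points, period_days, now):
    """Return sorted names of files that cannot be modified or deleted at `now`."""
    expiry = immutable_until(restore_points, period_days)
    return sorted(name for name, until in expiry.items() if now < until)


# Constructed sample: an old chain (A) and the active chain (B).
SAMPLE = [
    ("jobA_full.vbk", "A", datetime(2024, 1, 1, 22, 0)),
    ("jobA_inc1.vib", "A", datetime(2024, 1, 2, 22, 0)),
    ("jobB_full.vbk", "B", datetime(2024, 1, 8, 22, 0)),
    ("jobB_inc1.vib", "B", datetime(2024, 1, 9, 22, 0)),
    ("jobB_inc2.vib", "B", datetime(2024, 1, 10, 22, 0)),
]

if __name__ == "__main__":
    for name, until in sorted(immutable_until(SAMPLE, 7).items()):
        print(f"{name:16} immutable until {until:%Y-%m-%d %H:%M}")
    # The full backup of chain B was created on Jan 8 but stays locked as long
    # as the newest increment; chain A has already expired by Jan 12.
    print(still_immutable(SAMPLE, 7, datetime(2024, 1, 12, 0, 0)))
```

In this model the full backup of the active chain outlives its own creation date plus the period, while the older chain becomes deletable first, which is the window to account for when sizing retention against the immutability setting.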

    Supported Job Types

    A hardened immutable repository supports backup files created with the following types of jobs:

    Important

    You can store backup files and backup copy files of NAS backup jobs, transaction log backup jobs, and RMAN/SAP HANA/SAP on Oracle backup jobs in a hardened immutable repository, but these files will not be immutable.