Hardened Immutable Repository
Veeam Backup & Replication allows you to make a hardened immutable repository using a Linux server. A hardened immutable repository protects your backup files from loss as a result of malware activity or unplanned actions with the help of the following features:
- Single-use credentials: credentials that are used only once to add the Linux server to the backup infrastructure. These credentials are not stored in the Veeam Backup & Replication configurations database, so that backups files will be safe even if the Veeam Backup & Replication server is compromised.
- Backup immutability: when you add a Linux repository, you can make backup files immutable for the specified time period by selecting the Make recent backups immutable for check box. During this period, backup files stored in this repository cannot be modified or deleted.
Depending on the combination of these features, there are several types of Linux backup repositories that you can build:
- Standard Linux Repository: a repository added with persistent credentials and the backup immutability is disabled. For more information about a standard Linux backup repository, see Linux Server.
- Hardened Repository: a repository added with single-use credentials and the backup immutability is disabled.
- Immutable Repository: a repository added with persistent credentials and the backup immutability is enabled.
- Hardened Immutable Repository: a repository added with single-use credentials and the backup immutability is enabled.
The Hardened Immutable Repository type is recommended to maximize the data security, so this repository type is used further in the User Guide.
See in this section:
- How Backup Immutability Works
- Supported Job Types
- Limitations and Considerations
- Deploying Hardened Immutable Repository
After you deploy a hardened immutable repository:
- The veeamimmureposvc service creates .veeam.N.lock file with the information about immutability time period of each backup file in the active chain. Files .veeam.N.lock are stored on the Linux host.
- Backup files become immutable for the configured time period (minimum 7 days, maximum — 9999). The immutability period is extended only for the active backup chain. If there are several chains in the backup, than Veeam Backup & Replication does not extend the immutability for old backups in the chain.
- After the time period expiration, the veeamimmureposvc service makes backup files non-immutable again so they can be deleted or modified.
The count of the immutability period indicated in the backup repository settings starts from the moment the last restore point in the active chain is created. For example:
- The full backup file of the active backup chain was created on January 12. The first increment was created on January 13. The second and last increment was created on January 14.
- The immutability period indicated at the backup repository settings is 10 days.
- The backup files will be immutable until January 24: the date of the last restore point creation (January 14) + 10 days.
A hardened immutable repository supports backup files created with the following types of jobs:
- VMware, Hyper-V VM backup jobs and backup copy jobs created by Veeam Backup & Replication
- Backup copy jobs created by Veeam Backup for Azure, Veeam Backup for AWS and Veeam Backup for Google Cloud Platform
- Physical machines backup jobs created by Veeam Agents (Windows, Linux, MAC, AIX, Solaris)
- vCD VM backup jobs
- VeeamZIP backup jobs
- Nutanix AHV VM backup jobs created by Veeam Backup for Nutanix AHV
You can store backup files and backup copy files of NAS backup jobs, transaction log backup jobs, RMAN/SAP HANA/SAP on Oracle backups jobs in a hardened immutable repository, but these files will not be immutable.