Deploying Hardened Repository
Deploying a hardened repository is similar to setting up a Linux backup repository. The hardened repository is an exclusive role on a server with single-use credentials and with the Make recent backups immutable for check box selected.
You can configure the hardened repository to meet the requirements of Securities and Exchange Commission (SEC) Rule 17a-4(f), Financial Industry Regulatory Authority (FINRA) Rule 4511, and Commodity Futures Trading Commission (CFTC) Rule 1.31(c)-(d). For more details, see Protect against Ransomware with Immutable Backups: a Veeam Guide and Veeam Backup & Replication Compliance assessment report.
- We recommend that you build a hardened repository with both single-use credentials and immutability features to maximize data security. You can still add a repository with single-use credentials but without immutability.
- We recommend that you avoid mixing mutable and immutable extents within one scale-out backup repository. You can mix them only during migration scenarios when you want to make a hardened repository from an existing Linux extent.
- For importing a backup, we recommend that you use VBK backup files. Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass.
- We do not recommend that you use the immutability feature for a Nutanix Mine infrastructure. As Mine repositories contain thin-provisioned disks, there may be cases when Veeam Backup & Replication uses the full storage capacity of a repository and is not able to delete backup files from the file system.
If you want to deploy a hardened repository, perform the following steps:
- Prepare the directory on the Linux server for backups.
- Add the Linux server to the backup infrastructure.
- Add the backup repository role to the Linux server and enable the immutability feature.
If you want to use a Linux repository that existed before Veeam Backup & Replication 11a (build 22.214.171.1241), you can upgrade it to the hardened repository.
Create a separate folder where immutable backups will be stored. Allow access to this folder only for the account that you plan to use to connect to the Linux server. Use the following commands:
- To create the folder:
where <folder_path> — path to the folder you are creating.
- To assign the folder's owner:
chown -R owner:group <folder_path>
Both owner and group can be the account that you plan to use to connect to the Linux server.
- To allow access to the folder only for its owner and root account:
chmod 700 <folder_path>
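The folder preparation above combined with a verification step, as an added example that is not part of the Veeam documentation. The function names are hypothetical, `mkdir -p` is assumed for the create step, and the audit relies on GNU `stat`:

```shell
#!/bin/sh
# Added example, not Veeam's code. Function names are hypothetical.

# Create the backup folder and restrict it to a single account.
# $1 = folder path, $2 = owner, $3 = group
prepare_repo_dir() {
    mkdir -p -- "$1" || return 1
    chown -R "$2:$3" -- "$1" || return 1
    chmod 700 -- "$1"
}

# Return 0 only if the folder is a real directory (not a symlink),
# is owned by the expected account, and has mode 700.
# $1 = folder path, $2 = expected owner (user name or numeric UID)
audit_repo_dir() {
    dir=$1; want=$2; rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a plain directory" >&2
        return 1
    fi
    mode=$(stat -c '%a' -- "$dir")   # octal permissions (GNU stat)
    name=$(stat -c '%U' -- "$dir")   # owner name
    uid=$(stat -c '%u' -- "$dir")    # owner numeric UID
    if [ "$mode" != "700" ]; then
        echo "FAIL: mode is $mode, expected 700" >&2; rc=1
    fi
    if [ "$name" != "$want" ] && [ "$uid" != "$want" ]; then
        echo "FAIL: owner is $name ($uid), expected $want" >&2; rc=1
    fi
    return "$rc"
}

# Usage (run as root; path and account are placeholders):
#   prepare_repo_dir <folder_path> owner group && audit_repo_dir <folder_path> owner
```

Running `audit_repo_dir` again after the repository is in service catches permissions that have drifted from `700` or a folder that was replaced by a symlink.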
You can use a Linux server that is already added to the backup infrastructure. To add a new server, use the New Linux Server wizard. For more information, see Adding Linux Servers.
Pay attention to the following settings at Step 3. Specify Credentials and SSH Settings:
- Use temporary credentials to avoid storing the credentials in the Veeam Backup & Replication configuration database. To do that, click Add and select Single-use credentials for hardened repository.
- In the Credentials window, for the user account that you plan to use to connect to the Linux server, select the Use "su" if "sudo" fails check box. The Elevate account privileges automatically check box is selected by default. With both check boxes selected, if the user is not in the sudoers file, you can use the su command instead of sudo.
If you grant the user temporary root or sudo permissions, you must remove the user from the sudo group after the server is added. Further, you can use the immutability feature with an existing repository if you have enough rights to use this repository as a user without root credentials. For more information on these check boxes, see Linux Accounts (User Name and Password).
Use the New Backup Repository wizard to add a new backup repository. For more information, see Adding Backup Repositories. Note the following steps:
- In the Add Backup Repository window, select the Direct Attached Storage > Linux type of the backup repository.
- At Step 4. Configure Backup Repository Settings, select the Make recent backups immutable for check box and specify the immutability time period.
After you have added the host (for single-use credentials) or the repository (for persistent credentials), disable the SSH connection for the account that you plan to use to connect to the Linux server. If you can work with the server from the console, disable the SSH connection for the server itself.
The corresponding Linux host should not be used twice in the database:
- If you use single-use credentials, the host where the repository resides cannot have any other role. This includes the proxy, file server, gateway server, etc.
- If you use persistent credentials, the host where the repository resides cannot have the proxy role, and the file server role is not recommended.
To upgrade a Linux repository that existed before Veeam Backup & Replication 11a to the hardened repository, perform the following steps:
- Change access to the folder where immutable backups are stored. Allow access to this folder for the account that you plan to use to connect to the Linux server. Use the following command:
chown -R username:groupname <folder_path>
where <folder_path> — path to the folder.
- Edit the server settings and use Single-use credentials for hardened repository at Step 3. Specify Credentials and SSH Settings.
- Edit the settings of the backup repository: select the Make recent backups immutable for check box and specify the immutability time period at Step 4. Configure Backup Repository Settings.