Overview

A Veeam Immutable Repository is a feature of Veeam Backup & Replication v11 and newer that allows the creation of immutable backups. Immutable backups are protected from being modified or deleted for a specified period, providing a robust defense against ransomware and accidental data loss.


Best practice Server Requirement

  • Ensure the server has multiple CPUs, cores and threads. More cores handle the backup process better.
  • Ensure you have at least two physical NICs for redundancy and to increase the available bandwidth. A 2x10GB setup is better.
  • Use at least 2xSSD and 6xHDD, and create two virtual volumes in the hardware RAID configuration to separate the OS and the backup data, as follows:
    • [For the operating system] RAID 1 on SSDs with at least 100 GB disk space should be used.
    • [For backup data] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
    • Internal disk cache must be disabled.
    • RAID stripe size should be 128 or 256 KB.

OS Installation

Install Ubuntu Server

For this procedure, the Ubuntu Linux distribution is used to implement the Hardened Repository. Download the latest Ubuntu .ISO file (Ubuntu 24.04 LTS) and boot the machine to run the installation wizard.

  • On the Language section, select the language to use and press Enter.
  • On the Keyboard section, specify the keyboard layout to use, select Done, then press Enter.
  • On the Network Connection section, select the Create Bond option.
  • Configure it as follows:
    • Name: team0
    • Devices: at least use two interfaces
    • Bond Mode: select the 802.3ad / LACP item from the drop-down menu.
    • XMIT hash policy: Layer2
    • LACP Rate: slow
  • Click Create
  • Highlight team0 we just created and press Enter.
  • Select Edit IPv4 and press Enter.
  • Select Manual as IPv4 Method and press Enter.
  • Fill in all the required IP information, then select Save and press Enter.

This requires the port-channel on the switch to be configured with LACP as well.

  • On the proxy setting, if no proxy is used, select Done and press Enter.
  • On the Mirror Address, leave the default value, select Done and press Enter.
  • On Storage Layout section, select Custom storage layout to create a custom partition scheme. Then select Done and press Enter.
  • In this example, the storage used has two volumes:
    • /dev/sda for the OS
    • /dev/sdb for the Backup data
  • Click on /dev/sda and select Add GPT Partition.
  • Leave the Size field blank to use all available space for the partition and select Format to specify the file system. In the example, the ext4 file system was used.
    • Size: leave blank
    • Format: ext4
    • Mount: /
  • Select Create and press Enter
  • Now select the second volume /dev/sdb and select the Add GPT Partition item.

Note the presence of the new partition type bios_grub in the partition created previously.

  • Specify the Size and use xfs as the Format. Create a custom Mount point such as /mnt/veeamrepo:
    • Size: leave blank
    • Format: xfs
    • Mount: /mnt/veeamrepo
  • Press Enter to confirm.

XFS with Reflink works in much the same way as ReFS to optimize performance and disk consumption (the size of synthetic copies is smaller and the process is faster). Veeam calls this technology Fast Clone.

  • Once the partition scheme is complete, select Done and then press Enter.
  • On the confirmation section, select Continue.
  • On the profile section, enter the Name, Servername, Username and Password and select Done.
  • Select the Install OpenSSH Server option to enable SSH. Select Done.
  • On the Featured server section, no additional features need to be installed. Select Done and press Enter to start installing the OS.
  • The Linux OS is now being installed on the system. Wait for the process to complete.

Configure the repository server.

Log in with the account configured during OS installation.

Update all Linux packages.

sudo apt-get update && sudo apt upgrade

Verify the file system.

Verify the file system used for the partition that Veeam will use to store backup data. In the example, /mnt/veeamrepo is the dedicated partition and formatted as xfs.

df -Th

The output:

Filesystem     Type   Size  Used  Avail  Use%  Mounted on
/dev/sda1      ext4   300G  24G   18G    8%    /
/dev/sdb1      xfs    200T  992M  200T   0.1%  /mnt/veeamrepo

Create a local account

You need to create a local account with the correct permissions so that Veeam Transport Service can mount Veeam. Create the new account that will be used by Veeam and set the password.

  • Create user.
sudo useradd locveeam --create-home -s /bin/bash
  • Create password
sudo passwd locveeam

You need to temporarily enable the new user to run the root commands needed to install the services required by Veeam. The user must then be added to the sudo group.

sudo usermod -a -G sudo locveeam

Configure the mount point

By default, Ubuntu does not enable Reflink when the partition is formatted as XFS during the installation phase. Veeam requires the file system to be formatted with Reflink enabled in order to take advantage of the Fast Clone feature (Fast Clone is based on Reflink), which optimizes space and performance during Synthetic Full operations.

Access the hardened repository and retrieve the list of disks installed in Ubuntu to identify the disk used as the repository.

sudo fdisk -l

Since the partition was mounted during the installation procedure, you need to unmount the partition first.

sudo umount /mnt/veeamrepo

Once the partition is unmounted, format it with the parameters Veeam requires to take advantage of the Fast Clone technology: reflink and CRC enabled.

sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdb -f

Since the UUID has changed due to the operation performed, you need to get the new UUID and edit the /etc/fstab file to mount the partition automatically.

  • Get the new UUID
sudo blkid /dev/sdb

Result

admin@veeam-immutable-1:/home/admin# blkid /dev/sdb
/dev/sdb: UUID="b99581e5-123d-4f85-bebc-7e256c6154f4" BLOCK_SIZE="4096" TYPE="xfs"
  • Update the /etc/fstab file with the new UUID.
sudo nano /etc/fstab
  • Update it as follows:
# Veeam Immutable Repository mount point
/dev/disk/by-uuid/b99581e5-123d-4f85-bebc-7e256c6154f4 /mnt/veeamrepo xfs defaults 0 0

Reload the configured partitions.

sudo mount -a

Assign permissions to the mount point

  • Grant access permissions to the /mnt/veeamrepo directory to the locveeam user using the following commands:
sudo chown -R locveeam:locveeam /mnt/veeamrepo/
sudo chmod 700 /mnt/veeamrepo
  • Check the permissions assigned.
ll /mnt

Result:

drwx------  2 locveeam locveeam repo-a/

Configure Veeam with Immutable Repository.

Add Immutable Repository to Veeam

  • Add the new Linux server to the Veeam infrastructure. Go to the Backup Infrastructure area, right-click Managed Server and select Add server.
  • Select Linux as server type.
  • Enter the DNS name or IP address then click Next.
  • Click Add and select Single-use credentials for hardened repository option to avoid storing the credentials in Veeam Backup & Replication.
  • Enter the credentials to connect the Linux Repository then click OK.
  • When the credentials have been specified, click Next.
  • Click Apply.
  • When the component has been installed, click Next.
  • The new Managed Server has been added successfully. Click Finish to exit the wizard.

Now that the Veeam services have been installed, the user locveeam created on the Hardened Repository must be removed from the sudo group. These credentials are not stored on the Veeam Backup & Replication server.

  • Go back to the Linux box and remove locveeam from the sudo group.
sudo deluser locveeam sudo
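
The state the steps above should leave behind (XFS formatted with reflink and CRC, the mount point owned by locveeam with mode 700, and locveeam no longer in the sudo group) can be checked with a short script. This is an added example, not part of the original guide; the function names and sample text are constructed for illustration, and `audit_repo_host` assumes the guide's own names, /mnt/veeamrepo and locveeam.

```shell
#!/bin/sh
# Added example, not part of the original guide. Each check takes command
# output as text, so it can be tried on the constructed samples below first.

# Succeeds only if `xfs_info` output shows both crc=1 and reflink=1.
xfs_fastclone_ready() {
    printf '%s\n' "$1" | grep -Eq '(^|[ ,])crc=1([ ,]|$)' &&
        printf '%s\n' "$1" | grep -Eq '(^|[ ,])reflink=1([ ,]|$)'
}

# Succeeds only if `stat -c '%U:%G %a'` output is locveeam:locveeam, mode 700.
mount_perms_ok() {
    [ "$1" = "locveeam:locveeam 700" ]
}

# Succeeds if `id -nG locveeam` output still lists the sudo group.
still_in_sudo() {
    case " $1 " in *" sudo "*) return 0 ;; *) return 1 ;; esac
}

# Live audit for the real host (assumes the guide's /mnt/veeamrepo and locveeam).
audit_repo_host() {
    rc=0
    xfs_fastclone_ready "$(xfs_info /mnt/veeamrepo)" ||
        { echo "FAIL: reflink/crc not enabled on /mnt/veeamrepo"; rc=1; }
    mount_perms_ok "$(stat -c '%U:%G %a' /mnt/veeamrepo)" ||
        { echo "FAIL: /mnt/veeamrepo is not locveeam:locveeam mode 700"; rc=1; }
    if still_in_sudo "$(id -nG locveeam)"; then
        echo "FAIL: locveeam is still a member of sudo"; rc=1
    fi
    return "$rc"
}

# Constructed samples shaped like xfs_info output (values are illustrative).
SAMPLE_XFS_GOOD='meta-data=/dev/sdb   isize=512    agcount=4, agsize=65536 blks
         =           crc=1        finobt=1, sparse=1, rmapbt=0
         =           reflink=1    bigtime=1 inobtcount=1'
SAMPLE_XFS_NOREFLINK='meta-data=/dev/sdb   isize=512    agcount=4, agsize=65536 blks
         =           crc=1        finobt=1, sparse=1, rmapbt=0
         =           reflink=0    bigtime=1 inobtcount=1'

xfs_fastclone_ready "$SAMPLE_XFS_GOOD" && echo "good sample: Fast Clone ready"
xfs_fastclone_ready "$SAMPLE_XFS_NOREFLINK" || echo "bad sample: reflink disabled"
still_in_sudo "locveeam sudo" && echo "sample: locveeam still has sudo"
```

On the repository server, call `audit_repo_host` as root after removing locveeam from the sudo group; it returns non-zero if any of the three checks fails.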

Create the new repository

  • Access the Backup Repositories section and click on Add Repository button.
  • Select Direct attached storage.
  • Select Linux (Hardened Repository) as operating system.
  • Enter a Name for the new Backup Repository then click Next.
  • Select the Repository server configured and click Populate. From the listed paths, select the partition configured in the Hardened Repository to store the backups. Click Next.
  • Double check if the Path to folder is correct and click Populate to show Capacity and Free space. Enable the following options:
    • Use fast cloning on XFS volumes (to take benefit of Fast Cloning technology).
    • Make recent backups immutable for “x” days specifying the retention requested.
  • Click Next.
  • Specify the Mount server to use then click Next.
  • Click Apply to continue.
  • When the repository has been created, click Next.
  • Click Finish to complete the procedure.
  • The new Hardened Repository has been created successfully.

Hardening the Immutable backup Repository server.

To better protect your backup data, you should follow these guidelines to strengthen security:

  • Use Single-use credentials for hardened repository option during installation to avoid saving credentials in Veeam Backup & Replication.
  • Allow SSH connections only from certain IPs, or disable password authentication and use an SSH key instead. Don’t store the private key on the Veeam B&R server, to prevent malicious actors from gaining access to the immutable backup repo server.

Follow this guidance to set up the SSH key.

  • iDRAC, iLO or other remote management solutions should be placed on a separate VLAN and be accessible only by certain devices.
  • The time should be synchronized with a reliable NTP Server to avoid time changes by a potential attacker. Time changes may alter Immutability retention.
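
The SSH guideline above can be verified against the effective sshd settings. The following is an added example, not part of the original guide: it audits text in the format printed by `sshd -T` and, being stricter than the guideline's "or", expects both the source-address restriction and key-only logins. The function names and sample settings are constructed, and 192.0.2.10 is a documentation address standing in for the allowed management host.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits effective sshd settings
# in the format printed by `sshd -T` (lowercase keyword, a space, the value).

FINDINGS=0
finding() { echo "WEAK: $1"; FINDINGS=$((FINDINGS + 1)); }

# Print the first value of keyword $2 found in config text $1.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Returns the number of findings (0 means both controls are in place).
audit_sshd() {
    FINDINGS=0
    # Password logins are only off when both of these are "no".
    for key in passwordauthentication kbdinteractiveauthentication; do
        [ "$(sshd_value "$1" "$key")" = "no" ] || finding "$key is not 'no'"
    done
    [ "$(sshd_value "$1" pubkeyauthentication)" = "yes" ] ||
        finding "pubkeyauthentication is not 'yes'"
    # Source restriction: every AllowUsers entry must be user@address.
    entries=$(printf '%s\n' "$1" |
        awk '$1 == "allowusers" { for (i = 2; i <= NF; i++) print $i }')
    if [ -z "$entries" ]; then
        finding "no AllowUsers restriction"
    elif printf '%s\n' "$entries" | grep -qv '@'; then
        finding "AllowUsers entry without a source address"
    fi
    return "$FINDINGS"
}

# Constructed samples of `sshd -T` output (only the relevant keywords).
SAMPLE_WEAK='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'
SAMPLE_HARDENED='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
allowusers locveeam@192.0.2.10'

audit_sshd "$SAMPLE_WEAK" || echo "weak sample: $? finding(s)"
audit_sshd "$SAMPLE_HARDENED" && echo "hardened sample: clean"
```

On the repository server, pass the real settings with `audit_sshd "$(sudo sshd -T)"`.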

Conclusion

Veeam’s Immutable Repository feature is a powerful tool for enhancing data protection strategies. It provides critical defenses against ransomware and other threats by ensuring backup files cannot be tampered with or deleted during the defined retention period. By integrating seamlessly into existing Veeam Backup & Replication workflows, it offers a straightforward yet highly effective solution for securing backup data.