Overview
A Veeam Immutable Repository is a feature of Veeam Backup & Replication v11 and newer that allows the creation of immutable backups. Immutable backups are protected from being modified or deleted for a specified period, providing a robust defense against ransomware and accidental data loss.
Best Practice Server Requirements
- Ensure the server has multiple CPUs, cores and threads. More cores are better for handling the backup process.
- Ensure you have at least two physical NICs for redundancy and to increase the available bandwidth. A 2x10GB setup is better.
- Use at least 2xSSD and 6xHDD, and create two virtual volumes on the hardware RAID configuration to separate the OS and the backup data as follows:
- [For the operating system] RAID 1 on SSDs with at least 100 GB disk space should be used.
- [For backup data] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
- Internal disk cache must be disabled.
- RAID stripe size should be 128 or 256 KB.
OS Installation
Install Ubuntu Server
For this procedure, the Ubuntu Linux distribution is used to implement the Hardened Repository. Download the latest Ubuntu .ISO file (Ubuntu 24.04 LTS) and boot the machine to run the installation wizard.
- On the Language section, select the language to use and press Enter.
- On the Keyboard section, specify the keyboard layout to use, select Done, then press Enter.
- On the Network Connection section, select the Create Bond option.
- Configure it as follows:
- Name: team0
- Devices: at least use two interfaces
- Bond Mode: select the 802.3ad / LACP item from the drop-down menu.
- XMIT hash policy: Layer2
- LACP Rate: slow
- Click Create
- Highlight the team0 bond we just created and press Enter.
- Select Edit IPv4 and press Enter.
- Select Manual as IPv4 Method and press Enter.
- Fill in all the required IP information, then select Save and press Enter.
This requires the corresponding port-channel on the switch to be configured with LACP as well.
- On the proxy setting, if no proxy is used, select Done and press Enter.
- On the Mirror Address, leave the default value, select Done and press Enter.
- On the Storage Layout section, select Custom storage layout to create a custom partition scheme. Then select Done and press Enter.
- In this example, the storage used has two volumes:
- /dev/sda for the OS
- /dev/sdb for the backup data
- Click on /dev/sda and select Add GPT Partition.
- Leave the Size field blank to use all available space for the partition and select Format to specify the file system. In the example, the ext4 file system was used.
- Size: leave blank
- Format: ext4
- Mount: /
- Select Create and press Enter.
- Now select the second volume, /dev/sdb, and select the Add GPT Partition item.
Note the presence of the new partition type bios_grub in the partition created previously.
- Specify the Size and use xfs as the Format. Create a custom Mount point such as /mnt/veeamrepo.
- Size: leave blank
- Format: xfs
- Mount: /mnt/veeamrepo
- Press Enter to confirm.
XFS with Reflink works in much the same way as ReFS to optimize performance and disk consumption (the size of synthetic copies is smaller and the process is faster). Veeam calls this technology Fast Clone.
- Once the partition scheme is complete, select Done and then press Enter.
- On the confirmation section, select Continue
- On the profile section, enter the Name, Servername, Username and Password and select Done.
- Select the Install OpenSSH Server option to enable SSH. Select Done.
- On the Featured server section, no additional features need to be installed. Select Done and press Enter to start installing the OS.
- The Linux OS is now being installed on the system. Wait for the process to complete.
Configure the repository server.
Log in with the account configured during OS installation.
Update all Linux packages.
sudo apt-get update && sudo apt upgrade
Verify the file system.
Verify the file system used for the partition that Veeam will use to store backup data.
In the example, /mnt/veeamrepo is the dedicated partition and is formatted as xfs.
df -Th
The output:
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext4 300G 24G 18G 8% /
/dev/sdb1 xfs 200T 992M 200T 0.1% /mnt/veeamrepo
Create a local account
You need to create a local account with the correct permissions so that Veeam Transport Service can mount Veeam. Create the new account that will be used by Veeam and set the password.
- Create user.
sudo useradd locveeam --create-home -s /bin/bash
- Create password
sudo passwd locveeam
You need to temporarily enable the new user to run the root commands needed to install the services required by Veeam. The user must then be added to the sudo group.
sudo usermod -a -G sudo locveeam
Configure the mount point
By default, Ubuntu does not enable Reflink when the partition is formatted as XFS during the installation phase.
Veeam requires the file system to be formatted with Reflink enabled in order to take advantage of the Fast Clone feature (Fast Clone is based on Reflink), which optimizes space and performance during Synthetic Full operations.
Access the hardened repository and retrieve the list of disks installed in Ubuntu to identify the disk used as the repository.
sudo fdisk -l
Since the partition was mounted during the installation procedure, you need to unmount the partition first.
sudo umount /mnt/veeamrepo
Once the partition is unmounted, you need to format it with the parameters required by Veeam to take advantage of the Fast-Clone technology: enable reflink and CRC.
sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdb -f
Since the UUID has changed due to the operation performed, you need to get the new UUID and edit the /etc/fstab file to mount the partition automatically.
- Get the new UUID
sudo blkid /dev/sdb
Result
admin@veeam-immutable-1:/home/admin# blkid /dev/sdb
/dev/sdb: UUID="b99581e5-123d-4f85-bebc-7e256c6154f4" BLOCK_SIZE="4096" TYPE="xfs"
- Update the /etc/fstab file with the new UUID.
sudo nano /etc/fstab
- Update it as follows:
# Veeam Immutable Repository mount point
/dev/disk/by-uuid/b99581e5-123d-4f85-bebc-7e256c6154f4 /mnt/veeamrepo xfs defaults 0 0
Reload the configured partitions.
sudo mount -a
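A way to confirm the two things this step depends on, that the new file system really reports reflink and CRC and that /etc/fstab carries the UUID blkid now returns. This is an added example, not part of the original procedure; the function names are hypothetical and the xfs_info sample is constructed.

```shell
#!/bin/sh
# Added example: post-format checks for the repository volume.
# Each helper reads captured command output on stdin, so it also works offline.

# Print the value of one XFS feature flag (reflink, crc, ...) from xfs_info output.
xfs_feature() {
    tr ' ,' '\n\n' | sed -n "s/^$1=//p" | head -n1
}

# Succeed only when both features the procedure enables are reported as 1.
repo_fs_ok() {
    info=$(cat)
    [ "$(printf '%s\n' "$info" | xfs_feature reflink)" = "1" ] &&
        [ "$(printf '%s\n' "$info" | xfs_feature crc)" = "1" ]
}

# Print the UUID an fstab (stdin) uses for mount point $1, for either the
# UUID=<id> or the /dev/disk/by-uuid/<id> spelling; comment lines are skipped.
fstab_uuid() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp {
        sub(/^UUID=/, "", $1); sub(/^\/dev\/disk\/by-uuid\//, "", $1); print $1
    }'
}

# Constructed sample in the layout xfs_info prints (sizes shortened).
SAMPLE_XFS_INFO='meta-data=/dev/sdb   isize=512    agcount=4, agsize=65536 blks
         =           crc=1        finobt=1, sparse=1, rmapbt=0
         =           reflink=1    bigtime=1 inobtcount=1
data     =           bsize=4096   blocks=262144, imaxpct=25'

# The fstab entry from this page.
SAMPLE_FSTAB='# Veeam Immutable Repository mount point
/dev/disk/by-uuid/b99581e5-123d-4f85-bebc-7e256c6154f4 /mnt/veeamrepo xfs defaults 0 0'

printf '%s\n' "$SAMPLE_XFS_INFO" | repo_fs_ok && echo "sample: reflink and crc enabled"
echo "sample fstab UUID: $(printf '%s\n' "$SAMPLE_FSTAB" | fstab_uuid /mnt/veeamrepo)"

# On the repository server, compare live values instead:
#   sudo xfs_info /mnt/veeamrepo | repo_fs_ok || echo "reformat needed"
#   [ "$(fstab_uuid /mnt/veeamrepo < /etc/fstab)" = \
#     "$(sudo blkid -s UUID -o value /dev/sdb)" ] || echo "stale UUID in /etc/fstab"
```

A stale UUID in /etc/fstab makes `mount -a` fail for that entry, so run the comparison before rebooting the server.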
Assign permissions to the mount point
- Grant access permissions on the /mnt/veeamrepo directory to the locveeam user using the following commands:
sudo chown -R locveeam:locveeam /mnt/veeamrepo/
sudo chmod 700 /mnt/veeamrepo
- Check the permissions assigned.
ll /mnt
Result:
drwx------ 2 locveeam locveeam repo-a/
Configure Veeam with Immutable Repository.
Add Immutable Repository to Veeam
- Add the new Linux Server to the Veeam infrastructure. Go to the Backup Infrastructure area and right-click Managed Server.
- Select Add server.
- Select Linux as server type.
- Enter the DNS name or IP address then click Next.
- Click Add and select the Single-use credentials for hardened repository option to avoid storing the credentials in Veeam Backup & Replication.
- Enter the credentials to connect the Linux Repository then click OK.
- When the credentials have been specified, click Next.
- Click Apply.
- When the component has been installed, click Next.
- The new Managed Server has been added successfully. Click Finish to exit the wizard.
Since the Veeam services have been installed, the user locveeam created in the Hardened Repository must be removed from the sudo group. These credentials are not stored in the Veeam Backup & Replication Server.
- Go back to the Linux box and remove locveeam from the sudo group.
sudo deluser locveeam sudo
Create the new repository
- Access the Backup Repositories section and click on Add Repository button.
- Select Direct attached storage.
- Select Linux (Hardened Repository) as operating system.
- Enter a Name for the new Backup Repository then click Next.
- Select the Repository server configured and click Populate. From the listed paths, select the partition configured in the Hardened Repository to store the backups. Click Next.
- Double check if the Path to folder is correct and click Populate to show Capacity and Free space. Enable the following options:
- Use fast cloning on XFS volumes (to take benefit of Fast Cloning technology).
- Make recent backups immutable for “x” days specifying the retention requested.
- Click Next.
- Specify the Mount server to use then click Next.
- Click Apply to continue.
- When the repository has been created, click Next.
- Click Finish to complete the procedure.
- The new Hardened Repository has been created successfully.
Hardening the Immutable backup Repository server.
To better protect your backup data, you should follow these guidelines to strengthen security:
- Use Single-use credentials for hardened repository option during installation to avoid saving credentials in Veeam Backup & Replication.
- Allow SSH connections only from certain IPs, or disable password authentication and use an SSH key instead. Don’t store the private key on the Veeam B&R server, to prevent malicious actors from getting access to the immutable backup repo server.
Follow this guidance to set up the SSH key.
- iDRAC, iLO or other remote management solutions should be separated onto a different VLAN and be accessible only by certain devices.
- The time should be synchronized with a reliable NTP Server to avoid time changes by a potential attacker. Time changes may alter Immutability retention.
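The guidelines above can be checked on the repository server after setup. The following audit is an added example, not part of the original article; the function names and sample values are constructed. It assumes OpenSSH's `sshd -T` output format and includes the keyboard-interactive option as an extra check, because that method can still prompt for a password after PasswordAuthentication is turned off.

```shell
#!/bin/sh
# Added example: audit the hardening items from the list above.
# Inputs are captured command outputs, so the checks can be tested offline.

# Value of one option in `sshd -T` output (stdin); sshd -T prints lowercase keys.
sshd_option() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Succeed if group $1 appears in a space-separated `id -nG` list on stdin.
has_group() {
    tr ' ' '\n' | grep -qx "$1"
}

# $1 = `sshd -T` output, $2 = `id -nG locveeam` output, $3 = NTPSynchronized value.
# Prints one FAIL line per finding and returns non-zero if there is any.
audit_repo() {
    rc=0
    for opt in passwordauthentication kbdinteractiveauthentication; do
        [ "$(printf '%s\n' "$1" | sshd_option "$opt")" = "no" ] ||
            { echo "FAIL sshd: $opt is not 'no'"; rc=1; }
    done
    [ "$(printf '%s\n' "$1" | sshd_option pubkeyauthentication)" = "yes" ] ||
        { echo "FAIL sshd: pubkeyauthentication is not 'yes'"; rc=1; }
    if printf '%s\n' "$2" | has_group sudo; then
        echo "FAIL account: locveeam is still in the sudo group"; rc=1
    fi
    [ "$3" = "yes" ] || { echo "FAIL time: clock is not NTP-synchronized"; rc=1; }
    return $rc
}

# Constructed samples: a hardened host and one that skipped two steps.
GOOD_SSHD='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
BAD_SSHD='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

audit_repo "$GOOD_SSHD" "locveeam" "yes" && echo "sample (hardened): all checks passed"
audit_repo "$BAD_SSHD" "locveeam sudo" "no" || echo "sample (unhardened): needs attention"

# On the repository server:
#   audit_repo "$(sudo sshd -T)" "$(id -nG locveeam)" \
#              "$(timedatectl show -p NTPSynchronized --value)"
```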
Conclusion
Veeam’s Immutable Repository feature is a powerful tool for enhancing data protection strategies. It provides critical defenses against ransomware and other threats by ensuring backup files cannot be tampered with or deleted during the defined retention period. By integrating seamlessly into existing Veeam Backup & Replication workflows, it offers a straightforward yet highly effective solution for securing backup data.