Veeam v11: Hardened Repository (Immutability) configuration - pt.2

To protect backups against deletion, overwriting and ransomware, a Hardened Repository must be configured in Veeam v11 to take advantage of the Immutability feature.

Making backups immutable is the most efficient way to protect your business data against intruders and ransomware attacks.

 

Blog Series

Veeam v11: Hardened Repository (Immutability) installation - pt.1
Veeam v11: Hardened Repository (Immutability) configuration - pt.2
Veeam v11: Hardened Repository (Immutability) add MFA - pt.3

 

Configure Veeam repository

Add the new Linux Server to the Veeam infrastructure. Go to the Backup Infrastructure area and right click Managed Server. Select Add server.

Select Linux as server type.

Enter the DNS name or IP address then click Next.

Click Add and select the Single-use credentials for hardened repository option to avoid storing the credentials in Veeam Backup & Replication.

Enter the credentials to connect to the Linux Repository then click OK.

When the credentials have been specified, click Next.

Click Apply.

When the component has been installed, click Next.

The new Managed Server has been added successfully. Click Finish to exit the wizard.

Now that the Veeam services have been installed, the user locveeam created on the Hardened Repository must be removed from the sudo group. These credentials are not stored in the Veeam Backup & Replication Server.

# sudo deluser locveeam sudo

Since SSH is only needed when the Managed Server is created in Veeam, the SSH service can be safely disabled on the Hardened Repository to tighten security.

 

Create the new repository

Access the Backup Repositories section and click the Add Repository button.

Select Direct attached storage.

Select Linux as operating system.

Enter a Name for the new Backup Repository then click Next.

Select the Repository server configured and click Populate. From the listed paths, select the partition configured in the Hardened Repository to store the backups. Click Next.

Double check if the Path to folder is correct and click Populate to show Capacity and Free space. Enable the following options:

  • Use fast cloning on XFS volumes (to take advantage of Fast Cloning technology)
  • Make recent backups immutable for "xx" days, specifying the retention requested

Click Next.

Specify the Mount server to use then click Next.

Click Apply to continue.

When the repository has been created, click Next.

Click Finish to complete the procedure.

The new Hardened Repository has been created successfully.

Create a Backup Job

From the Home area, right click Backup and select Backup > Virtual machine > VMware vSphere.

Enter the Backup Job Name and click Next.

Click Add and select the VMs to back up then click Add. In this example, tags are used.

Click Next.

Select the Hardened Repository as Backup repository and specify the Retention Policy. Keep in mind the retention specified in the Backup Job should be higher than the Immutability retention. Click Next.

You may receive this error.

Click Advanced and check if the Create synthetic full backups periodically option is enabled.

Tick Enable application-aware processing if VMs need VSS processing. Click Next.

Configure the desired Schedule then click Apply.

Select the Run the job when I click Finish option and click Finish to save the Backup Job configuration.

The Backup Job has been created successfully and started.

The Backup Job is being processed.

After a few minutes, the backup completes.

Test Immutability

To test the Immutability, we will now try to delete the backup.

From Backups > Disk, expand the created Backup Job and right click the backed up VM. Select Delete from disk option.

Click Yes to proceed.

As expected, the VM cannot be deleted due to the Immutability feature enabled for the specific job.

Check the Immutability on the Repository

To have a look at how Veeam works with Immutability, log in to the Linux Repository and navigate to the folder of the Backup Job.

Run the following command to see the "i" attribute set on the backup files. This is the flag that makes a file immutable.

# lsattr

For a human-friendly output, run the same command with the -l option at the end:

# lsattr -l

As you can see, all backup files are set as immutable. Only the .VBM file doesn't have this attribute since it needs to be updated by Veeam during the backup sessions.
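
The check above can be automated. The following script is an added example, not part of the original post: it reads lsattr output and lists every file that lacks the "i" flag, skipping the .VBM file as described. The function names and the sample file names are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: list backup files that lack the immutable ("i") attribute.
# Input: `lsattr` output on stdin. Output: offending paths, one per line.

missing_immutable() {
    awk '{
        flags = $1                    # attribute string, e.g. ----i---------e-------
        path = $0
        sub(/^[^ ]+ +/, "", path)     # rest of the line is the path (may hold spaces)
        if (tolower(path) ~ /\.vbm$/) next   # metadata file stays writable (see text)
        if (index(flags, "i") == 0) print path
    }'
}

# Returns 0 when every file is immutable, 1 otherwise (usable from cron).
audit_immutability() {
    unprotected=$(missing_immutable)
    [ -z "$unprotected" ] && return 0
    printf '%s\n' "$unprotected" | sed 's/^/NOT IMMUTABLE: /'
    return 1
}

# Constructed sample; job and file names are made up for illustration.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- ./Daily Job.vm-101D2021-06-20T220000.vbk
----i---------e------- ./Daily Job.vm-101D2021-06-21T220000.vib
--------------e------- ./Daily Job.vm-101D2021-06-22T220000.vib
--------------e------- ./Daily Job.vbm
EOF
}

# Demo on the sample. On the repository, run from the job folder instead:
#   lsattr | audit_immutability
sample_lsattr | audit_immutability || echo "audit failed"
```
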

 

Synthetic Full with Fast-Clone

If the XFS file system was formatted with the Reflink option enabled, Veeam leverages Fast-Clone technology during the Synthetic Full operation, optimizing space and performance.

Secure the Hardened Repository

Once the configuration and backup tests have been completed, the Hardened Repository must be secured to avoid unauthorized access:

  • Make sure the locveeam user is not a member of the sudo group
  • Unplug the Remote Server Management system (iDRAC, iLO, etc.) from the network
  • Disable SSH access to the repository

To disable the SSH service in Ubuntu, from the console run the following commands:

# sudo systemctl disable ssh.service
# sudo systemctl stop ssh.service
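
To confirm the result from the console, the script below (an added example, not part of the original post) checks the two items that can be verified in software: the sudo group membership of locveeam and the state of ssh.service. The function names are assumptions; any SSH state other than disabled or masked at boot and inactive at run time is reported as a finding.

```bash
#!/bin/sh
# Added example: verify the hardening state listed above.
#   $1 = groups of the repository account (output of `id -nG locveeam`)
#   $2 = output of `systemctl is-enabled ssh.service`
#   $3 = output of `systemctl is-active ssh.service`
# Prints one line per finding and returns the number of findings (0 = hardened).
check_hardening() {
    findings=0
    case " $1 " in
        *" sudo "*)
            echo "FAIL: locveeam is still a member of the sudo group"
            findings=$((findings + 1)) ;;
    esac
    case "$2" in
        disabled|masked) ;;
        *)  # enabled, static, empty or unknown: treat as not hardened
            echo "FAIL: ssh.service boot state is '${2:-unknown}'"
            findings=$((findings + 1)) ;;
    esac
    case "$3" in
        inactive) ;;
        *)
            echo "FAIL: ssh.service run state is '${3:-unknown}'"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Collects the live values on the repository and evaluates them.
audit_live() {
    check_hardening \
        "$(id -nG locveeam 2>/dev/null)" \
        "$(systemctl is-enabled ssh.service 2>/dev/null)" \
        "$(systemctl is-active ssh.service 2>/dev/null)"
}

# Run with --live on the repository console; otherwise only defines functions.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```
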

Part 3 will cover how to add MFA to SSH logins if the SSH service cannot be disabled for policy reasons.
