New in Veeam v11: Hardened Repository – Immutable backups [Part 2]

New in Veeam v11: Hardened Repository – Immutable backups [Part 2]

This post is about a new feature in Veeam Backup&Replication v11: Hardened Repository. This means immutable backups. It will massively increase security on repositories. Read here how it behaves.

This post is very detailed. Therefore I split it into two part:


This section give answers to the following questions:

What happens, when…

… removing immutable restore points?
Task starts and ends up with errors. No restore point is removed.

Warning when trying to remove immutable files

… hacker changes date/time on Veeam server to remove files with next backup run?
Excellent question! But it will not work! Configured period of time is checked at Linux server, not at Veeam B&R Server!
[little detail: system time, not hwclock]
So a job running one year in the future will create new files, it cannot delete old ones.

… enabling feature at existing repository, not compatible with hardened repository?
Veeam checks if there are backup jobs configured with an incompatible backup chain. If found, error is shown:

Error with not compatible backups

… changing a backup job writing to immutable repository?
When backup chain is changed to an incompatible one, error is shown:

[Immutability repository requires configured forward
incremental with periodic full backups job settings and
without rollbacks.]

… days for immutability is higher than the number of restore points?
Restore points are kept to the end of the period, defined for immutability. Notice that there is an information message in job log:

Info that files are still immutable

… immutability turned on on repository containing restore points?
In this case immutable flag is set on all files, according immutability period.

… immutability turned off on repository containing immutable backups?
In this case, immutable flags are kept. That makes perfect sense. Otherwise a hacker with backup administrator permissions could disable hardened repository to delete backup files. Notice: new backups are not immutable after disabling the feature.

… trying to remove restore points in GUI on files with immutable flag manually removed?
Interestingly files will not be deleted! Probably because Veeam knows, files should be protected. There will be more details on that after the release of v11.

Cannot remove files even immutable flag is manually removed

… use immutable repository as target for copy job without GFS?
Backup copy jobs requires GFS when copied to immutable repository. If no GFS is set up, error appears.

[Immutability repository requires configured GFS for
backup copy job.

… trying to add a non-immutable repository on a Linux server hosting a immutable repository?

Currently mixing immutable with non-immutable repositories on the same Linux server is not supported. So you get an error:

[There is at least one another repository with enabled immutability on server. Concurrent using Linux server as immutable and mutable repository is not allowed.]

… deploy proxy role on a Linux server with hardened repository?

Does not work in v11. When hardened repository is enabled, server cannot be backup proxy. You get an error when trying:

[Specified Linux server is already used by immutable
repository repository


  • If you want to know the behavior of some other situations, leave a message I will try to test it.

14 responses to “New in Veeam v11: Hardened Repository – Immutable backups [Part 2]”

  1. bg_ranken says:

    Are there any changes to the backup copy job structure in V11 that allow them to be used for these hardened repositories. Currently the only types of jobs that allow for incremental with active/synthetic full would be normal backup job, but ideally it would make sense to allow this same type of behavior on the backup copy jobs.

    • vNote42 says:

      Backup copy jobs are always forward incremental. The reason for GFS restore points will be to be able to just delete files without changing any of them. This would be necessary if you run forward incremental without any additional fulls.

  2. subhasis says:

    Can we leverage S3 immutable storage along with the hardened local repositories for long term retention. The incremental snapshots will be persisted into hardened repo for a day or so then archive into S3 storage which is immutable for long term retention and has a storage level hard immutability.

    If yes, when you so restore , the copies will be restored from S3 or from hardened repo

  3. Tyler Pittman says:

    Hi, I’m labbing this out, and while I can see that the VBKs and VIBs are immutable and can’t be deleted by Veeam’s service account, the VBM file is not immutable, which makes sense, as it needs to be updated every time a new backup is made. The VBM file defines your backup chain though – if the VBM file is lost or encrypted, aren’t your backups toast?

    • vNote42 says:

      Hi Tyler! You are right, it makes perfect sense, VBM file is not marked as immutable.
      Don’t be afraid of your backup files, when VBM file is lost! You can still restore data from it. You can still use Veeam Extract Utility without VBM file. To get restore points back in VBR console you have to import it, rather then rescan the repository.

  4. Zed says:

    I tried with a NAS backup, but it doesn’t seem to work.
    Files can be deleted
    have you tried?

  5. Zane Allyn says:

    Hello ZED

    Easy answer. This feature uses the Extended Attributes on Linux, and these are not supported on the NFS mounted file system.

    • vNote42 says:

      Hardened Repository does not use immutable flags on source-date, instead it uses it on Linux Repository. Therefore it does not matter, if NFS is able to flag files as immutable. You can also backup Windows machines on hardened repo. They do not support this flag at all.

  6. Philipp says:

    Hi. Great post about a great feature 😉
    But how can be “monitored”, that the backup job itself was not modified by a hacker? Any idea?

    • vNote42 says:

      Great question, Philipp!
      Currently I am preparing at least one posts about this. One option is to use VeeamONE, another is to use PowerShell.

Leave a Reply

Your email address will not be published. Required fields are marked *