Change Expiration date of restore points in Veeam Hardened Repository (v11 and v11a)

Change Expiration date of restore points in Veeam Hardened Repository (v11 and v11a)

This post is about a feature of the Veeam Hardened Repository. It is about the ability to extend the immutable time of existing restore points. Veeam made this possible by using PowerShell. See here how to change expiration date of restore points in Veeam Hardened Repository and what’s new in v11a.

Extend expiration date

To extend expiration date the PowerShell cmdlet Set-VBRImmutabilityLockExpirationDate is used. First select the restore point(s) you want to change immutability expiration date. To show all restore points of a specific VM in a job you can run for example:

Get-VBRRestorePoint -Backup immu_job_01 -Name VM02

Here backup job name is Immu_Job_01 and VM is called VM02. I will change the date for the first – the oldest – restore point in the list. To work with it I save it in $RestorePoint:

$RestorePoint = (Get-VBRRestorePoint -Backup immu_job_01 -Name VM02)[0]

Show the current expiration date by running this command: 

$RestorePoint.getstorage().ImmutableTillUtc

We see, current ImmutableTilldate is 1st October 2021. In my example I change the date to the end of 2030:

$ExpDate = Get-Date -Year 2030 -Month 12 -Day 31
Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ExpirationDate $ExpDate

Really simple, isn’t it? When you are happy with it you can stop reading. If you ask yourself whether this does destroy the entire immutability, read on.

What happens when the bad guy tries to shorten immutable period. For example:

Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ExpirationDate $(Get-Date)

Good news: the guy will see this:

Okay, does not work!

Shorten expiration date

In v11 it is not possible to shorten the immutability period of a restore point. But: this is possible in v11a! It is still not possible to set any date before the actual one. But you can reset to original date:

Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ToOriginal

(Note: I changed restore point [1] after the update to v11a)

Important: Currently it is not possible to reset the date to the original if it has been extended prior to v11a!

Important: If original date already passed, it will be reset to current date + immutable period of repository. So, to shorten the period changed before, go to original date and change to new desired date.

Some more details

Veeam saves immutability information of restore points in two locations on the repository server. First in a .lock file in the directory of the restore points. This file is in XML format. Second, as file attribute of each backup file. You can show this information by running linux command getfattr -d filename. Fileattribute is called user.immutable.until and looks like this:

When extending immutable time, .lock file gets changed. With v11a a new tag was introduced: <ExtendedImmutableTillUtc>. When immutable time is extended, .lock file looks like this:

<File Name="VM02.vm-6058D2021-09-11T220637_E65E.vbk" ImmutableTillUtc="2021-10-08 21:56:39" Finalized="true">
	<ExtendedImmutableTillUtc>
		<ExtendedImmutableTillUtcWithOib OibId="68a71f90-b06d-4259-b4b0-71bf4dcef563" ExtendedImmutableTillUtc="2099-12-30 23:46:00" />
	</ExtendedImmutableTillUtc>
</File>

When date never was changed respectively reset to original, file is described like this:

<File Name="VM02.vm-6058D2021-09-11T220637_E65E.vbk" ImmutableTillUtc="2021-10-08 21:56:39" Finalized="true" />

Notes

Leave a Reply

Your email address will not be published. Required fields are marked *