Veeam · Infrastruttura · YoctoIT tech page

Hardened Repository

The immutable Linux repository: the backup ransomware can't encrypt nor delete — not even with the right credentials.

FOCUS · THE UNTOUCHABLE COPYXFS immutability and zero access: the safe inside your data center
YoctoIT material for clients and partners · Veeam, Kasten, Coveware and the other products mentioned are trademarks of Veeam Software.
01 · What it is

Hardened Repository, made clear.

Modern ransomware hunts the backups BEFORE encrypting production. The Hardened Repository is the answer: a Linux server with filesystem-level immutability (XFS) — for the set period, the backups can't be touched: not by the attacker, not by a compromised administrator, not by Veeam itself. From v13, also a ready appliance.

Immutabile
the XFS flag: the backup file untouchable until expiry
No-root
no permanent credentials: the access that can't be stolen
93%
of the attacks hits the backups: this is the countermove
Hardened Repository
OFFICIAL VEEAM BRANDING · HARDENED REPOSITORY
CONSOLE REALE · HARDENED REPOSITORY (IMMUTABILITA) · FONTE: VEEAM
REAL CONSOLE · HARDENED REPOSITORY (IMMUTABILITY) · SOURCE: VEEAM
02 · How to use it well

The things that make the difference.

The safe

The production backupsthe copies that count
XFS immutability
Single-use access
Compliance clock
armored · keyless · timed
Hardened Linux (or the v13 appliance)the hardened base
Inside your perimeterthe safe at home
The backup that can't be betrayed

Textbook hardening

DISA STIG, minimal services, MFA on the console: the repository hardened for real, not halfway.

Thought-out retention

Immutability tuned on risk and capacity: long enough to cover the sleeping attack.

Network isolation

A dedicated segment and minimal flows: the safe doesn't chat with the rest of the network.

Tampering tests

We try to delete (without succeeding): the verification that the immutability is real.

03 · In depth

Linux immutability: how it armors the copies

The Hardened Repository is a Linux server (also the preconfigured Veeam ISO) with XFS and the immutable flag: the backups can't be deleted nor encrypted for the set period, the credentials are single-use (not saved), SSH switches off after the deploy, the single-use-credentials compliance prevents a compromised domain from reaching the copies; with XFS block cloning the synthetic fulls stay instant; it's the '1 offline/immutable' piece of the 3-2-1-1-0.

  • Flag immutable — the filesystem that refuses deletion: not even root during the period
  • Credenziali monouso — not persisted in VBR: the breached domain doesn't reach here
  • ISO hardened — the deploy already armored: DISA STIGs applied from the factory
  • XFS block cloning — immutable AND fast: the synthetic fulls without a physical copy
  • SSH off — the surface reduced to a minimum after the setup
  • Compliance mode — the timer nobody shortens: the guarantee for the auditors
04 · Numbers and lifecycle

The numbers that matter.

0
deletions possible during the lock period
7-30
the typical days of operational immutability
x86
any hardware: the armor is software
NIS2
the protected-copies requirement: covered
The last line of defense must be built well: hardened repo, segregated network and restore tests — the ransomware finds the wall.
05 · Use cases

Where it really pays off.

Anti-ransomware

The last line that holds when everything falls.

Compliance NIS2

The immutable copy required, with evidence.

Insider threat

Not even the unfaithful admin deletes the history.

The copy nobody can touch is the one that saves you: we build it by the book — all of it.