Standalone backup agents for Linux, Mac, AIX & Solaris workloads on-premises or in the public cloud
Post Reply
phishpin
Lurker
Posts: 1
Liked: never
Joined: May 03, 2017 6:28 pm
Contact:

in-flight encryption for Veeam Agent for Linux backups?

Post by phishpin »

Does anybody have any ideas on ways to provide in-flight encryption for Veeam Agent for Linux backups? That is, how do I encrypt the NFS or SMB traffic? (If B&R can encrypt in-flight, I'd like to know, but I currently can't afford the license, so I need an NFS or SMB solution.)

I cannot use Kerberized NFS4, so haven't even tried.

Things I've already considered:

Mount SSHFS with a pre-job script and configure Veeam to use that as a "local" repository. I don't like this, because if the SSHFS mounting fails, the path will be on a filesystem I'm trying to back up. Dunno how Veeam might handle that. I can mark the directory immutable to prevent it from being able to write if SSHFS is not mounted, but that just feels janky.

Use SSH port forwarding to tunnel NFS. This lets me use an NFS repository, so I avoid the problem of Veeam trying to do a backup if the target is not actually available. But this feels really janky. And this and SSHFS would require keeping track of SSH keys and is more hassle than I want to commit to.

Use Samba with "smb encrypt = mandatory" for the share. This doesn't seem to work at all. I get access denied messages in my logs, where without that config line, it mounts and backs up just fine. Apparently mount.cifs didn't support encrypted shares until kernel 4.11 [1], which came out Monday!

Alternatively (and preferred), does anybody know if the Veeam agent is going to support native encryption in the client? How is that missing?

[1] https://lists.samba.org/archive/samba/2 ... 07530.html
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: in-flight encryption for Veeam Agent for Linux backups?

Post by PTide »

Hi,
If B&R can encrypt in-flight, I'd like to know, but I currently can't afford the license, so I need an NFS or SMB solution.)
Currently we encrypt disks data that is transmitted between source (VAL) and target (VBR repository) datamovers. Also I'd like to remind you that you don't need a full-blown VBR license to be able to send backups to VBR repository, just install agent license on VBR instead, and select "Encryption" in the "Storage" tab in repository setting.
Dunno how Veeam might handle that
Being unable to write data to the destination the backup job will fail.

Native backup encryption will be added later this year.

Thanks.
Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests