To back up Guest OS files with indexing (and application awareness), Veeam needs Admin rights in the Guest OS (Windows and Linux). In Windows this means a Domain Administrator account, and in Linux root access, to perform this type of Backup and also Restore.
In this article we will only focus on the Linux root account.
Since for security reasons most companies will not provide root access to a Backup tool, we can do this by creating a non-root account with a Linux Private Key that will be elevated to the root account.
First we will create the user and the Private Key in Linux.
We will create a Private Key, but also a Passphrase for security reasons.
1. Linux Create User:
Create Private Key: ssh-keygen -C "Key for Veeam Linux user Backup" -O no-x11-forwarding -O no-port-forwarding -O no-agent-forwarding
Use a Passphrase (if you leave it blank, no Passphrase will be used). You will need it later in the Veeam section.
Local user to be configured:
- user name: veeam-linux
- user id: 90
- home: /var/lib/veeam-linux
- SSH key file: /var/lib/veeam-linux/.ssh/authorized_keys
Linux commands to create the local user and key:
adduser -b /var/lib/ -c "Veeam Linux user Backup" -g users -m -u 90 veeam-linux
passwd -l veeam-linux # Prevent login via password
su - veeam-linux
mkdir -p .ssh # Create the directory if adduser did not
chmod 700 .ssh/
-> enter the Public key in .ssh/authorized_keys:
ssh-rsa (public key)== Key for Veeam backup user
-> sudoers entry (as root, edit with visudo):
veeam-linux ALL=NOPASSWD: ALL
After the user is created and the Public Key is added to authorized_keys in your Linux OS, you should use the RSA_key.ppk file (the name that we used) with the Private Key in Veeam.
After we test this user and add the Public Key, and if it is working for Linux Backup jobs, we will use Puppet to distribute the user and Public Key to all our Linux VMs, so that all of them use the same Key in authorized_keys.
Depending on your environment, you can also copy the corresponding Public Key to all your Linux Guests.
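Once the account has been copied to the guests, its SSH files can be checked on each VM before Veeam uses them. The script below is an added example, not part of the original article or of Veeam: it checks the .ssh mode set by the commands above and the authorized_keys permissions. As an assumption that goes beyond the article, it expects the three no-*-forwarding options to appear as per-key options in authorized_keys; the function name audit_backup_account is hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. The function name and
# messages are hypothetical; GNU stat (coreutils) is assumed.

# Options the article passes to ssh-keygen. Assumption: they are also set as
# per-key options at the start of each authorized_keys line (see sshd(8)).
REQUIRED_OPTS="no-x11-forwarding no-port-forwarding no-agent-forwarding"

# audit_backup_account HOME_DIR
# Prints one line per finding; the return status is the number of findings.
audit_backup_account() {
    ssh_dir="$1/.ssh"
    keys="$ssh_dir/authorized_keys"
    findings=0
    if [ ! -d "$ssh_dir" ] || [ ! -f "$keys" ]; then
        echo "FAIL: $keys not found"
        return 1
    fi
    # The article sets .ssh to mode 700.
    mode=$(stat -c %a "$ssh_dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: $ssh_dir is mode $mode, expected 700"
        findings=$((findings + 1))
    fi
    # authorized_keys must not be writable by group or others.
    mode=$(stat -c %a "$keys")
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "FAIL: $keys is mode $mode (group/other writable)"
        findings=$((findings + 1))
    fi
    # First field of a key line is the option list when options are present.
    # Simplification: option values containing spaces are not handled.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        opts=",$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z'),"
        for opt in $REQUIRED_OPTS; do
            case $opts in
                *",$opt,"*) ;;
                *) echo "FAIL: key line lacks $opt"
                   findings=$((findings + 1)) ;;
            esac
        done
    done < "$keys"
    return "$findings"
}

# Example call, using the home directory from the article:
# audit_backup_account /var/lib/veeam-linux
```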
2. Veeam Linux user Configuration:
Next we will create new Linux credentials to use in our Backups.
Open your Veeam Backup & Replication Console; in the upper left corner we can open "Manage Credentials".
Now click Add and choose to add a Linux Private Key.
Next, add the user, using the information from the Linux user and Private Key created in the Linux section.
Add the user created in the Linux Guest OS.
Add the Passphrase used in ssh-keygen.
Use the RSA file extracted from the Linux Private Key.
Since the account will only be elevated to root (it is not a root account), just enable this option.
After these tasks we have a Linux user that will use a Private Key and will be elevated to root in the Linux VM Backups.
After this we will create a job (Linux Backup) to test the Credentials and our Private Key.
In the "Guest Processing" screen we can test our User / Private Key to see if it works when we start the job.
In "Guest OS Credentials" choose the user that we created above. Then click the option "Test Now".
As we can see in the next image, the user was able to connect to the Guest OS and has the right permissions. All tests are green.
After this we can use this user (with the Private Key) to Backup and Restore all our Linux VMs.
In this job example we had only one VM to test this user, but if you have a job only for Linux VMs and you choose this user, it will be set and used for all VMs automatically.
But in case you have some mixed Guest OS jobs (like we have), you should set the user for the Linux VMs.
Just edit your Backup Job and again go to the "Guest Processing" screen. Here, click the "Credentials" option.
Choose the VMs that should use the Linux user and click "Set User" and then "Linux credentials".
Next just click "Add" and choose the Linux user.
After this, all Linux VMs will use that user to Backup and Restore.
After all this you now have a Linux Guest OS user with a Private Key.
I hope this helps you configure this option. If you have any doubts, or need extra help, don't hesitate to contact me, or just reply to this post.
For extra information, please check Veeam Help for this subject HERE
Final Note:
I would like to thank my Linux colleague Philipp van Huellen for helping with the Linux Private Key testing and also for providing the right security configuration on the Linux side using Puppet.
I hope this helps you improve your Veeam Backup Infrastructure, provide more security, and distribute the Linux Backup user/key to all your Linux VMs.