Change Expiration date of immutable restore points (in v11 and v11a)


Userlevel 7
Badge +6
  • Veeam Legend, Veeam Vanguard
  • 771 comments

Another post about my favorite feature in v11: Hardened Repository. This time it is about the ability to change the expiration date of already immutable restore points. Veeam made this possible by using PowerShell. The corresponding command is: Set-VBRImmutabilityLockExpirationDate. This post is about how to use it.

Select the restore point you want to change immutability expiration date. To show all restore points of a specific VM in a job you can run for example:
Get-VBRRestorePoint -Backup immu_job_01 -Name VM02

Here backup job name is Immu_Job_01 and VM is called VM02. I will change the date for the first - the oldest - restore point in the list. To work with it I save it in $RestorePoint:

$RestorePoint = (Get-VBRRestorePoint -Backup immu_job_01 -Name VM02)[0]

Show the current expiration date by running this command: $RestorePoint.getstorage().ImmutableTillUtc  
 

We see, current ImmutableTilldate is 1st October 2021. In my example I change the date to the end of 2030:

$ExpDate = Get-Date -Year 2030 -Month 12 -Day 31

Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ExpirationDate $ExpDate  
 

 

Really simple, isn't it? When you are happy with it you can stop reading. If you now ask yourself whether this does destroy the entire immutability, read on.

What happens when the bad guy runs this command. For example:

Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ExpirationDate $(Get-Date)

Good news: the guy will see this:

Okay, does not work! One reason for this: in v11 it is not possible to shorten the immutability period of a restore point. But: this is possible in v11a! It is still not possible to set any date before the current set. But you can reset to original date:

Set-VBRImmutabilityLockExpirationDate -RestorePoint $RestorePoint -ToOriginal  

(Note: I changed restore point [1] after the update to v11a)

If original date already passed, it will be reset to current date + immutable period of repository. So, to shorten the period changed before, go to original date and change to new desired date.

[update] Important: Currently it is not possible to reset the date to the original if it has been extended prior to v11a!

See my blog post for more details! It includes some details of description file on Linux.

 


10 comments

Userlevel 7
Badge +5

This is such a cool feature, it definitely carries some risk if people are careless with their original configurations, but I just think it’s awesome that you could do temporary “legal holds” with this if necessary.

Userlevel 7
Badge +5

Great post.  I love this feature and we are starting to use it more and more.

Userlevel 7
Badge +4

Great function.

My first thought was, what if you select a date prior of the set expiration date…. Glad that this is not a security hole 😎

Userlevel 7
Badge +6

Great post.  I love this feature and we are starting to use it more and more.

Thanks! This feature is not only my favorite, it also is very popular with customers :smiley:

Userlevel 7
Badge

Great post @vNote42 !

Userlevel 7
Badge +6

Great function.

My first thought was, what if you select a date prior of the set expiration date…. Glad that this is not a security hole 😎

Yes, Security in Hardened Repo is absolutely consistent!

Userlevel 7
Badge +2

Awesome! Thank you for sharing @vNote42 

Userlevel 7
Badge +6

Great post @vNote42 !

Thanks @marcofabbri !

Userlevel 7
Badge +3

Nice post @vNote42! It is good to see the updates of v11a getting on work!

Userlevel 7
Badge +6

Added important information to the end of the post:

[update] Important: Currently it is not possible to reset the date to the original if it has been extended prior to v11a!

And a link to my current post about this topic with more detailed information.

Comment