Skip to Content
ReferenceSecurity & Verification

Overview

XReplicator includes security controls for backup data in transit, at rest, and against accidental or malicious backup tampering.

Implemented controls include:

  • TLS for backup agent, backup server, and web dashboard gRPC communication
  • Optional mTLS with client certificates for agents and the web dashboard
  • Immutable retention window for restore points
  • S3 Object Lock, Azure Blob immutability, and GCS retention support
  • Checksum verification for chunks and restore manifests
  • Restore verification modes: metadata, sample, and full
  • Auto verification after backup
  • Block churn anomaly detection for ransomware-style change spikes
  • Last-known-clean restore point suggestion
  • Security audit events for restore, delete, retention, user, credential, and verification actions
  • Operation history and monitoring charts for restore verification and churn anomalies

TLS protects data in transit. Object immutability, retention, checksums, audit logging, and restore verification protect backup integrity and recovery confidence after the data has been stored.


TLS and mTLS Model

Use one private CA to sign:

  • server.crt / server.key for the backup server
  • client.crt / client.key for each backup agent
  • optionally a separate dashboard client certificate for the web UI process

The server certificate must include the DNS name or IP address that agents and the web dashboard use in server_address / BACKUP_GRPC_ADDRESS.


Generate Certificates

Use real DNS/IP values for your deployment. The example below avoids shell process substitution so it works in minimal shells and under sudo.

sudo install -d -m 755 /etc/backup/tls cd /etc/backup/tls # CA sudo openssl genrsa -out ca.key 4096 sudo openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ -subj "/CN=XReplicator Backup CA" \ -out ca.crt # Server certificate sudo openssl genrsa -out server.key 4096 sudo openssl req -new -key server.key \ -subj "/CN=backup-server.example.com" \ -out server.csr printf "subjectAltName=DNS:backup-server.example.com,IP:192.168.5.2\nextendedKeyUsage=serverAuth\n" | sudo tee server.ext >/dev/null sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out server.crt -days 825 -sha256 \ -extfile server.ext # Client certificate for agents / dashboard sudo openssl genrsa -out client.key 4096 sudo openssl req -new -key client.key \ -subj "/CN=xreplicator-client" \ -out client.csr printf "extendedKeyUsage=clientAuth\n" | sudo tee client.ext >/dev/null sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out client.crt -days 825 -sha256 \ -extfile client.ext sudo chmod 600 /etc/backup/tls/*.key

Keep ca.key offline or on a restricted admin machine. Copy only ca.crt, client.crt, and client.key to agents and the web dashboard host.


Backup Server TLS Configuration

Edit /etc/xreplicator/server.yaml:

server: listen_addr: "0.0.0.0:50051" repository_path: "/var/lib/backup/repo" fixed_block_size_mb: 8 tls: enabled: true cert_file: "/etc/backup/tls/server.crt" key_file: "/etc/backup/tls/server.key" ca_file: "/etc/backup/tls/ca.crt" require_client_cert: true

Restart the server:

sudo systemctl restart backup-server sudo journalctl -u backup-server -f
ParameterRequiredDescription
tls.enabledYesMust be true for production server configuration.
tls.cert_fileYesServer certificate presented to agents and dashboard.
tls.key_fileYesPrivate key for tls.cert_file.
tls.ca_fileRequired for mTLSCA used to validate client certificates.
tls.require_client_certRecommendedEnables mTLS by requiring client certificates.
tls.insecure_skip_verifyNoMust remain false; do not use in production.

Agent TLS Configuration

Edit /etc/xreplicator/agent.yaml on Linux or C:\ProgramData\xreplicator\agent.yaml on Windows:

storage: type: "grpc" grpc: server_address: "backup-server.example.com:50051" timeout: 5m max_retries: 3 tls: enabled: true cert_file: "/etc/backup/tls/client.crt" key_file: "/etc/backup/tls/client.key" ca_file: "/etc/backup/tls/ca.crt" insecure_skip_verify: false

Restart the agent:

sudo systemctl restart backup-agent sudo journalctl -u backup-agent -f
ParameterRequiredDescription
storage.grpc.server_addressYesMust match the server certificate DNS/IP SAN.
storage.grpc.tls.enabledYesEnables encrypted gRPC transport.
storage.grpc.tls.ca_fileRecommendedCA used to verify the backup server certificate.
storage.grpc.tls.cert_fileRequired for mTLSClient certificate sent to the server.
storage.grpc.tls.key_fileRequired for mTLSPrivate key for cert_file.
storage.grpc.tls.insecure_skip_verifyNoMust remain false; do not bypass certificate validation.

Web Dashboard TLS Configuration

The web dashboard connects to the backup server from its server-side API routes. Set these environment variables for the web process:

export BACKUP_GRPC_ADDRESS=backup-server.example.com:50051 export BACKUP_GRPC_CA_FILE=/etc/backup/tls/ca.crt export BACKUP_GRPC_CERT_FILE=/etc/backup/tls/client.crt export BACKUP_GRPC_KEY_FILE=/etc/backup/tls/client.key

Then restart the dashboard service/process.

VariableRequiredDescription
BACKUP_GRPC_ADDRESSYesBackup server gRPC address. Must match the server certificate SAN.
BACKUP_GRPC_CA_FILERecommendedCA used by the dashboard to verify the backup server.
BACKUP_GRPC_CERT_FILERequired for mTLSDashboard client certificate.
BACKUP_GRPC_KEY_FILERequired for mTLSDashboard client private key.

If the dashboard reports unable to verify the first certificate, confirm that:

  • BACKUP_GRPC_CA_FILE points to the CA that signed server.crt
  • BACKUP_GRPC_ADDRESS uses a DNS name/IP present in the server certificate SAN
  • the web process was restarted after changing environment variables

Backup Verification Parameters

Configure restore verification in /etc/xreplicator/server.yaml:

restore_verification: verify_after_backup: true mode: "full" # metadata | sample | full max_parallel: 1 max_runtime: "2h" max_snapshots_per_run: 0 include_latest_only: true
ParameterDefaultDescription
verify_after_backupfalseRun verification automatically after each completed backup.
modefullVerification depth. See mode table below.
max_parallel1Reserved for verification worker concurrency. Keep 1 unless advised.
max_runtimeunsetOptional maximum runtime such as "2h".
max_snapshots_per_run0Maximum snapshots in one manual operation run. 0 means no explicit cap.
include_latest_onlytrueVerify only the latest restore point per host/device in operation-level runs.

Verification Modes

ModeWhat it checksExpected costBest use
metadataSnapshot manifest is readable and structurally present. Does not read chunks or resolve the full parent chain.FastestCheap post-backup signal and operational smoke check.
sampleResolves the snapshot chain and verifies a small deterministic chunk sample.MediumLightweight confidence check when full verification is too expensive.
fullResolves the snapshot chain and reads, decompresses, and checksum-verifies all logical chunks.HighestStrongest restore assurance and production proof point.

A metadata or sample result is useful, but it is not the same assurance as a full restore verification. Use full for compliance evidence, customer proof, and high-value restore points.


Ransomware-Resilience Settings

Immutable Restore Points

security: immutable_retention_window: 720h

During the immutable window, restore points cannot be modified or deleted by normal source-agent flows.

Block Churn Anomaly Detection

security: block_churn_anomaly: enabled: true high_change_percent: 80 min_history: 3
ParameterDefaultDescription
enabledtrueEnables audit alerts for unusually high changed-block percentages.
high_change_percent80Alert threshold for changed data percentage.
min_history3Minimum prior snapshots before anomaly alerts are generated.

Anomaly alerts appear in the Security Audit page and feed the last-known-clean restore point suggestion.


Object Storage Immutability

For off-site copies, enable object immutability on the storage target:

  • S3-compatible storage: Object Lock with governance or compliance mode
  • Azure Blob: immutability policy
  • Google Cloud Storage: retention policy

Use immutable buckets/containers for ransomware-resilient off-site backup copies. Match the object-lock retention to your business recovery and compliance requirements.


Operational Guidance

  • Use TLS everywhere in production.
  • Use mTLS for agents and the web dashboard when the backup server is reachable over a shared or routed network.
  • Keep CA private keys off agents and dashboard hosts.
  • Use metadata or sample for frequent low-cost checks.
  • Use full verification for critical systems and customer-facing recovery assurance.
  • Monitor churn anomaly charts and audit events after suspicious activity.
  • Keep immutable retention long enough to cover ransomware detection delay.
Last updated on