I’ve been lucky enough to spend some time testing Veeam’s v13 beta appliance (Before it was released this week) But it’s not just the new features in Backup & Replication that I’ve been working with—it’s their brand-new hardened Linux-based appliances.
This release combines a modern design with a security-first approach. Sure, Veeam has updated the console again (for those who remember the v10 refresh), and while the visuals are pleasant, there is also the introduction of a web interface. (Yes, think along the lines of VMware vCenter.)
The real story—and why I’m writing this post—is that v13 now runs on hardened Linux appliances. This shows exactly where Veeam is heading: tighter security, simplified deployment, and stronger protection across all environments.
Honestly, I think it’s about time.
- The Security and compliance check was nice.
- The PowerShell hardening script (implementing some of those recommendations) was even better.
- The Veeam Hardened Linux Repository was a big step forward—though upgrades were painful, If not impossible.
- Now with hardened Linux appliances? Much, much better.
Here are some of the key highlights that stood out during testing:
1. JeOS on Rocky Linux 9.x
Veeam is delivering a “Just Enough OS” (JeOS) appliance, built on Rocky Linux 9.x. By stripping out unnecessary components, the attack surface is minimized. You can deploy it as either an ISO or OVA, making it flexible for physical and virtual environments.
That said, I do question why the ISO exists for physical environments given some architectural limitations—but hey, flexibility is nice I suppose.
My only frustration is that you still need to deploy a VM for infrastructure roles (e.g., proxy and mount servers). Veeam already has access to the environment—why not provision directly from the management console on demand, like Azure workers? Fewer OS instances means fewer resources and a smaller security footprint.
2. Default Security Hardening
From day one, the appliance ships with SELinux in enforcing mode, SSH disabled, and all non-essential services turned off.
This means less chance of someone deploying a poorly secured Veeam server—or worse, not hardening it at all. No more relying on PowerShell scripts or hoping admins follow best practices.
3. Managed, Centralized Updates
Here’s where I’m a bit torn. Veeam now controls OS and component updates via its own repositories, guaranteeing compatibility and timely patching.
I personally like controlling when and how updates happen (You know ensure you don’t get the early bugs)—but for customers who never patch their systems (and believe me, there are plenty), this is fantastic.
Also, because it’s Linux, there are no more endless Windows Update reboots. For MSPs and providers like me, that means quicker, less disruptive maintenance, and fewer awkward conversations about why last night’s backup failed during a patch cycle.
This is overdue—and will be very welcome for most admins.
4. Mandatory MFA for Key Accounts
During initial configuration, MFA is mandatory for the veeamadmin and veeamso accounts (More about the veeamso account below). This is a strong move toward a zero-trust model.
Best part MFA isn’t just for the web and application consoles—it also applies to the OS console itself. That’s a serious barrier against unauthorized access.
Worst part? If your environment has time sync issues, you could run into problems. I’ll write about that separately another day.
5. Security Officer Role
During setup, you can create a dedicated Security Officer (veeamso) account. This role is responsible for approving sensitive actions, adding another layer of protection.
If you skip this, Veeam warns you strongly.
For MSPs like me, or for environments with shared credential managers, this could be bypassed if all admins share accounts. But with good practices and separate credential stores, this becomes a powerful safeguard to ensure backup infrastructure security is maintained.
6. High Availability (HA) for Uninterrupted Protection
Okay, this isn’t a “security feature” per se, but I’ve waited a long time for this feature.
With v13, HA finally arrives for the backup appliance via node clustering, PostgreSQL replication. That means automatic failovers, boosting both availability and resilience.
For providers delivering DRaaS and IaaS—basically anyone expected to be running 24/7—this is a game-changer. It’s the piece we’ve been missing to deliver proper enterprise-grade DR.
Now we just need to see how we can use it alongside VeeamONE and Veeam Recovery Orchestrator.
Final Thoughts
NThe new hardened Linux appliances in v13 are a huge leap forward. From JeOS to MFA, from enforced hardening to centralized updates, Veeam is really putting security at the center of its architecture—while also making life easier for providers and admins.
Sure, there are things I’d like to see evolve (direct console-based provisioning, more HA integrations, etc.), but this release is a step forward that sets a strong foundation for the future.