Create Secure FTPS server for VMware VCSA 6.5 Backups
We have already covered in detail how to provision an FTP server with FileZilla as a target for our VCSA 6.5 backups. To take this a step further, what if you want to secure the backup of your VCSA 6.5 appliance by using a secure FTP process? We can still use FileZilla, this time configured as a secure FTPS server, so that our backups from the VCSA appliance are protected “in flight” as they go across the wire. Let’s see how to implement this configuration on our FileZilla server.
Secure FTPS and not SFTP
Update 10.30.2017 – Please note here we are describing creating a “secure” FTPS server which is a different technology than SFTP or “Secure File Transfer Protocol” as pointed out by @JonKensy. A great description as noted by @paulbraren is found here. At this time, VMware VCSA backups do not support SFTP and only support FTPS. SFTP definitely has advantages when it comes to the network ports that are used for communication as mentioned in the linked post. Hopefully this may appear as an option in a future VCSA release.
Create Secure FTPS server for VMware VCSA 6.5 Backups
The process is very similar to simply creating an FTP server. We only need a couple of additional steps: creating a certificate on our FileZilla server and disabling plain unencrypted FTP. To set up the certificate in FileZilla, we go to Edit >> Settings.
We have several areas of interest on the FTP over TLS settings configuration screen. Notice the Enable FTP over TLS support (FTPS) checkbox as well as the Generate new certificate… button.
Once we have checked the Enable FTP over TLS support (FTPS) checkbox, we can also check the Disallow plain unencrypted FTP box, which is what we want to do to make things more secure.
When we click the Generate new certificate button, we are prompted with the familiar certificate information to be filled out. When we click the Generate certificate button, the certificate is generated for the FTPS connection.
We will get a pop up box “Certificate generated successfully”.
Our screen should look like the following with the certificate in place and we are disallowing plain unencrypted FTP communication.
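To confirm that both settings took effect before pointing the VCSA at the server, the FTP control channel can be probed directly. The script below is an added example, not part of the original post; it assumes explicit FTPS (AUTH TLS) on port 21 as used in this walkthrough, and the function names and the probe user name are constructed for illustration.

```python
import socket
import sys

PROBE_USER = "ftps-probe"  # constructed name; never send a real account here

def read_reply(stream):
    """Read one FTP reply, multi-line banners included; return (code, text)."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the control connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "NNN-text" continues the reply, "NNN text" is its final line.
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] in ("", " "):
            return int(line[:3]), "\n".join(lines)

def send_one(host, port, cmd, timeout):
    """Open a fresh control connection, send one command, return its code."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)  # discard the 220 banner
        sock.sendall(cmd.encode("ascii") + b"\r\n")
        return read_reply(stream)[0]

def assess(auth_code, user_code):
    """Turn the two reply codes into a list of findings (empty = as intended)."""
    findings = []
    if auth_code != 234:  # 234 = server is ready to start the TLS handshake
        findings.append("AUTH TLS refused: FTP over TLS is not enabled")
    if user_code in (230, 331, 332):  # login proceeding without TLS
        findings.append("USER accepted before TLS: plain FTP is still allowed")
    return findings

def probe(host, port=21, timeout=5.0):
    """Check a server you administer; only the probe user name is sent."""
    auth_code = send_one(host, port, "AUTH TLS", timeout)
    user_code = send_one(host, port, "USER " + PROBE_USER, timeout)
    return assess(auth_code, user_code)

if __name__ == "__main__":
    problems = probe(sys.argv[1])
    print("\n".join(problems) or "FTPS required and available")
    sys.exit(1 if problems else 0)
```

Run it with the FTPS server's host name as the only argument; a non-zero exit status means one of the two checkboxes did not take effect.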
Backing up VMware VCSA 6.5 with FTPS
Now we can log in to our VMware VCSA 6.5 VAMI interface and begin the backup process, selecting the FTPS option. Point the connection to the FTPS server that was just set up, port 21, and use the user/pass combination you configured for the VCSA backup process.
Also, we can choose the Encrypt Backup Data checkbox which encrypts the backup files themselves (at rest). Effectively, now that we are using FTPS, we are encrypting the data “in flight” and with encrypting our backup data, we will be encrypting at rest as well, so the process overall is much more secure.
After we click Next, we shouldn’t see any errors if the FTPS connection is configured properly and we will see the process begin retrieving backup sizes for the various components.
Thoughts
Security should be at the forefront of all our minds in this day and time. Backups of all kinds are often overlooked when it comes to securing data. Really, backups are an exact copy of production data and should be secured just as production is. Securing data “in flight” and “at rest” ensures that we have encrypted the data both as it traverses the network and when it is at rest in a cold state on a hard drive, backup repository, etc. It is easy to set up the FTPS connection in FileZilla to create a secure FTPS server for VMware VCSA 6.5 backups. Hopefully, this quick run-through will help anyone configure the FTPS connection for use with VAMI.