Create Secure FTPS server for VMware VCSA 6.5 Backups

0

We have covered in detail how to in general provision an FTP server using FileZilla for the purposes of targeting for our VCSA 6.5 backups.  However, to take this a step further, what if you want to secure the backup of your VCSA 6.5 appliance by using a secure FTP process?  To do that, we can still use FileZilla and create secure FTPS server for VMware VCSA 6.5 Backups so our backups from the VCSA appliance are secure “in flight” as they go across the wire.  Let’s see how to implement this configuration on our FileZilla server.

Secure FTPS and not SFTP

Update 10.30.2017 – Please note here we are describing creating a “secure” FTPS server which is a different technology than SFTP or “Secure File Transfer Protocol” as pointed out by @JonKensy.  A great description as noted by @paulbraren is found here.  At this time, VMware VCSA backups do not support SFTP and only support FTPS.  SFTP definitely has advantages when it comes to the network ports that are used for communication as mentioned in the linked post.  Hopefully this may appear as an option in a future VCSA release.

Create Secure FTPS server for VMware VCSA 6.5 Backups

The process is very similar to simply creating an FTP server.  Actually, we only need a couple of additional steps including creating a certificate on our FileZilla server and disable plain unencrypted FTP.  To setup the certificate in FileZilla, we go to Edit >> Settings

Edit-the-settings-of-the-FileZilla-server Create Secure FTPS server for VMware VCSA 6.5 Backups

Edit the settings of the FileZilla server

We have several areas of interest on the FTP over TLS settings configuration screen.  Notice the Enable FTP over TLS support (FTPS) checkbox as well as the Generate new certificate… button.

FTP-over-TLS-settings-and-certificate-configuration Create Secure FTPS server for VMware VCSA 6.5 Backups

FTP over TLS settings and certificate configuration

Once we check the Enable FTP over TLS support (FTPS) checkbox enabled, we can check the box to Disallow plain unencrypted FTP as well which is what we want to do to make things more secure.

Disallow-plain-unencrypted-FTP Create Secure FTPS server for VMware VCSA 6.5 Backups

Disallow plain unencrypted FTP

When we click the Generate new certificate button, we are prompted with the familiar certificate information to be filled out.  When we click the Generate certificate button, the certificate is generated for the FTPS connection.

Generate-a-self-signed-certificate-for-the-FileZilla-server Create Secure FTPS server for VMware VCSA 6.5 Backups

Generate a self signed certificate for the FileZilla server

We will get a pop up box “Certificate generated successfully”.

Certificate-is-generated-successfully Create Secure FTPS server for VMware VCSA 6.5 Backups

Certificate is generated successfully

Our screen should look like the following with the certificate in place and we are disallowing plain unencrypted FTP communication.

Certificate-created-and-options-set-for-FTPS Create Secure FTPS server for VMware VCSA 6.5 Backups

Certificate created and options set for FTPS

Backing up VMware VCSA 6.5 with FTPS

Now we can login to our VMware VCSA 6.5 VAMI interface and begin the backup process.  Now we can select the FTPS option.  Point the connection to your FTPS server that was just setup, port 21, and use the user/pass combination you configured for the VCSA backup process.

Change-VCSA-6.5-backup-to-use-FTPS Create Secure FTPS server for VMware VCSA 6.5 Backups

Certificate created and options set for FTPS

Also, we can choose the Encrypt Backup Data checkbox which encrypts the backup files themselves (at rest).  Effectively, now that we are using FTPS, we are encrypting the data “in flight” and with encrypting our backup data, we will be encrypting at rest as well, so the process overall is much more secure.

In-flight-and-at-rest-encryption-of-VCSA-6.5-backups Create Secure FTPS server for VMware VCSA 6.5 Backups

In flight and at rest encryption of VCSA 6.5 backups

After we click Next, we shouldn’t see any errors if the FTPS connection is configured properly and we will see the process begin retrieving backup sizes for the various components.

VCSA-6.5-backp-proceeds-without-error Create Secure FTPS server for VMware VCSA 6.5 Backups

VCSA 6.5 backup proceeds without error

Thoughts

Security should be on the forefront of all our minds in this day and time.  Backups of all kinds are often overlooked when it comes to securing data.  Really, backups are an exact copy of production data and should be secured as is production.  Securing data “in flight” and “at rest” ensures that we have encrypted the data both as it traverses the network as well as when it is at rest in a cold state on a hard drive, backup repository, etc.  It is easy to setup the FTPS connection in FileZilla to Create Secure FTPS server for VMware VCSA 6.5 Backups.  Hopefully, this quick run through will help anyone configure the FTPS connection for setting up with VAMI.