Last updated on Thursday 31st of August 2023 08:39:40 PM

Backup VMs in ©VMWare ©ESXi 8.0 servers

How to enable the execution of foreign binaries and keep your ©ESXi host safe at the same time

Best alternative

We have created ©XSIBackup-App to be able to back up ©ESXi hosts from 5.1 to 8.0. It is an appliance that can manage multiple hosts from a centralized console, so you don't have to install anything in your ©ESXi box. You can download it from SourceForge.

Enabling the execution of binaries in ©ESXi 8.0

There are two things to take into account to enable the execution of foreign binaries in ©ESXi 8.0:

1/ Disabling secure boot in your hardware.
2/ Enabling the execution of binaries in your ESXi host.

Secure boot

Secure boot settings are found in your hardware's BIOS, and where they appear in the BIOS menu may vary greatly, so we'll leave this step up to you. It is rather trivial and you should find the option quickly. Consult your hardware manufacturer's BIOS manual if you need more details.


Enabling binaries

Regarding the enabling of foreign binary execution, this is the command that will allow you to execute ©XSIBackup in your ©ESXi box:

esxcli system settings advanced set -o /User/execInstalledOnly -i 0

On the other hand, this is the one that will allow you to re-enable the blocking:

esxcli system settings advanced set -o /User/execInstalledOnly -i 1

Note that only the last character of the string differs between the two commands.

You need root access to your host to perform this action. It can be issued right before executing the backup, and the block can be re-enabled right after. We have integrated this into ©XSIBackup 1.7.0.0 by means of the --options=x argument flag, so that binary execution is only allowed during the backup window.
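The disable, run, re-enable sequence described above, as an added sh example that is not ©XSIBackup's own code: it wraps any command so the block is restored on success, failure or a catchable signal, and then verifies the value. The ESXCLI override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not XSIBackup code): lift /User/execInstalledOnly only
# while one job runs, and put the block back however the job ends.
# ESXCLI is an assumed override hook so the logic can be tested off-host.
ESXCLI="${ESXCLI:-esxcli}"
OPT=/User/execInstalledOnly

set_exec_installed_only() {
    # $1: 0 allows foreign binaries, 1 blocks them (commands from the page)
    $ESXCLI system settings advanced set -o "$OPT" -i "$1"
}

get_exec_installed_only() {
    # Print the current value; skips the "Default Int Value" line
    $ESXCLI system settings advanced list -o "$OPT" |
        awk -F': ' '/^ *Int Value:/ { print $2 }'
}

run_with_exec_window() {
    # Usage: run_with_exec_window <command> [args...]
    rc=0
    (
        # EXIT fires on normal end and on failure of the job
        trap 'set_exec_installed_only 1' EXIT
        # Turn catchable signals into an exit so the EXIT trap still runs
        trap 'exit 130' INT TERM HUP
        set_exec_installed_only 0 || exit 1
        "$@"
    ) || rc=$?
    # Verify rather than assume that the block is active again
    if [ "$(get_exec_installed_only)" != "1" ]; then
        echo "WARNING: $OPT is not 1 after the job" >&2
        return 2
    fi
    return "$rc"
}

# Run directly as: sh exec_window.sh /path/to/backup-command args...
if [ "$#" -gt 0 ]; then
    run_with_exec_window "$@"
fi
```

A kill -9 of the wrapper or a host power loss bypasses the trap, so the value is worth checking again after such events.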

Still, although this is claimed to be a protection against ransomware, you will quickly realize that, since it can be deactivated so easily, it's more an "obstacle" than a protection.

If you are concerned about ransomware, read this specific post on protecting yourself against ransomware attacks.

Taking 5 minutes to think about how you will set your ©ESXi up will do far more to protect your infrastructure against ransomware than anything else. Just put your server behind a perimeter firewall and limit the ports you open to the outside world. There are ways to access any port in your internal network by just using the SSH port: SSH Tunnelling.

You can also set up a VPN to a pfSense, OpenWrt or any other firewall of your choice. These simple measures are what make the difference.