Immutability

This chapter covers the following topics:

About Immutability

Immutability (also called Object Lock) is a feature that locks backup datasets for a period specified in GFS retention policy settings. Within this period, backup data is kept unmodified.

Immutability is supported by the following storage providers:

Note that Immutability is not supported for MSP360 storage powered by AWS and by Wasabi.

The Immutability feature is linked with the GFS retention policy. If the Immutability is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.

For example, if you enable weekly and monthly GFS keeping periods in a backup plan and then enable Immutability, all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage and cannot be deleted or modified.

Immutability is available for plans in the new backup format (NBF) only.

Retention Modes for Immutable Data

Generally, two object lock retention modes are supported for immutable storage:

  • Governance mode (default)

    In Governance mode, protected objects in backup storage are locked (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects can only be deleted using cloud storage provider tools. By design, when you create a destination bucket using the Management Console, the Governance mode is used for all destination buckets with Immutability enabled.

  • Compliance mode

    In Compliance mode, protected objects in backup storage are locked completely (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects cannot be deleted until their retention period defined in the GFS retention policy settings ends. Neither Management Console nor Backup Agent provides an option to switch the object lock retention mode for existing destination buckets. If you need to use Compliance mode, you can check this option with MSP360 support.

Use the Immutability feature with extreme caution. Once backup data becomes immutable in Compliance mode, there is no way to delete it from the storage until the specified GFS keeping period expires, except by terminating the storage account. Incorrect settings can cause high storage bills.

Allow 'Manage Immutability' Permission for Your Administrators

If you intend to delegate the Immutability management to your administrators, grant the appropriate permission for them. To do this, proceed as follows:

  1. Open the Management Console.
  2. In the Organization menu, select Administrators.
  3. Click Edit or Add Administrator to create a new one.
  4. Switch to the Permissions tab.
  5. Find the Manage Immutability option, then select the appropriate check box.
  6. Click Save.

Allow Immutability for Storage Account

If you need to comply with regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset, enable this feature for an appropriate storage account. If you do not have any storage destinations with Immutability allowed, you can create a new destination bucket in Management Console.

To use the Immutability feature, the appropriate permission must be granted to the account used for the backup storage connection. For example, for S3 destinations, the GetBucketObjectLockConfiguration permission must be granted.
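A way to check the storage account's IAM policy for these permissions, as an added example that is not part of the original documentation. The policy is constructed sample data; the mapping of the 'list versions' permission (mentioned in the AWS S3 steps) to `s3:ListBucketVersions` is an assumption, and `s3:BypassGovernanceRetention` is the S3 action that lets a principal remove Governance-mode locks. The check is simplified: it reads only Allow statements and ignores Deny, NotAction, Resource and Condition.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy for the backup storage account (not from the page).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
              "s3:GetBucketObjectLockConfiguration"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:Bypass*", "Resource": "*"}
]}
""")

# Needed by the backup connection: the first is named on the page; the second
# is assumed to be the S3 action behind the page's 'list versions' permission.
REQUIRED = ["s3:GetBucketObjectLockConfiguration", "s3:ListBucketVersions"]
# S3 action that allows removing Governance-mode locks; a backup account
# normally has no need for it.
RISKY = ["s3:BypassGovernanceRetention"]

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (string or list form)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    patterns = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def is_allowed(action, patterns):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Report required actions that are missing and risky ones that are granted."""
    patterns = allowed_patterns(policy)
    return {
        "missing": [a for a in REQUIRED if not is_allowed(a, patterns)],
        "risky": [a for a in RISKY if is_allowed(a, patterns)],
    }

if __name__ == "__main__":
    print(audit_policy(POLICY))
```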

AWS S3

To allow Immutability for AWS S3, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required account to allow the Immutability or create a new storage account.

Note that the 'list versions' permission must be enabled for the storage account.

  3. Click the gear icon, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups or click the ... button to edit an existing destination.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Allow Immutability.
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Immutability check box, then click Confirm.
  7. Once you are done, proceed to backup plans to enable the Immutability for specific backups along with the GFS retention policy. Allowing Immutability enables this feature on the specified bucket only and does not apply it to any backups. You should apply immutability to the desired backups as described below.

Note that if a bucket has the Immutability feature enabled, versioning for this bucket is automatically enabled as well.
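One way to verify the result on an S3 destination, as an added example that is not part of the original documentation: it checks the bucket prerequisites (Object Lock and versioning) and classifies each object by its retention mode and retain-until date. The inputs are constructed samples shaped like AWS CLI output; the object keys and the deadline are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample responses, shaped like the JSON that these AWS CLI calls print:
#   aws s3api get-object-lock-configuration / get-bucket-versioning / get-object-retention
LOCK_CFG = json.loads('{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}')
VERSIONING = json.loads('{"Status": "Enabled"}')
RETENTION = {  # hypothetical object key -> get-object-retention response
    "weekly-full": {"Retention": {"Mode": "GOVERNANCE",
                                  "RetainUntilDate": "2025-03-01T00:00:00+00:00"}},
    "monthly-full": {"Retention": {"Mode": "COMPLIANCE",
                                   "RetainUntilDate": "2025-01-15T00:00:00.000Z"}},
    "daily-incr": {},  # no Retention returned for this object
}

def audit_bucket(lock_cfg, versioning):
    """Return problems with the bucket-level prerequisites for immutability."""
    problems = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("object lock is not enabled")
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    return problems

def audit_object(resp, must_hold_until):
    """Classify one object: 'unlocked', 'expires-early', 'governance' or 'compliance'."""
    ret = resp.get("Retention")
    if not ret:
        return "unlocked"
    # Accept both the '+00:00' and the 'Z' timestamp spellings.
    until = datetime.fromisoformat(ret["RetainUntilDate"].replace("Z", "+00:00"))
    if until < must_hold_until:
        return "expires-early"
    return ret["Mode"].lower()

if __name__ == "__main__":
    # Constructed date until which the GFS policy is expected to keep the backups.
    deadline = datetime(2025, 2, 1, tzinfo=timezone.utc)
    print(audit_bucket(LOCK_CFG, VERSIONING) or "bucket OK")
    for key, resp in RETENTION.items():
        print(key, audit_object(resp, deadline))
```

A `governance` result means the lock is in place but, as described under Retention Modes, the object can still be deleted with cloud storage provider tools.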

Wasabi

To allow the Immutability for Wasabi, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required account to allow the Immutability or create a new storage account.

Immutability can only be enabled at the time a bucket is created. Buckets with Immutability enabled must also have Versioning enabled.

  3. Click the gear icon, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups or click the ... button to edit an existing destination.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Allow Immutability.
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Immutability check box, then click Confirm.
  7. Once you are done, proceed to backup plans to enable the Immutability for specific backups along with the GFS retention policy. Note that allowing Immutability enables this feature on the created bucket only and does not apply to any existing buckets or backups. Proceed to enable the Immutability in backup plans as described below.

Backblaze B2

To allow the Immutability for Backblaze B2 destinations, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required Backblaze account to allow the Immutability or create a new Backblaze storage account.
  3. Click the gear icon, then select View Backup Destinations. If you just created a new Backblaze storage account, just follow the storage account creation wizard.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups or click the ... button to edit an existing destination.
  5. In the Add Destination Bucket box, select the Create new bucket option, specify the new bucket name, then select the Allow Immutability check box. If you want to use an existing bucket, click ..., then select the required bucket from the list.

Immutability can only be enabled at the moment a bucket is created. Thus, if you select an existing bucket, it must have the Immutability (Object Lock in terms of Backblaze) enabled previously. For existing buckets with no Immutability enabled upon creation, there is no way to enable it. You can always check the Immutability status of existing backup destinations on the 'Backup Destinations' page, in the 'Immutability' column.

  6. Confirm the action: read the confirmation message, select the I confirm enabling Immutability check box, then click Confirm.
  7. Once you are done, proceed to backup plans to enable the Immutability for specific backups along with the GFS retention policy. Note that the Immutability feature is applied to the created bucket only. Proceed to enable the Immutability in backup plans as described below.

Disable Immutability for Storage Account

If you change the GFS policy or disable the Immutability, all backups locked with the Immutability will be kept for the period specified in the GFS retention policy settings.

If you need to suspend or terminate immutable backup keeping, proceed as follows:

  1. Open the Management Console.
  2. In the Storage > Storage Accounts, select the required account.
  3. Click the gear icon, then select View Backup Destinations.
  4. Click the ... button to edit an existing destination.
  5. In the Edit Destination Bucket property box, clear the Allow Immutability check box.

Note that after you disable Immutability, you will not be able to create new backup plans with the selected storage account and enable Immutability. Also, all backup plans that have Immutability enabled will be terminated with an appropriate error. To avoid these errors, disable the Immutability feature manually in the plans where you no longer need this feature.

  6. Click Save.

Enable Immutability in Backup Plans

For security reasons, the Immutability option cannot be enabled or edited in Backup Agent.

To enable the Immutability in backup plans via Remote Management, proceed as follows:

  1. Open the Management Console.
  2. In the Computers menu, select Remote Management.
  3. Find the required computer, then click the gear icon.
  4. Select Show Plans.
  5. Edit the required backup plan or create a new one. Remember that the backup plan must be in the new backup format.
  6. On the Where To Back Up step of the backup wizard, select the storage account with the Immutability feature supported.
  7. Follow the backup wizard to the Retention Policy step.
  8. Enable the GFS retention policy, then specify the GFS keeping periods according to your requirements. If you already have the GFS policy configured, skip this step.
  9. Select the Enable Immutability check box.
  10. Confirm the feature enabling, then follow the backup wizard steps to save the backup plan configuration.
