Manage Default Object Lock
This chapter describes the Default Object Lock feature type:
- Grant administrators permissions to manage Object Lock
- Allow Default Object Lock for backup destinations
- Edit Default Object Lock settings for backup destinations
- Disable Default Object Lock for storage account
Default Object Lock prevents all backup data written to a destination from being deleted or overwritten for a specified period.
Once objects are locked:
- They cannot be modified or removed until the retention period expires
- In Compliance mode, deletion is impossible even for administrators
Managed Backup does not attempt to delete backup data until the default locking period expires.
This feature type can be combined with Object Lock for GFS backups to extend retention for GFS-based full backups in Managed backup.
Grant Manage Object Lock (Immutability) Permission
To delegate Object Lock management to administrators:
- Open the Management Console
- Go to Organization > Administrators
- Click Edit for the administrator account you are planning to use for backup storage management
- Open the Permissions tab
- Enable Manage Object Lock (Immutability)
- Click Save.
Allow Default Object Lock for Storage Account
If you are using Microsoft 365 / Google Workspace Backup you can enable this feature now, but for Managed Backup this feature requires Backup Agents 8.6 (Windows) or 4.5 (macOS/Linux).
Consider, that the Default Object Lock should only be allowed for storage account with enabled Object Lock. This should be done on the storage account side. After enabling Object Lock on the storage account side, you can enable it in Management Console for the existing destination or create a new storage account and enable Default Object Lock for it.
Refer to the storage account documentation for details on how to enable default Object Lock:
- Amazon S3 & Glacier
- Microsoft Azure Blob
- Microsoft Azure VM
- Backblaze B2
- File System
- Google Cloud Storage
- S3 Compatible
- Wasabi
- MinIO
- IDrive e2
- MSP360 (Wasabi)
- MSP360 (Amazon S3)
Ensure that the account used to manage the storage account has the required permissions.
Edit Default Object Lock Settings for Storage Account
If Object Lock period is changed on the storage side:
If Object Lock settings can be read from storage, the protection period is populated automatically.
If the settings cannot be read, you will be prompted to provide the protection period settings manually.
To provide the protection period settings manually, proceed as follows:
- Open the Management Console.
- In the Backup > Storage Accounts select the required account.
- Click the storage account name to view a list of backup destinations.
- Click the edit icon at the end of the required backup destination record.
- In the Edit destination dialog, edit the number of days below the Set Default Object Lock checkbox to provide the correct value.
- Click Save.
The Default Object lock will have effect immediately for all backup data.
Disable Default Object Lock for Storage Account
If Object Lock is disabled on the storage side:
- Existing immutable backups remain locked until their retention period expires.
- All newly created backups will not be purged during the Default Object Lock period specified in the Management Console.
In this case it is recommended to disable Default Object Lock for storage account in the Management Console. To perform this, proceed as follows:
- Open the Management Console.
- In the Backup > Storage Accounts select the required account.
- Click the storage account name to view a list of backup destinations.
- Click the edit icon at the end of the required backup destination record.
- In the Edit destination dialog, clear the Set Default Object Lock checkbox.
- Click Save.
Now all newly created backups will be purged according to the retention policy settings.
After disabling Default Object Lock:
If Default Object Lock is disabled:
- Existing immutable backups remain locked until their retention period expires
- New immutable backups cannot be created