Article ID: m0788

Manage Object Lock for GFS Backups (formerly Object-Lock (Immutability))

This chapter describes the Object Lock for GFS backups feature type.

Object Lock for GFS backups is directly linked to the GFS retention policy. When enabled, full backups selected by the GFS policy become immutable for the corresponding GFS retention period.

For example, if weekly and monthly GFS retention is configured, all backups promoted to weekly and monthly points are locked and cannot be deleted or modified for a longer period than other backup data.

This feature type can be combined with Default Object Lock to extend protection for GFS-based full backups with optimal storage efficiency. Refer to the Object Lock article for details.

Grant Manage Object Lock (Immutability) Permission

To delegate Object Lock management to administrators:

  1. Open the Management Console
  2. Go to Organization > Administrators
  3. Click Edit for the administrator account you are planning to use for backup storage management
  4. Open the Permissions tab
  5. Enable Manage Object Lock (Immutability)
  6. Click Save.

Allow Object Lock for GFS Backups for Storage Account

Note that the Object Lock for GFS Backups feature type must first be allowed in the Management Console, as described below.

  • You can create a new destination bucket with Object Lock for GFS Backups enabled
  • Or use an existing bucket where Object Lock for GFS Backups was enabled via the Management Console

Ensure that the account used to manage the storage account has the required permissions.

For example, for Amazon S3 destinations, the GetBucketObjectLockConfiguration permission is required.

Refer to the storage account documentation for details on how to enable Object Lock for GFS backups:

After enabling Object Lock for GFS backups on the storage account, you can enable it in backup plans that use this storage. The feature will take effect only after it is enabled in the backup plan and will apply to GFS backups created by that plan.

Enable Object Lock for GFS Backups in Backup Plan

For security reasons, the Object Lock for GFS Backups option cannot be enabled or edited in the Backup Agent.

To enable GFS-Based Object Lock in backup plans, proceed as follows:

  1. Open the Management Console.
  2. In the Computers menu, find the required computer, then click on the computer name.
  3. In the side panel, navigate to the Backup plans tab.
  4. Edit the required backup plan or create a new one. Remember that the backup plan must be in the new backup format.
  5. On the Where to back up step of the backup wizard, select the storage account with the Object Lock for GFS Backups feature supported.
  6. Follow the backup wizard to the Retention Policy step.
  7. Enable the Archive Backups, Grandfather-Father-Son (GFS) feature, then specify the GFS keeping periods according to your requirements. If you already have the GFS policy configured, click on the edit icon to change GFS settings.
  8. Enable Prevent backups created according to GFS policy from deletion.
  9. Read the important information about the feature and confirm enabling.
  10. Follow the backup wizard steps to save the backup plan configuration.

If the Object Lock for GFS Backups is not available (for example, it is not enabled for the selected backup destination bucket), you will see the following warning on the Retention step:

Disable Object Lock for GFS Backups in Backup Plan

For security reasons, the Object Lock for GFS Backups option cannot be enabled or edited in the Backup Agent.

To disable GFS-Based Object Lock in a backup plan, proceed as follows:

  1. Open the Management Console.
  2. In the Computers menu, find the required computer, then click on the computer name.
  3. In the side panel, navigate to the Backup plans tab.
  4. Follow the backup wizard to the Retention Policy step.
  5. Open the Archive Backups, Grandfather-Father-Son (GFS) feature for editing.
  6. Disable Prevent backups created according to GFS policy from deletion.
  7. Follow the backup wizard steps to save the backup plan configuration.

Disable Object Lock for GFS Backups for Storage Account

If Object Lock for GFS Backups is disabled or the GFS policy is changed:

  • Existing immutable backups remain locked until their retention period expires
  • New immutable backups cannot be created
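
For Amazon S3 destinations, the point that existing locked backups stay locked until their retention expires can be checked on the storage side. The following is an added example, not part of the product or its documentation: it takes data shaped like the output of the S3 GetObjectLockConfiguration call (the one the GetBucketObjectLockConfiguration permission authorizes) and GetObjectRetention calls, and reports which objects are still locked and when the last lock expires. Object keys, modes and dates are constructed sample values.

```python
from datetime import datetime, timezone

# Constructed sample data, shaped like the JSON printed by
# `aws s3api get-object-lock-configuration` and `aws s3api get-object-retention`.
# Object keys, modes and dates are hypothetical.
BUCKET_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
RETENTION = {
    "weekly-full": {"Retention": {"Mode": "COMPLIANCE",
                                  "RetainUntilDate": "2025-03-01T00:00:00Z"}},
    "monthly-full": {"Retention": {"Mode": "COMPLIANCE",
                                   "RetainUntilDate": "2025-08-01T00:00:00Z"}},
    "old-weekly-full": {"Retention": {"Mode": "COMPLIANCE",
                                      "RetainUntilDate": "2024-12-01T00:00:00Z"}},
    "incremental": None,  # object without a retention setting
}

def parse_ts(value):
    """Parse an ISO 8601 timestamp; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def bucket_lock_enabled(cfg):
    """True if the bucket-level Object Lock configuration reports 'Enabled'."""
    return cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") == "Enabled"

def audit(cfg, retention_by_key, now):
    """Map each key to (state, retain_until); state is locked, expired or unlocked."""
    if not bucket_lock_enabled(cfg):
        raise ValueError("Object Lock is not enabled on this bucket")
    report = {}
    for key, resp in retention_by_key.items():
        retention = (resp or {}).get("Retention")
        if not retention:
            report[key] = ("unlocked", None)
            continue
        until = parse_ts(retention["RetainUntilDate"])
        report[key] = ("locked" if until > now else "expired", until)
    return report

def last_lock_expiry(report):
    """Latest retain-until date among still-locked objects, or None."""
    dates = [until for state, until in report.values() if state == "locked"]
    return max(dates) if dates else None

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "now" for a repeatable run
    result = audit(BUCKET_CFG, RETENTION, now)
    for key, (state, until) in result.items():
        print(f"{key:16} {state:9} {until}")
    print("last lock expires:", last_lock_expiry(result))
```

The date returned by last_lock_expiry is the earliest point at which all currently locked objects in the sample become deletable.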

If you need to suspend or terminate immutable backup keeping, proceed as follows:

  1. Open the Management Console.
  2. In Backup > Storage Accounts, select the required account.
  3. Click the storage account name to view a list of backup destinations.
  4. Click the edit icon at the end of the required backup destination record.
  5. In the Edit destination dialog, clear the Object Lock for GFS Backups checkbox.
  6. Click Save.

After disabling Object Lock for GFS Backups:

  • Object Lock for GFS backups cannot be enabled in new backup plans
  • Existing plans with GFS-Based Object Lock enabled will fail.