TrueSecure Guide

Object Lock (Immutability)

Object Lock (Immutability) is a feature that locks backup datasets for a period specified in GFS retention policy settings. Within this period, backup data cannot be modified or deleted.

Object Lock (Immutability) is supported for the following storage providers:

  • Amazon AWS

  • Wasabi

  • Backblaze B2

About Object Lock

Object Lock (Immutability) is best suited to preserving data in accordance with compliance requirements. It allows an administrator to specify a data retention period or to implement a legal hold that prevents data from being deleted until the hold is removed.

The Object Lock feature is linked with the GFS retention policy. If the Object Lock is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.

For example, if you enable weekly and monthly keeping periods in the GFS settings, keeping backups for 2 weeks and 2 months respectively, and then enable immutability, all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage and cannot be deleted with Backup Agent.

Use the Object Lock (Immutability) feature with extreme caution. Once backup data becomes immutable, there is no way to delete it from the storage until the specified GFS keeping period expires, except by terminating the storage account. Careless settings can cause high storage bills.

Retention Modes For Immutable Data

Generally, there are two retention modes:

  • Governance mode (default)

  • Compliance mode

These retention modes apply different levels of protection.

In Governance mode, users cannot overwrite or delete an object version or alter its lock settings using Backup Agent. With Governance mode, objects in backup storage are protected against being deleted, but you can still delete the object, if necessary, in the backup storage provider console.

In Compliance mode, a protected object version cannot be overwritten or deleted by any user, including the root user in your storage provider account. When an object is locked in Compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened. Compliance mode helps ensure that an object version cannot be overwritten or deleted for the duration of the retention period defined in the GFS retention policy settings.

By design, when you create a destination bucket, Governance mode is applied by default. If you need to use Compliance mode for your backup purposes, contact the TrueSecure support team.
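The difference between the two modes can be checked per object version. The following added example (not part of the TrueSecure product or its documentation) classifies versions by who can still delete them, using the field names Amazon S3 returns for a locked version; the object keys and dates are constructed sample values, and the mention of s3:BypassGovernanceRetention reflects Amazon S3 behaviour rather than anything stated on this page.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def deletion_exposure(version, now):
    """Say who can permanently delete one object version at time `now`.

    `version` uses the fields S3 returns from HeadObject for a locked version:
    ObjectLockMode, ObjectLockRetainUntilDate, ObjectLockLegalHoldStatus.
    """
    if version.get("ObjectLockLegalHoldStatus") == "ON":
        return "blocked-legal-hold"          # stays until the hold is removed
    mode = version.get("ObjectLockMode")
    until = version.get("ObjectLockRetainUntilDate")
    if not mode or until is None or until <= now:
        return "unprotected"                 # no lock, or the lock has expired
    if mode == "COMPLIANCE":
        return "blocked-for-everyone"        # includes the account root user
    if mode == "GOVERNANCE":
        return "privileged-bypass-possible"  # s3:BypassGovernanceRetention holders
    raise ValueError(f"unknown retention mode: {mode!r}")

def summarize(versions, now):
    """Count versions per exposure class and return the latest active lock expiry."""
    counts, last_expiry = {}, None
    for v in versions:
        state = deletion_exposure(v, now)
        counts[state] = counts.get(state, 0) + 1
        until = v.get("ObjectLockRetainUntilDate")
        if state in ("blocked-for-everyone", "privileged-bypass-possible"):
            last_expiry = until if last_expiry is None else max(last_expiry, until)
    return counts, last_expiry

# Constructed sample: four versions as a listing script might collect them.
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = [
    {"Key": "weekly-full", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": datetime(2024, 6, 10, tzinfo=UTC)},
    {"Key": "monthly-full", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": datetime(2024, 7, 20, tzinfo=UTC)},
    {"Key": "expired-weekly", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": datetime(2024, 5, 1, tzinfo=UTC)},
    {"Key": "held", "ObjectLockLegalHoldStatus": "ON"},
]

if __name__ == "__main__":
    counts, last_expiry = summarize(SAMPLE, NOW)
    print(counts)
    print("storage is committed until at least", last_expiry)
```

The latest expiry is the earliest date at which all currently locked data can be removed, which is the figure to review before enabling immutability on long GFS keeping periods.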

How It Works

Enable this feature for an appropriate storage account if you need to comply with regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset. In some cases, it could be easier to create a new bucket in the existing storage account for immutability purposes. When you create a new immutable bucket, you automatically create a default lifecycle to clean deleted versions.

You can only enable Object Lock (Immutability) for new buckets. If you want to turn on the Object Lock for an existing bucket, contact the storage provider support team to find out whether they can help you.

Note that if your storage provider is AWS and you create a new bucket with the Immutability feature enabled, versioning for this bucket is automatically enabled.

If you create a bucket with Object Lock enabled, you cannot disable it or suspend versioning for this bucket.

Support for Versioning Buckets in Amazon S3/Wasabi

With the Object Lock (Immutability) feature enabled in the storage account, synchronization is performed on a file list formed from the list of versions.

Along with it, a so-called postponed synchronization approach is used: data is collected from a list of files, then analyzed and added to the database. During the analysis, immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.

During consistency checks, the same logic applies: immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: this concerns common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.

Enable Object Lock (Immutability) for Storage Account

Note that Object Lock (Immutability) should be allowed by means of Management Console. Object Lock (Immutability) allowed using the backup storage management consoles cannot be supported.

Note that in order to use the Object Lock, the GetBucketObjectLockConfiguration permission must be granted to the storage account.

To enable the Object Lock (Immutability) feature for the storage account, proceed as follows:

  1. In the application menu, select Edit Storage Accounts.

  2. Select the account you want to enable the Object Lock (Immutability) for, then click Edit.

  3. Select the bucket that supports the Object Lock (Immutability) or create a new one. If the selected bucket does not support Object Lock (Immutability), you will be informed with an appropriate warning.

Note that you can only enable the Immutability feature for new buckets. If you want to enable the Object Lock (Immutability) for an existing bucket, contact your storage provider support team.

  4. Select the Allow Object Lock (Immutability) check box.

  5. Carefully read the confirmation dialog, then confirm the action.

  6. Click OK.

Once the Object Lock (Immutability) feature is enabled on the required storage account, proceed to create or edit the backup plans that require immutable data.
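Before relying on a bucket for immutable backups, the prerequisites named above (Object Lock enabled at bucket creation, versioning enabled, and the GetBucketObjectLockConfiguration permission) can be verified independently of the backup software. This is an added example, not TrueSecure code: it evaluates the responses of the S3 GetObjectLockConfiguration and GetBucketVersioning calls, the sample responses are constructed, and fetch_and_assess assumes boto3 with credentials for the default AWS endpoint (other providers need their own endpoint URL).

```python
def assess_bucket(lock_resp, versioning_resp, lock_error=None):
    """Evaluate the S3 API responses for one bucket.

    lock_resp       -- GetObjectLockConfiguration response dict, or None on error
    versioning_resp -- GetBucketVersioning response dict
    lock_error      -- S3 error code if the lock call failed, else None
    """
    problems, cfg = [], {}
    if lock_error == "AccessDenied":
        problems.append("missing permission s3:GetBucketObjectLockConfiguration")
    elif lock_error == "ObjectLockConfigurationNotFoundError":
        problems.append("bucket was created without Object Lock")
    elif lock_error:
        problems.append("unexpected error " + lock_error)
    else:
        cfg = (lock_resp or {}).get("ObjectLockConfiguration", {})
        if cfg.get("ObjectLockEnabled") != "Enabled":
            problems.append("Object Lock is not enabled")
    if versioning_resp.get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    default = cfg.get("Rule", {}).get("DefaultRetention", {})
    return {"ready": not problems, "problems": problems,
            "default_mode": default.get("Mode")}

def fetch_and_assess(bucket):
    """Live variant: needs boto3 and credentials, so it is not run offline."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    lock, err = None, None
    try:
        lock = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        err = exc.response["Error"]["Code"]
    return assess_bucket(lock, s3.get_bucket_versioning(Bucket=bucket), err)

# Constructed responses in the shape the S3 API returns.
LOCKED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
LOCKED_DEFAULT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}}
VERSIONED, UNVERSIONED = {"Status": "Enabled"}, {}

if __name__ == "__main__":
    print(assess_bucket(LOCKED, VERSIONED))
    print(assess_bucket(None, UNVERSIONED, "ObjectLockConfigurationNotFoundError"))
    print(assess_bucket(None, VERSIONED, "AccessDenied"))
```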

Enable Object Lock (Immutability) in Backup Plan

  1. Edit the backup plan you intend to apply the Object Lock (Immutability) to or create a new one.

  2. Follow the backup wizard steps to the Retention Policy step.

  3. Select the Enable GFS check box.

  4. Configure your GFS settings according to your requirements or compliance mandate.

  5. Select the Enable Object Lock (Immutability) check box.

  6. Confirm the action in a dialog box, then click Next.

Attention! Once the Object Lock (Immutability) is enabled, it will not be possible to edit or delete the backup data until the specified GFS keeping period expires, so be extremely cautious since it may lead to serious storage bill increases.

  7. Follow the backup wizard to the end to save the backup plan configuration.


Last updated 12 months ago

First, make sure your storage account supports the Object Lock (Immutability). Currently, Immutability is supported for Amazon S3, Wasabi, and Backblaze B2 only.