You can enable write once ready many (WORM) storage and retention for Amazon S3 and Microsoft Azure Storage. Worm storage prevents the accidental deletion of data that is not qualified for aging.
Caution
If you enable WORM storage lock and compliance lock, they will be enabled on all associated backup destinations. This action is irreversible and you cannot lower the retention.
Enabling WORM storage automatically enables compliance lock, which prevents retention settings from being changed. If you enable WORM storage and compliance lock, you cannot disable WORM storage, and the data will remain immutable in the storage for the duration of the retention period.
After you enable WORM storage, the size of the storage footprint will be slightly more than double the size of the protected front end data for Amazon S3 or Azure Storage, due to overhead associated with object lock storage and handling of deduplicated data. For this reason, WORM storage is more appropriate for secondary or tertiary copies of data than for primary copies.
If you add a custom backup plan that uses WORM storage, the plan inherits its retention settings from the storage pool.
-
WORM storage lock. You can use the WORM storage lock option for both deduplicated and non-deduplicated data for Amazon S3 and Azure Storage. WORM storage lock provides data security at the cloud storage level.
Note
Air Gap Protect is not supported for WORM storage lock.
-
Compliance lock. Compliance lock is a security control that provides protection from destructive tasks such as deleting backups, storage, apps, servers, and backup destination copies, and reducing retention for cloud storage vendors. Compliance lock provides data security at the software level. You can enable compliance lock at the storage level, and all associated backup destination copies will be locked and protected.
Note
Cloud app workloads that use bundled Commvault Cloud are not supported for compliance lock.
Before You Begin
-
Complete the following tasks on the platform that you use:
Platform
Tasks
Amazon S3
-
Create a bucket in Amazon S3, with Object Lock enabled and default retention disabled.
-
Verify that the PutObjectRetention permission is assigned to the bucket, along with the other permissions that are required to configure Amazon S3. To download the Amazon S3 permissions JSON file, see "Amazon EC2" in "IAM Policies" in Requirements and Usage for AWS IAM Policies and Permissions.
Azure Storage
-
Create a storage account and a container with version-level immutability support enabled in Azure Storage.
-
Verify that the Storage Blob Owner role is assigned in Azure.
-
Procedure
-
From the navigation pane, go to Storage > Cloud.
The Cloud page appears.
-
Click the cloud storage.
The cloud storage page appears.
-
To enable WORM storage lock, do the following:
-
Move the WORM storage lock toggle key to the right.
The Retention rules page appears.
-
In the Retention period option, specify the amount of time to retain the backups, and then click OK.
The Do you want to enable WORM storage lock? dialog box appears.
-
Select the options to confirm your agreement, type Confirm in the confirmation box, and then click CONFIRM.
Note
-
Both WORM storage lock and WORM compliance lock will be enabled on all associated backup destinations. This action is irreversible and you cannot lower the retention.
-
If you enabled WORM storage lock unintentionally, we recommend you to create a new storage pool with a new storage pointing to a new container or bucket.
-
-
-
To enable only compliance lock, do the following:
-
Move the Compliance lock toggle key to the right.
The Do you want to enable Compliance lock? dialog box appears.
-
Select the option to confirm your agreement, and then click YES.
Note
Compliance lock will be enabled on all associated backup destinations. This action is irreversible and you cannot lower the retention.
-