Enabling Backup Locking

Scenarios

Backup locking can be used in many scenarios, such as:

• Backing up core enterprise data: If financial data and customer information are lost or tampered with, the enterprise may suffer fatal damage. Backup locking ensures that core data backups will not be deleted by mistake during the retention period.
• Backing up important systems: Backups of important systems, such as enterprise service systems and database systems, are critical to system stability and service continuity. Backup locking prevents backups of these key systems from being deleted by mistake and ensures that the systems can be recovered when a fault occurs.

How Backup Locking Works

Before backup locking is enabled, automatic backups are automatically deleted according to the retention rules. Any user with the permission to delete backups can delete automatic backups. Backup locking locks automatic backups in vaults in the WORM state. In this state, data can only be read, but cannot be modified or deleted. Once backup locking is enabled, the system enforces strict access controls and operational restrictions on automatic backups stored in vaults. The system restricts users from deleting automatic backups during their retention periods. These backups are only deleted automatically when the deletion conditions defined in the retention rules are met. This ensues the security and integrity of backup data throughout the retention timeframe.

• Backup locking does not affect normal backup, restoration, and replication operations.
• Manual backups are not controlled by backup locking and can be manually deleted.
• If you enable backup locking, set Type of Retention Rule to Time period. In this way, even if you modify the retention rule of the policy, backups with the original policy applied will be automatically deleted based on the original expiration time, backups with the new policy applied will be retained based on the new retention rule.

Notes and Constraints

• Backup locking cannot be disabled after it is enabled. If the vault capacity is full after backup locking is enabled, resource backups may fail because backups cannot be deleted in advance.
• After backup locking is enabled, associated resources cannot be dissociated or migrated.
• After backup locking is enabled, policy-based backups can only be deleted after they expire. You cannot manually delete them.
• After backup locking is enabled, pay-per-use vaults cannot be deleted if they contain backups, but yearly/monthly vaults can be unsubscribed from.
• After backup locking is enabled for a vault, you can only select the current retention type or change the retention type to time-based retention when modifying the policy that is applied to the vault. If the retention rule is quantity-based retention, the retention quantity cannot be reduced.
• A vault with backup locking enabled can only have a backup policy with time-based retention.
• After backup locking is enabled, a vault can only have a backup or replication policy with time-based retention.

Enabling Backup Locking for an Existing Vault

1. Log in to the CBR console.
   1. Log in to the management console.
   2. Click in the upper left corner and select a region.
   3. Click and choose Storage > Cloud Backup and Recovery. Select the corresponding backup type from the navigation pane.

2. Locate the target vault and choose More > Enable Backup Locking in the Operation column.
3. In the displayed dialog box, click OK to enable backup locking.
   Figure 1 Backup locking

   

4. Click OK.

   The vault list is displayed, and you can see that the value in the Back Locking column is Enabled.

Helpful Links

If the vault capacity is full after backup locking is enabled, resource backups may fail because backups cannot be deleted in advance. You can expand the vault capacity in advance to avoid this situation. For details, see Expanding Vault Capacity.