How to enable the immutable backup feature - Cloud Backup

Immutable backup uses write-once-read-many (WORM) technology to prevent backup data from being modified or deleted during the retention period, meeting compliance and audit requirements. Cloud Backup provides immutable backup (for backup vaults) and immutable archive (for archive vaults). This topic describes how to enable both features and their rules.

Prerequisites

Before you enable immutable backup or immutable archive, ensure that you have:

A general backup vault or database backup vault (for immutable backup), or an archive vault (for immutable archive).
The backup vault or archive vault in a supported region. See Features available in each region.
(For immutable backup) A general backup policy or ECS instance backup policy, or use the Storage Vaults page to enable per vault.

Important

Immutable backup is not supported for vaults whose Storage Vault Type is NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days). The Immutable Backup option is not shown for those vault types.

Usage notes

After immutable backup or immutable archive is enabled, backup or archive data cannot be modified or deleted within the specified retention period, regardless of permissions. Data is automatically deleted when the retention period ends.

After the immutable backup or immutable archive feature is enabled, it cannot be disabled.
For information about supported regions, see Features available in each region.
Rules of immutable backup:
- The immutable backup feature does not affect backup and recovery operations.
- Supported objects: General backup vaults, database backup vaults (excluding Realtime Backup), and backup points in general backup policies and Elastic Compute Service (ECS) instance backup policies. See Storage vault types.
- Unsupported objects: Backup vaults whose Storage Vault Type is NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days).
- General backup policies, general backup vaults, and database backup vaults:
  - Set the immutable backup feature on the General Backup Policy or Modify Backup Vault page.
  - After it is enabled, all existing and newly generated backup points are locked.
  - If cross-region replication is enabled, replicated backup vaults and backup points in the other region are also locked.
- ECS instance backup policies:
  - Only newly generated backup points are locked; existing backup points are not locked.
  - If cross-region replication is enabled, replicated backup points in the other region are also locked.
  - Disks and snapshots can still be used normally (for example, create disks or share snapshots).
Rules of immutable archive:
The immutable archive feature applies to archive vaults whose Storage Vault Type is Archive and Retention Period is not Permanent.

Enable the immutable backup feature

Method 1: Enable on the Storage Vaults page

Log on to the Cloud Backup console.
In the navigation pane on the left, click Storage Vaults.
Find the backup vault, and in the Actions column choose ⋮ > Modify Backup Vault.
In the Modify Backup Vault panel, turn on Immutable Backup, then click OK.
Important
After it is enabled, the backup vault and all backup data cannot be deleted until the retention period expires. The feature cannot be disabled.
In the Modify Backup Vault panel, click OK to save.

Method 2: Enable when you create a backup policy

Log on to the Cloud Backup console.
In the navigation pane on the left, choose Backup > Policy Center.
In the top navigation bar, select a region.
On the Policy Center page, click Create Backup Policy.
In the Create Backup Policy panel, turn on Immutable Backup. Configure other parameters as needed. See Parameter description.
Important
Both General Backup Policy and ECS Instance Backup Policy support immutable backup. After it is turned on, the backup vault and all backup data cannot be deleted until the retention period expires, and the feature cannot be disabled.
In the Create Backup Policy panel, click Create.

After you complete these steps, Locked is displayed in the Data Lock Mode column of the backup vault.

Enable the immutable archive feature

Log on to the Cloud Backup console.
In the navigation pane on the left, click Storage Vaults.
Find the archive vault for which you want to enable the immutable archive feature and choose ⋮ > Modify Backup Vault in the Actions column.
In the Modify Backup Vault panel, turn on Immutable Archive, then click OK.
Important
After it is enabled, the archive vault and all archived data cannot be deleted until the retention period expires. The feature cannot be disabled.
In the confirmation message, click OK.
In the Modify Backup Vault panel, click OK to save.
After you complete these steps, Locked is displayed in the Data Lock Mode column of the archive vault.

FAQ

Why don't I see the Immutable Backup option in the Modify Backup Vault panel?

Immutable backup is supported only for general backup vaults and database backup vaults. If the Storage Vault Type of a backup vault is set to NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days), the Immutable Backup switch is not displayed.

Can I disable the immutable backup feature for a backup vault?

No. After immutable backup is enabled, it cannot be disabled. The backup vault and backup data cannot be deleted until the retention period expires. The feature does not affect backup and recovery operations.

References

Cloud Backup provides the following enterprise capabilities for data security: