How to enable the immutable backup feature - Cloud Backup

To improve data backup security and meet compliance and auditing requirements for enterprises, you must prevent key data from being deleted mistakenly or maliciously. Cloud Backup provides the immutable backup feature based on the write once, read many (WORM) technology. This feature ensures that data, once written, cannot be modified or deleted, preventing data loss caused by accidental or malicious operations. This topic describes how to enable the immutable backup feature and the immutable archive feature.

Usage notes

After immutable backup or immutable archive is enabled, backup data cannot be modified or deleted within the specified retention period, regardless of whether you have the required permissions. Backup data is automatically deleted when the retention period ends.

After the immutable backup or immutable archive feature is enabled, it cannot be disabled.
For information about supported regions, see Features available in each region.
Rules of immutable backup:
- The immutable backup feature does not affect backup and recovery operations.
- Supported objects: general-purpose backup vaults, database backup vaults (excluding Realtime Backup), and backup points in general backup policies and Elastic Compute Service (ECS) instance backup policies. For more information, see Storage vault types.
- Unsupported objects: backup vaults whose Storage Vault Type is NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days).
- For general backup policies, general-purpose backup vaults, and database backup vaults:
  - You can set the immutable backup feature on the General Backup Policy or Modify Backup Vault page.
  - After the immutable backup feature is enabled, all the existing backup points and newly generated backup points are locked.
  - If the cross-region replication feature is enabled, the backup vaults and backup points replicated to another region are also locked.
- For ECS instance backup policies:
  - Only newly generated backup points are locked. Existing backup points are not locked.
  - If the cross-region replication feature is enabled, the backup points replicated to another region are also locked.
  - The normal use of the corresponding disks and snapshots is not affected. For example, you can still create disks and share snapshots.
Rules of immutable archive:
The immutable archive feature applies to archive vaults whose Storage Vault Type is Archive and Retention Period is not Permanent.

Enable the immutable backup feature

Method 1: Enable the immutable backup feature on the Storage Vaults page

Log on to the Cloud Backup console.
In the navigation pane on the left, click Storage Vaults.
Find the backup vault for which you want to enable the immutable backup feature and choose More > Modify Backup Vault in the Actions column.
In the Modify Backup Vault panel, turn on Immutable Backup.
Important
After the immutable backup feature is enabled, backup vaults and all backup data cannot be deleted until the retention period expires. After the immutable backup feature is enabled, it cannot be disabled.
In the message that appears, click OK.
In the Modify Backup Vault panel, click OK.

Method 2: Enable the immutable backup feature when you create a backup policy

Log on to the Cloud Backup console.
In the navigation pane on the left, choose Backup > Policy Center.
In the top navigation bar, select a region.
On the Policy Center page, click Create Backup Policy.
In the Create Backup Policy panel, turn on Immutable Backup. Configure other parameters based on your business requirements. For more information, see Parameter description.
Important
Both General Backup Policy and ECS Instance Backup Policy support the immutable backup feature. After Immutable Backup is turned on, backup vaults and all backup data cannot be deleted until the retention period expires. After the immutable backup feature is enabled, it cannot be disabled.
In the Create Backup Policy panel, click OK.

After you complete the preceding operations, Locked is displayed in the Data Lock Mode column of the backup vault.

Enable the immutable archive feature

Log on to the Cloud Backup console.
In the navigation pane on the left, click Storage Vaults.
Find the archive vault for which you want to enable the immutable archive feature and choose More > Modify Backup Vault in the Actions column.
In the panel that appears, turn on Immutable Archive.
Important
After the immutable archive feature is enabled, archive vaults and all archived data cannot be deleted until the retention period expires. After the immutable archive feature is enabled, it cannot be disabled.
In the message that appears, click OK.
In the Configure Archive Vault panel, click OK.
After you complete the preceding operations, Locked is displayed in the Data Lock Mode column of the archive vault.

FAQ

Why am I unable to enable Immutable Backup in the Modify Backup Vault panel?

You can enable the immutable backup feature for general-purpose backup vaults and database backup vaults. If Storage Vault Type of a backup vault is set to NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days), the Immutable Backup switch is not displayed.

Can I disable the immutable backup feature for a backup vault?

No, you cannot disable the immutable backup feature after it is enabled. After the immutable backup feature is enabled, the backup vault and backup data cannot be deleted until the retention period expires. The immutable backup feature does not affect backup and recovery operations.

References

Cloud Backup provides the following enterprise-class capabilities to ensure data security: