
Cloud Backup: Immutable backup

Last Updated: Jun 21, 2026

To enhance data security, meet compliance and audit requirements, and prevent important data from being accidentally or maliciously deleted, Cloud Backup provides an immutable backup feature based on the write-once, read-many (WORM) model. This feature ensures that once data is written, it cannot be modified or deleted, effectively preventing data loss from operational errors or malicious activities. This topic describes how to enable the immutable backup and immutable archive features.

Usage notes

After you enable immutable backup or immutable archive, the data cannot be deleted or modified during the retention period, even by users with the required permissions. The system automatically deletes the backup data after the retention period expires.

  • Once enabled, you cannot disable the Immutable Backup or Immutable Archive feature.

  • Supported regions: For more information, see Features available in each region.

  • Rules for Immutable Backup:

    • The immutable backup feature does not affect normal backup and recovery operations.

    • Supported objects: general backup vaults, database backup vaults (excluding Realtime Backup), and backup points in General Backup Policies and ECS Instance Backup Policies. For more information, see Storage Vault Type.

    • Unsupported objects: backup vaults for which the Storage Vault Type is NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days).

    • For general backup policies, general backup vaults, and database backup vaults:

      • You can enable immutable backup in a General Backup Policy or directly in the Modify Backup Vault panel. The effect is the same.

      • After the feature is enabled, all existing and new backup points in the vault are locked.

      • If cross-region replication is enabled, the replicated backup vaults and backup points in the destination region are also locked.

    • For ECS Instance Backup Policies:

      • Only new ECS instance backup points are locked. Existing backup points are not affected.

      • If cross-region replication is enabled, the replicated backup points in the destination region are also locked.

      • Normal operations for the corresponding cloud disks and snapshots, such as creating a cloud disk or sharing a snapshot, are not affected.

  • Rules for Immutable Archive:

    This feature applies to archive vaults that have a non-permanent retention period.
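
The locking rules above decide which backup points stay deletable after the switch is turned on, which is what an audit needs to know. The following Python is an added example, not part of Cloud Backup or its API: the inventory layout, the `kind` labels, the sample vaults and the assumption that retention is counted from a point's creation time are all constructed here.

```python
from datetime import datetime, timedelta

# Constructed labels for this example; they are not Cloud Backup API values.
LOCK_ALL_POINTS = {"general", "database"}   # existing and new points are locked
LOCK_NEW_POINTS = {"ecs_policy"}            # only points created after enablement

def point_status(point, vault, now):
    """Classify one backup point as 'expired', 'locked' or 'deletable' at `now`."""
    # Assumption: the retention period is counted from the point's creation time.
    if now >= point["created"] + timedelta(days=point["retention_days"]):
        return "expired"
    enabled_at = vault["immutable_enabled_at"]
    if enabled_at is None or now < enabled_at:
        return "deletable"
    if vault["kind"] in LOCK_ALL_POINTS:
        return "locked"
    if vault["kind"] in LOCK_NEW_POINTS and point["created"] >= enabled_at:
        return "locked"
    return "deletable"

def deletable_points(vaults, now):
    """Return (vault name, point id) for every live point the lock does not cover."""
    return [(v["name"], p["id"])
            for v in vaults for p in v["points"]
            if point_status(p, v, now) == "deletable"]

def _pt(pid, created, days):
    return {"id": pid, "created": datetime.fromisoformat(created), "retention_days": days}

# Constructed inventory: one general vault, one ECS policy, one unsupported vault.
ENABLED = datetime(2026, 6, 1)
SAMPLE_VAULTS = [
    {"name": "vault-general", "kind": "general", "immutable_enabled_at": ENABLED,
     "points": [_pt("g-old", "2026-05-01", 90), _pt("g-new", "2026-06-10", 90),
                _pt("g-expired", "2026-01-01", 30)]},
    {"name": "ecs-policy", "kind": "ecs_policy", "immutable_enabled_at": ENABLED,
     "points": [_pt("e-old", "2026-05-20", 60), _pt("e-new", "2026-06-05", 60)]},
    {"name": "vault-nas-free", "kind": "nas_free", "immutable_enabled_at": None,
     "points": [_pt("n-1", "2026-06-15", 30)]},
]

if __name__ == "__main__":
    for vault, point in deletable_points(SAMPLE_VAULTS, datetime(2026, 6, 21)):
        print(f"not covered by the lock: {vault}/{point}")
```

In the sample, the ECS backup point created before enablement and the point in the unsupported vault are the two that remain deletable.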

Enable immutable backup

Method 1: From the Storage Vaults page

  1. Log on to the Cloud Backup console.

  2. In the navigation pane on the left, click Storage Vaults.

  3. Find the target backup vault. In the Actions column, choose More > Modify Backup Vault.

  4. In the Modify Backup Vault panel, turn on the Immutable Backup switch.

    Important

    After immutable backup is enabled, the backup vault and all its backup data cannot be deleted before the retention period expires. Once enabled, this feature cannot be disabled.

  5. In the confirmation dialog box, click Confirmation.

  6. In the Modify Backup Vault panel, click OK.

Method 2: During policy creation

  1. Log on to the Cloud Backup console.

  2. In the navigation pane on the left, choose Backup > Policy Center.

  3. In the top navigation bar, select a region.

  4. On the Policy Center page, click Create Backup Policy.

  5. In the Create Backup Policy panel, turn on the Immutable Backup switch. Configure other parameters as required. For more information about the parameters, see Parameter description.

    Important

    Both General Backup Policy and ECS Instance Backup Policy support immutable backup. After you enable Immutable Backup, the backup vault and all the backup data in the vault cannot be deleted before they automatically expire. After Immutable Backup is enabled, it cannot be disabled.

    The Immutable Backup switch is in the Data Security section of the Backup Data Management area in the Create Backup Policy panel.

  6. In the Create Backup Policy panel, click OK.

After the operation is complete, Locked is displayed in the Data Lock Mode column for the target backup vault.

Enable immutable archive

  1. Log on to the Cloud Backup console.

  2. In the navigation pane on the left, click Storage Vaults.

  3. Find the target archive vault. In the Actions column, choose More > Configure Archive Vault.

  4. In the Configure Archive Vault panel, turn on the Immutable Archive switch.

    Important

    After immutable archive is enabled, the archive vault and all its archived data cannot be deleted before the retention period expires. Once enabled, this feature cannot be disabled.

  5. In the confirmation dialog box, click Confirmation.

    The confirmation message states that the archive vault and its data cannot be deleted until the retention period expires.

  6. In the Configure Archive Vault panel, click OK.

  7. After the operation is complete, Locked is displayed in the Data Lock Mode column for the target archive vault. After you enable immutable archive, the system displays a Locked tag and the retention period (for example, Retention: 2 Years) for the archive vault in the list.

FAQ

Why can't I find the Immutable Backup feature in the Modify Backup Vault panel on the Storage Vaults page?

The immutable backup feature can be enabled only for backup vaults of the General Backup and Database Backup types. This feature is not supported for backup vaults for which the Storage Vault Type is NAS Backup (Free for 30 days), OSS Backup (Free for 30 days), or Tablestore Backup (Free for 30 days).

Can I disable the immutable backup feature after it is enabled?

No. Once enabled, the immutable backup feature cannot be disabled. After the feature is enabled, the backup vault and its backup data cannot be deleted before the retention period expires. Normal backup and recovery operations are not affected.

Related topics

Cloud Backup also offers the following enterprise-grade features to enhance data security.