> Expert > CommCell Management > Security > Ransomware Monitoring and Hardening > Ransomware Protection > Configuring WORM Storage Mode on Cloud Storage

Configuring WORM Storage Lock

You can configure WORM storage lock in Commvault using the following procedure.

Before You Begin

Before configuring WORM storage lock and compliance lock, make sure to perform the following:

Create or configure the following in cloud storage:

Note

For information on permissions to configure cloud storages, see Creating a Cloud Storage Library.

Vendor

Before You Begin Tasks

Amazon S3

Note

Disable default retention when object lock is enabled.

  • Verify that the PutObjectRetention permission is assigned to the bucket along with the other permissions needed to configure Amazon S3. For more information about the other permissions, see the Amazon S3 pages.

  • Commvault uses Compliance mode with object lock on AWS S3.

  • For a bucket with versioning enabled, you must have the DeleteObjectVersion permission to delete versioned objects.

S3 Compatible
  • Same tasks as Amazon S3
  • Commvault uses Compliance mode with object lock on S3 Compatible.
  • Disable default retention when object lock is enabled or set retention days to 0.
  • Additionally, you should configure life cycle policy to remove delete markers.

Google Cloud Storage

Create a bucket in Google Cloud Storage.

Note

From Commvault Platform Release 2024 (11.34), Commvault supports object lock on Google Cloud Storage, but only for new storage buckets. Upgraded storage buckets remain bucket lock enabled.

Microsoft Azure Storage

  • Create a storage account and a container with version-level immutability support in Microsoft Azure Storage.

    Create a lifecycle rule to clean up previous versions of the deleted objects. For more information, see Blob versioning and Optimize costs by automatically managing the data lifecycle.

  • Verify that the Storage Blob Data Owner role is assigned in Azure to use the WORM storage functionality.

Configure the bucket/container in Commvault software as follows:

1. Configure a cloud storage pool using the cloud bucket/container.

2. Configure a storage policy with the configured cloud storage pool.

  • Configure an internal mail server.

  • We recommend not to use extended retention on WORM-enabled storage pools.

    Note

    For a bucket with versioning enabled, you must have the DeleteObjectVersion permission to delete versioned objects.

Procedure for Enabling WORM Storage Lock

  1. From the CommCell Browser, go to Storage Resources > Storage Pools.

  2. Right-click the desired <Storage Pool>, and select Properties > Storage Pool Copy.

  3. Select the box for WORM storage lock to enable it.

    Notes

    • This action also enables compliance lock on all associated backup destinations.

    • This action is irreversible and you cannot lower the retention on WORM storage lock enabled copy.

    • If you enabled WORM storage lock unintentionally, we recommend you to create a new storage pool with a new storage pointing to a new container or bucket.

  4. To define retention period (for a deduplication enabled storage pool), enter the number of days to retain the data in the Retain for [] Days box.

    Note

    Retention on storage pool is applicable only when storage WORM property is set.

    By default, the Create new DDB every [] days option is selected for deduplication enabled storage pools which denotes the DDB seal frequency. The DDB seal frequency is set to the same number as of retention days in the associated storage pool, with a minimum of 7 days and maximum of 365 days.

    • For a non-deduplication enabled storage pool, retention is defined from dependant storage policy copies or plan copies.

    • WORM Lock: Displays the number of days for the WORM lock. It is the sum of the retention of the storage policy pool copy and the DDB seal frequency.

  5. Click OK.

  6. Enter the confirmation text string, and then click OK.

The following settings are enabled in Commvault:

  • The WORM storage lock and compliance lock on the selected storage pool, and compliance lock on all the dependant copies of the selected storage pool.

  • For deduplication enabled storage pools, the seal frequency of the deduplication database (DDB) is enabled.

    • DDB is set to seal after n days, where n is set to the same number of days as retention set in the storage pool with a minimum of 7 days and a maximum of 365 days.

      For example:

      • For a retention lower or equal to 7 days, the DDB seal frequency is set to 7 days.
      • If the retention is set for 60 days in the storage pool, the seal frequency for the DDB is also set to 60 days.
      • For retention higher than 365 days, the DDB seal frequency is set to 365 days.

    • Commvault uses WORM lock days which is defined as the sum of storage pool retention in days and DDB sealing frequency.

    • For non-deduplication storage pools, WORM lock days is same as of storage pool retention.

      For example, if retention is set for 60 days of the storage pool, then WORM lock days for objects at the bucket/container is also set to 60 days.

  • Micro pruning is disabled for the cloud storage that has WORM enabled. For cloud storage with WORM, you must use macro pruning. Data that have met retention will be identified and made irrecoverable as part of the daily data aging operations.

  • Applying of WORM settings on objects:

    • Object Lock:

      • Each object will be locked as per the Commvault WORM lock days computed during the write operation to the storage and will be locked till that day.

    • Bucket Lock:

      • Commvault will write data and objects will be locked as per the retention days set on the bucket/container on cloud vendor side.

  • When Commvault deletes a file, data aging will clean up all versions including delete markers.

    • The delete marker acts as a placeholder indicating that the object that was there once, has been deleted. The primary purpose of the delete markers is to simplify the management and versioning of objects.
    • For some S3 compatible storage vendors, you may need to create a life cycle rule to cleanup delete marker.

    Note

    Associating DDB backups and index backups to WORM copies is not recommended.

Loading...