5 1 0:Configuring Si3 Deduplication Store with Object Lock
Overview
When backing up your data to Amazon S3 (Simple Storage Service) cloud storage, Wasabi cloud storage, or another S3-compatible cloud implementation, you can use the Object Lock function to protect your data from alteration or deletion. Object Lock is a data protection feature that lets you configure the immutability of backup objects. The retention time can be set to a fixed period or indefinitely, and no one can change, delete or overwrite a backup object until its retention time has expired.
Immutable objects remain immutable until the end of their retention time. Cloud storage offers two retention modes:
- Governance mode - users with a special permission (for example, the root user) can reduce the retention time. This is the mode SEP sesam uses.
- Compliance mode - the retention time of a protected file or object cannot be shortened by any user.
SEP sesam uses object retention in governance mode. In governance mode, the SEP sesam backup user can add or extend the retention period on an object but cannot shorten or remove it. If the retention period is set incorrectly (for example, to 100 years), a user with the BypassGovernanceRetention permission can change this setting.
S3 Object Lock works only in buckets with versioning enabled. A lock is placed on an individual object version; new object versions can still be created, and each version is locked according to the configured retention period.
Note: Enabling the Object Lock function on S3 may increase the storage space required for backups.
S3 Object Lock also provides two ways of managing object retention that can be combined or used independently:
- retention period - specifies a fixed period of time during which an object remains locked and cannot be overwritten or deleted.
- legal hold - has no expiration date and remains in place until you explicitly remove it. Legal holds are independent of retention periods.
SEP sesam does not use the legal hold option. A legal hold can be placed on objects in the cloud storage management console.
Configuration of Si3 store with Object Lock
SEP sesam enables you to configure the Si3 data store with the Object Lock function enabled. For general information on Si3 data store configuration and prerequisites, see Configuring Si3 Deduplication Store. This section covers only the information specific to configuring an Si3 data store that uses the Object Lock function.
Note: This procedure involves configuration steps that are performed in the cloud storage management console. These steps provide only the basic information; for more detailed explanations and instructions, refer to the documentation of your cloud storage provider (for example, AWS or Wasabi).
For information on configuring media pools, backing up to S3 cloud storage, and purging data on S3 cloud storage, see Backup to S3 Cloud Storage.
Create a policy
A policy defines the user permissions for buckets in your cloud storage and can be assigned to a user, group, or role. Policies are written in JSON.
In your cloud storage management console, create a policy <policy_name>, for example, Si3LockSesam. SEP sesam requires the policy settings shown below; edit the JSON policy statement accordingly.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectRetention",
                "s3:PutObjectRetention",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
Creating a policy on S3
- On S3, in the IAM Management Console, select Policies in the menu and then click Create policy.
- Switch to the JSON tab and insert the SEP sesam policy statement (above).
- Follow the wizard to complete the procedure. For more information, see Creating IAM policies.
Creating a policy on Wasabi
- On Wasabi, in the Wasabi Management Console, select Policies in the menu and then click Create policy.
- Enter the <policy_name> and insert the SEP sesam policy statement (above).
- Complete the procedure. For more information, see Creating a Policy.
Create a user for backup
To access the cloud storage bucket and back up objects to it, SEP sesam requires a dedicated user account for backup. In your cloud storage management console, create a user <user_name>, for example, Si3Sesam. Select programmatic access and attach the SEP sesam policy to this user.
Follow the recommendation and use your root user credentials only to create the user for backup; the backups themselves run under the dedicated user.
Creating a user for backup on S3
- On S3, in the IAM Management Console, select Users in the menu and then click Add users.
- Enter the <user_name> and select the option Access key - Programmatic access. Click Next.
- In the Set permissions window, click Attach existing policies directly.
- Select the check box in front of your policy (Si3LockSesam) to attach it to the user for backup. Click Next.
- Follow the wizard to complete the procedure. For more information, see IAM users.
Note: AWS access keys consist of an access key ID and a secret access key; both are required to authenticate. These credentials are also required when creating an Si3 data store for S3. SEP sesam stores the S3 credentials encrypted (not in plain text) in the ini file.
For more information and procedures, see the AWS Identity and Access Management documentation.
Creating a user for backup on Wasabi
- On Wasabi, in the Wasabi Management Console, select Users in the menu and then click Create user.
- Enter the <user_name> and under Type of Access select the option Programmatic (create API key). Click Next.
- In the Policies window, find and select your policy (Si3LockSesam) to attach it to the user for backup. Click Next.
- Complete the procedure. For more information, see Creating a User.
Create a bucket
The term bucket describes the container for backup data. To use the Object Lock function, the cloud storage bucket must have versioning enabled.
In your cloud storage management console, create a bucket <bucket_name>, for example, si3sesamlock. Enable the bucket versioning and Object Lock functions.
Note: Uppercase characters and special characters are not permitted in the bucket name. The bucket name must be DNS-compliant. For more information, refer to Bucket naming rules.
Creating a bucket on S3
- On S3, in the S3 Management Console, select Buckets in the menu and then click Create bucket.
- Enter the <bucket_name>.
- In the Bucket Versioning section, enable Bucket Versioning.
- Expand the Advanced settings section and enable Object Lock.
- Complete the procedure. For more information, see Creating a Bucket.
Creating a bucket on Wasabi
- On Wasabi, in the Wasabi Management Console, select Buckets in the menu and then click Create bucket.
- Enter the <bucket_name> and select the region (geographic location) where you want your bucket to reside. Click Next.
- In the Set Properties window, enable Bucket Versioning and Object Locking. Click Next.
- Complete the procedure. For more information, see Creating a Bucket.
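The policy and bucket prerequisites above (required actions for the backup user, versioning and Object Lock enabled on the bucket) can be checked before the data store is created. The following is an added example, not SEP sesam's code or a SEP sesam tool: it validates a policy document against the action list from this page and validates bucket settings in the shape that boto3's get_bucket_versioning() and get_object_lock_configuration() return; the sample inputs are constructed inline so it runs offline, and the bypass/COMPLIANCE checks are this example's own caveats.

```python
import json

# Actions the Si3LockSesam policy on this page grants to the backup user.
REQUIRED_ACTIONS = {
    "s3:PutObject", "s3:GetObject", "s3:GetObjectRetention", "s3:PutObjectRetention",
    "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetBucketObjectLockConfiguration",
    "s3:GetBucketLocation", "s3:ListAllMyBuckets",
}

# Constructed samples: the page's policy, and a copy missing two retention-related actions.
SESAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS),
     "Resource": "*"}]})
TRIMMED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": sorted(REQUIRED_ACTIONS - {"s3:PutObjectRetention", "s3:DeleteObjectVersion"})}]})

def allowed_actions(policy_doc: str) -> set:
    """Collect every action granted by the Allow statements of an IAM policy document."""
    granted = set()
    for stmt in json.loads(policy_doc).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted

def check_policy(policy_doc: str) -> dict:
    """Report required actions that are missing, and whether the policy would also let the
    backup user bypass governance retention (that is, shorten or remove locks)."""
    granted = allowed_actions(policy_doc)
    wild = {"*", "s3:*", "s3:BypassGovernanceRetention"}
    return {"missing": sorted(REQUIRED_ACTIONS - granted),
            "grants_bypass": bool(granted & wild)}

def check_bucket(versioning: dict, lock_config: dict) -> list:
    """Validate the bucket against the page's prerequisites. Inputs have the shape of
    boto3's get_bucket_versioning() and get_object_lock_configuration() responses."""
    problems = []
    if versioning.get("Status") != "Enabled":
        problems.append("bucket versioning is not enabled")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled on the bucket")
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode == "COMPLIANCE":
        problems.append("default retention mode is COMPLIANCE, not the governance mode SEP sesam uses")
    return problems
```

Against a real bucket, pass the two boto3 responses straight into check_bucket(); an empty list means the bucket matches the prerequisites described above.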
Configure the Si3 deduplication store with Object Lock
Configuring an Si3 deduplication store that uses S3 with the Object Lock function involves creating a new data store for your S3 bucket and setting the drive parameters and data store size properties. This section covers only the settings specific to Object Lock.
- In the Main selection -> Components, click Data Stores and then select New Data Store.
- From the Data Stores menu, select New Data Store. The New Data Store dialog appears.
- Configure the data store as required. For details, refer to Configuring Si3 Deduplication Store.
- Right-click the newly created S3 data store and then click Properties.
- In the Storage Backend tab, select the option Enable Object lock and then enter the retention time in days in the Object lock retention time field.
Note: The Object lock retention time setting defines the Object Lock retention period in days. Si3 periodically extends the locks on objects and pages. Every version of objects and pages is preserved, and Si3 periodically removes versions that are older than the retention time.
Modifying retention period
The SEP sesam backup user can add or extend the retention period on an object. To extend the retention period, change the Object lock retention time setting in the Storage Backend tab; the retention period is then recalculated for all objects in the S3 bucket.
You can also shorten the Object lock retention time setting. In this case the new retention period applies immediately to new objects, while the retention period of existing objects is recalculated only once the remaining time of their previously set retention period is shorter than the new one.
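The behaviour described in this section follows from the governance-mode rule that a lock can be extended but not shortened. The following added example (not SEP sesam's code; the timeline, the refresh schedule and the has_bypass flag are constructed for illustration) models one object version across periodic lock refreshes as Si3 performs them, and shows why lowering the setting only takes hold once the old retain-until date has been passed.

```python
from datetime import datetime, timedelta, timezone

# Constructed base date for the worked timeline below.
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)

def day(n: int) -> datetime:
    """Day offset n from BASE (constructed timeline helper)."""
    return BASE + timedelta(days=n)

def effective_retain_until(existing, now, retention_days):
    """Retain-until date after Si3 re-applies the configured Object lock retention time.
    In governance mode the backup user may extend a lock but never shorten it, so the
    result is the later of the lock already on the version and now + retention_days:
    a raised setting takes effect at the next refresh, a lowered one only once the new
    candidate date passes the old retain-until date."""
    candidate = now + timedelta(days=retention_days)
    return candidate if existing is None else max(existing, candidate)

def retention_change_allowed(existing, requested, has_bypass=False):
    """Governance-mode rule: a request that shortens or removes a lock is rejected
    unless the caller holds s3:BypassGovernanceRetention (modelled as a flag here)."""
    if existing is None or (requested is not None and requested >= existing):
        return True
    return has_bypass

def refresh_history(refreshes):
    """Apply (refresh_time, retention_days) lock refreshes to one object version in
    order and return the retain-until date after each refresh."""
    retain_until, out = None, []
    for when, days in refreshes:
        retain_until = effective_retain_until(retain_until, when, days)
        out.append(retain_until)
    return out

def demo_offsets():
    """Version locked on day 0 with 30 days; setting lowered to 5 days on day 10,
    refreshed again on day 26, then raised to 60 days on day 29.
    Returns the retain-until date after each refresh as a day offset."""
    history = refresh_history([(day(0), 30), (day(10), 5), (day(26), 5), (day(29), 60)])
    return [(d - BASE).days for d in history]   # → [30, 30, 31, 89]
```

The second and third refreshes show the shortening case: the 5-day setting does not move the lock until day 26, when now + 5 days finally exceeds the original day-30 date.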
See also
Configuring Si3 Deduplication Store – Encrypting Si3 Deduplication Store – Backup to S3 Cloud Storage – Standard Backup Procedure – Standard Restore Procedure – Licensing