Backblaze B2 Cloud Storage Object Lock lets you make data immutable by preventing a file from being changed or deleted until a given date. Use it to protect data that is stored in Backblaze B2 from threats like ransomware or to meet regulatory compliance requirements.
Enabling Object Lock
You can enable Object Lock when you create a bucket, on an existing bucket, or as a one-time operation using the b2_update_bucket API call. However, after you enable Object Lock on a bucket, you cannot disable this setting. You can assign Object Lock settings to the files in an Object Lock-enabled bucket before or after you upload the files. If you try to delete or change the files before the end of the retention period, the operation fails. You cannot enable Object Lock on a restricted bucket, for example, shared buckets or snapshots, or on a bucket that contains a source replication configuration. Object Lock supports retention periods of between one and 3,000 days.
Retention Settings and Legal Hold
You can configure Object Lock retention settings in either governance or compliance mode. Object Lock retention settings for files that are protected in governance mode can be modified or overridden by clients with appropriate app key capabilities. Object Lock retention settings for files that are protected in compliance mode cannot be removed by any user, but their retention dates can be extended by clients with appropriate app key capabilities.
Additionally, Object Lock can protect files from deletion with a legal hold, which is not bound by a predetermined expiration date. Legal hold protections are configured separately from governance- or compliance-mode retention settings.
Legal hold and retention settings function independently to protect Backblaze B2 files from unwanted deletion. If either legal hold or retention settings, or even both, are active for a given file, then that file is protected from being deleted.
Default Bucket Retention
You must enable Object Lock when you create a bucket to configure default bucket retention settings. To set default Object Lock retention settings for all of the files that you upload to an Object Lock-enabled bucket, configure default bucket retention settings for that bucket. All of the files that are uploaded or copied to that bucket, from that time on, are protected by those Object Lock retention settings by default. You can override the default settings for individual files at upload time and, in some cases, after upload.
Existing files in the bucket are not affected by updated default bucket retention settings, and you cannot enable a legal hold by default at the bucket level. If you do not configure default retention settings on the bucket, the uploaded files are not protected by Object Lock by default.
Replica files are created with the same upload timestamp as their source file. If the destination bucket has a default Object Lock retention period set, the retention period is calculated based on the timestamp that is inherited from the source file.
Permissions to read and write default bucket retention settings are determined by the writeBucketRetentions app key capabilities, respectively.
Object Lock FAQ
This section answers some frequently asked questions about Object Lock.
How does Object Lock work?
You can enable Object Lock when you create a bucket, or you can enable it on an existing bucket. There are two ways to lock the files that you upload to an Object Lock-enabled bucket. First, you can set a date when you upload the file as part of the call to a Backblaze B2 API. You can also set a date on a file that you already uploaded. For both methods, you must specify the date until which the file is locked and the mode that you want to use. Attempts to delete the file or make any changes to it before the set date will fail. While you can use the second method to extend the lock on a file, you cannot use it to shorten the lock.
The majority of users will not have to interact with the API. Integrations like Veeam simply ask how long you want your files to be immutable, and they enable that functionality behind the scenes for you.
With Default Bucket Retention, Object Lock is enabled for a specified retention period on files that you upload or copy into a bucket.
With Object Lock Legal Hold, files are prevented from being changed or deleted, but the immutability does not have a defined retention period. A file is immutable until Object Lock Legal Hold is removed.
For syncing files from a Network Attached Storage (NAS) device, use the Native API.
Does Object Lock with Backblaze work the same way as it does with AWS?
From a functionality standpoint, Object Lock with Backblaze B2 works the same way as it does with AWS. Files are locked until the date you set on the file.
Is there an extra cost to use Object Lock?
There is no extra cost to use Object Lock. However, you are responsible for the normal charges that are associated with storing the locked file.
Can you enable Object Lock on an existing bucket?
Yes. You can enable Object Lock on a bucket when you create a new bucket or on an existing bucket. After Object Lock is enabled, the files that are in that bucket and the files that you upload after the enablement are eligible to be locked. At this time, you can use the S3-Compatible API, the Native API, the Backblaze B2 SDKs, and the command-line interface (CLI) to enable Object Lock.
What happens if I made a mistake and locked a file for longer than I wanted?
If you locked your file for longer than you intended, you need to close your Backblaze B2 account. For assistance in closing your Backblaze B2 account, see either Canceling and Deleting a Backblaze Account.
Can I use Immutability with Veeam?
Yes, Object Lock in Backblaze B2 was designed with the Immutability feature in Veeam Backup & Replication in mind. If you enabled Object Lock on a bucket on your account, click here to learn how to set up Veeam with Backblaze B2.
Can I use Object Lock on a bucket that does not have it enabled?
No, Object Lock can be used only on a bucket that has Object Lock enabled.
Can I use Object Lock with the Backblaze B2 CLI/AWS CLI?
Here is an example of how to create a bucket with Object Lock enabled and upload a file to Backblaze B2 with an Object Lock. You can then check the retention period for that file.
Create a bucket:
aws s3api create-bucket --bucket <bucketname> --object-lock-enabled-for-bucket --endpoint-url <S3 Endpoint>
Upload a file:
aws s3api put-object --bucket <bucketname> --key <filename> --body <local_filename> --object-lock-mode COMPLIANCE --object-lock-retain-until-date "YYYY-MM-DD HH:MI:SS" --endpoint-url <S3 Endpoint>
Check object retention:
aws s3api get-object-retention --bucket <bucketname> --key <filename> --endpoint-url <S3 Endpoint>
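The following added example (not Backblaze's own code) applies the retention and legal hold rules described earlier on this page to saved JSON output of the get-object-retention call above, and flags files that are unprotected, close to expiry, or held only in governance mode. It assumes the legal hold response has the shape printed by aws s3api get-object-legal-hold; the file names, dates, the warn_days threshold, and the use of None for a call that returned no setting are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an ISO 8601 RetainUntilDate; treat a missing offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def assess(retention_json, legal_hold_json, now, warn_days=7):
    """Classify one file from saved CLI output; None means the call returned no setting."""
    retention = json.loads(retention_json).get("Retention", {}) if retention_json else {}
    hold = json.loads(legal_hold_json).get("LegalHold", {}) if legal_hold_json else {}
    hold_on = hold.get("Status") == "ON"
    mode, until = retention.get("Mode"), retention.get("RetainUntilDate")
    findings = []
    retention_active = False
    if mode and until:
        until_ts = parse_ts(until)
        retention_active = until_ts > now
        if not retention_active:
            findings.append("retention-expired")
        elif until_ts - now <= timedelta(days=warn_days) and not hold_on:
            findings.append("retention-expires-soon")
        if retention_active and mode == "GOVERNANCE":
            # Governance settings can be modified or overridden with the right key capabilities.
            findings.append("governance-overridable")
    # Retention and legal hold work independently: either one protects the file.
    protected = retention_active or hold_on
    if not protected:
        findings.append("unprotected")
    return {"protected": protected, "findings": findings}

# Constructed sample responses (not real bucket data).
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLES = {
    "backup-a.vbk": ('{"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-06-01T00:00:00+00:00"}}', None),
    "backup-b.vbk": ('{"Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": "2025-01-12T00:00:00Z"}}', None),
    "case-file.pdf": ('{"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2024-12-01T00:00:00Z"}}', '{"LegalHold": {"Status": "ON"}}'),
    "notes.txt": (None, '{"LegalHold": {"Status": "OFF"}}'),
}

def audit(samples=SAMPLES, now=NOW):
    """Assess every sample file and return the results keyed by file name."""
    return {key: assess(r, h, now) for key, (r, h) in samples.items()}

if __name__ == "__main__":
    for key, result in audit().items():
        print(key, result)
```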
Can I use Object Lock only with the S3-Compatible API?
What happens after the end of the retention period?
After the Object Lock retention period expires, you can change or delete a file.
Will Object Lock affect any other bucket or lifecycle settings?
Yes. When a file is locked, lifecycle settings or an integration setting attempting to change or delete the file will fail.
Can you enable Object Lock using only the Backblaze web UI? If not, how can it be otherwise enabled?
You can enable Object Lock using the API or the Backblaze web UI. You can also enable Default Bucket Retention and Object Lock Legal Hold through the Backblaze web UI.
Can you enable Object Lock Legal Hold for multiple files at the same time?
No, you can apply Object Lock Legal Hold on only one file at a time when you upload or update a file.