Immutable Backup Records

AWS S3 and some S3-compatible storage providers like Backblaze B2, Minio, and Wasabi (starting in May 2021) offer a feature called “object lock”. Arq can use this feature to make your backup records immutable and therefore immune from ransomware attacks.

Arq locks your backup data for as long as you choose.

Arq can still perform budget, retention and object cleanup functions. It just can’t remove items until their locks expire.

Once you’ve locked data, there’s no way to unlock it or delete it until the lock expires, so choose your lock duration carefully!

Set Up Immutable Backups with Object Lock

  1. Choose S3 or an S3-compatible storage provider that supports the object lock API, such as B2 (using the S3-compatible API) or Wasabi (starting in May 2021).

  2. Create a new bucket and enable object lock on the bucket.

  3. Add that bucket as a storage location in Arq.

  4. Create a backup plan using that storage location.

  5. Edit your backup plan, click the Immutable tab, and check the ‘Make latest backup record immutable’ checkbox.

    • Choose the minimum number of days to make the latest backup record immutable.
    • Choose the interval for refreshing the immutability of objects.

Ongoing Lock Maintenance

Arq de-duplicates data, so each new backup record points to the same data as the previous backup record except for new/modified/deleted items. Because of this, Arq refreshes the locks on objects it’s reusing.

When Arq uploads a new object, it sets the (latest version of) the object’s lock to expire to the today’s date + the chosen duration + 30 days.

For reused objects where the lock expiration is currently earlier than today’s date + the chosen duration, Arq resets the lock expiration to today’s date + the chosen duration + 30 days.

Ransomware Protection

If an extra-clever ransomware attack finds a way to access your backup data at S3/B2/Wasabi, it will be unable to permanently delete the backup data.

More on Object Lock and Object Versioning

Object lock also requires object versioning is enabled on the bucket. When an object is “deleted”, S3 creates a “delete marker”. Normal queries for lists of objects don’t return that object, but queries for all versions of objects do.

Any attempt to “delete” a version that’s locked will fail with “access denied”, no matter what credentials are used.

If an attacker or anyone else “deletes” your object-locked data, they’re just creating “delete markers”. You can remove the delete markers to make your data visible again. We’ve written a small utility called “s3undelete” that can remove delete markers from any data set.