What is Object Lock?
Object Lock is a feature that allows Veeam users to make data immutable by preventing a file from being changed or deleted until a given date. This helps to protect files stored in Backblaze B2 Cloud Storage from threats like ransomware, which could potentially encrypt or remove files you intend to keep.
How does Object Lock work?
Object Lock must be enabled on a bucket at the time the bucket is created. For files going into a bucket with Object Lock enabled, there are two ways to lock them. First, you can set a date when you upload the file as part of the call to our API. Second, you can set a date on a file that is already uploaded. For both methods, you must specify the date until which the file is locked and the mode you want to use. Attempts to delete the file or make any changes to it before the set date will fail. While you can use the second method to extend the lock on a file, you cannot use it to shorten the lock.
The majority of users will never have to interact with the API at all - integrations like Veeam will simply ask how long you want your files to be immutable and enable that functionality behind the scenes for you.
Does Object Lock with Backblaze work the same way as it does with AWS?
From a functionality standpoint, Object Lock with Backblaze B2 Cloud Storage works the same way as it does with AWS. Files will be locked until the date a user sets on the file.
Is there an extra cost to use Object Lock?
There is no extra cost to use Object Lock; however, you are responsible for the normal charges associated with storing the locked file.
Can Object Lock be enabled later on?
The bucket that a file is in must have Object Lock enabled in order to use Object Lock on that file. Object Lock can only be enabled on a bucket when the bucket is first created. This means you cannot enable Object Lock on any file in a bucket that was not created with Object Lock enabled, and it cannot be turned on after the fact. We have mimicked this behavior from AWS.
What happens if I made a mistake and locked a file for longer than I wanted?
If you have locked your file for longer than you intended, you will need to cancel your B2 account by contacting our support team. In the event that you wish to close your account, please note that any data subject to the Object Lock feature cannot be deleted until such functionality becomes available, which is currently targeted for Q1 2021.
Can I use Immutability with Veeam?
Yes, Object Lock in B2 Cloud Storage was designed with the Immutability feature in Veeam Backup & Replication in mind. If you have enabled Object Lock on a bucket on your account, you can follow our guide on how to set up Veeam with B2 Cloud Storage.
Can I use Object Lock on a bucket that does not have it enabled?
No, Object Lock can only be used on a bucket that has Object Lock enabled.
Can I use Object Lock with the B2 CLI/AWS CLI?
Since Object Lock is currently only supported via the S3 Compatibility API, you cannot use the Backblaze B2 Native API to lock files with Object Lock at this time. Locking files via the AWS CLI is supported. Here is an example of how to create a bucket with Object Lock enabled and upload a file to Backblaze B2 with an Object Lock, then check the retention period for that file:
Creating a Bucket:
aws s3api create-bucket --bucket <bucketname> --object-lock-enabled-for-bucket --endpoint-url <S3 Endpoint>
Upload a File:
aws s3api put-object --bucket <bucketname> --key <filename> --body <local_filename> --object-lock-mode COMPLIANCE --object-lock-retain-until-date "YYYY-MM-DD HH:MI:SS" --endpoint-url <S3 Endpoint>
Check Object Retention:
aws s3api get-object-retention --bucket <bucketname> --key <filename> --endpoint-url <S3 Endpoint>
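The commands above cover locking at upload time. As an added example (not Backblaze's own code), the script below handles the second method, setting a date on an already uploaded file, and checks locally that the new date extends the lock before sending it. It assumes GNU date and that the S3 Compatible endpoint accepts the standard put-object-retention call; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU date and the AWS CLI.
# Function names (to_epoch, retain_until, is_extension, extend_lock) are hypothetical.

# Convert a UTC timestamp to epoch seconds.
to_epoch() { date -u -d "$1" +%s; }

# retain_until DAYS [NOW_EPOCH]: UTC timestamp DAYS days after now (or NOW_EPOCH).
retain_until() {
    now=${2:-$(date -u +%s)}
    date -u -d "@$((now + $1 * 86400))" +%Y-%m-%dT%H:%M:%SZ
}

# is_extension CURRENT NEW: succeeds only if NEW is strictly later than CURRENT.
# An unparseable date makes the comparison fail, so the caller refuses (fail closed).
is_extension() {
    [ "$(to_epoch "$2")" -gt "$(to_epoch "$1")" ]
}

# extend_lock BUCKET KEY ENDPOINT NEW_DATE
# Reads the current retain-until date and only sends a later one, because a lock
# can be extended but not shortened. Returns 2 when the new date is not later.
extend_lock() {
    bucket=$1 key=$2 endpoint=$3 new=$4
    current=$(aws s3api get-object-retention --bucket "$bucket" --key "$key" \
        --endpoint-url "$endpoint" \
        --query 'Retention.RetainUntilDate' --output text) || return 1
    if ! is_extension "$current" "$new"; then
        echo "refusing: $new is not later than current lock $current" >&2
        return 2
    fi
    aws s3api put-object-retention --bucket "$bucket" --key "$key" \
        --endpoint-url "$endpoint" \
        --retention "Mode=COMPLIANCE,RetainUntilDate=$new"
}

# Run only when called as: script <bucketname> <filename> <S3 Endpoint> <new date>
if [ "$#" -eq 4 ]; then
    extend_lock "$@"
fi
```

Because a lock that is longer than intended cannot be shortened, compute the date with retain_until and review it before calling extend_lock.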
Can I only use Object Lock with the S3 Compatibility API?
Object Lock is currently only available via the S3 Compatibility API. Support for Object Lock via the Backblaze B2 Native API will be released at a later date.
Why was Object Lock not enabled for the Backblaze B2 Native API?
The main focus of our initial implementation of Object Lock was to support Immutability in Veeam Backup & Replication. While this certainly has other use cases, it will enable users who are already familiar with the S3 API protocol to easily continue using Object Lock with B2 Cloud Storage. We are currently working on implementing the remaining two Object Lock modes (governance and legal hold) as well as support for Object Lock in the B2 Native API.