Skip to main content

What SnapLock is

Contributors netapp-lenida netapp-ahibbard netapp-thomi netapp-aherbin netapp-forry

SnapLock is a high-performance compliance solution for organizations that use WORM storage to retain files in unmodified form for regulatory and governance purposes.

SnapLock helps to prevent deletion, change, or renaming of data to meet regulations such as SEC 17a-4, HIPAA, FINRA, CFTC, and GDPR. With SnapLock, you can create special-purpose volumes in which files can be stored and committed to a non-erasable, non-writable state either for a designated retention period or indefinitely. SnapLock allows this retention to be performed at the file level through standard open file protocols such as CIFS and NFS. The supported open file protocols for SnapLock are NFS (versions 2, 3, and 4) and CIFS (SMB 1.0, 2.0, and 3.0).

Using SnapLock, you commit files and Snapshot copies to WORM storage, and set retention periods for WORM-protected data. SnapLock WORM storage uses NetApp Snapshot technology and can leverage SnapMirror replication, and SnapVault backups as the base technology for providing backup recovery protection for data. Learn more about WORM storage: Compliant WORM storage using NetApp SnapLock - TR-4526.

You can use an application to commit files to WORM over NFS or CIFS, or use the SnapLock autocommit feature to commit files to WORM automatically. You can use a WORM appendable file to retain data that is written incrementally, like log information. For more information see Use volume append mode to create WORM appendable files.

SnapLock supports data protection methods that should satisfy most compliance requirements:

  • You can use SnapLock for SnapVault to WORM-protect Snapshot copies on secondary storage. See Commit Snapshot copies to WORM.

  • You can use SnapMirror to replicate WORM files to another geographic location for disaster recovery. See Mirror WORM files.

SnapLock is a license-based feature of NetApp ONTAP. A single license entitles you to use SnapLock in strict Compliance mode, to satisfy external mandates like SEC Rule 17a-4, and a looser Enterprise mode, to meet internally mandated regulations for the protection of digital assets. SnapLock licenses are part of the ONTAP One software suite.

SnapLock is supported on all AFF and FAS systems as well as ONTAP Select. SnapLock is not a software-only solution; it is an integrated hardware and software solution. This distinction is important for strict WORM regulations such as SEC 17a-4, which requires an integrated hardware and software solution. For more information, refer to SEC Interpretation: Electronic Storage of Broker-Dealer Records.

SnapLock Compliance and Enterprise modes

SnapLock Compliance and Enterprise modes differ mainly in the level at which each mode protects WORM files:

SnapLock mode

Protection level

WORM file deleting during retention

Compliance mode

At the file level

Cannot be deleted

Enterprise mode

At the disk level

Can be deleted by the compliance administrator using an audited “privileged delete” procedure

After the retention period has elapsed, you are responsible for deleting any files you no longer need. Once a file has been committed to WORM, whether under Compliance or Enterprise mode, it cannot be modified, even after the retention period has expired.

You cannot move a WORM file during or after the retention period. You can copy a WORM file, but the copy will not retain its WORM characteristics.

The following table shows the differences in capabilities supported by SnapLock Compliance and Enterprise modes:

Capability

SnapLock Compliance

SnapLock Enterprise

Enable and delete files using privileged delete

No

Yes

Reinitialize disks

No

Yes

Destroy SnapLock aggregates and volumes during retention period

No

Yes, with the exception of the SnapLock audit log volume

Rename aggregates or volumes

No

Yes

Use non-NetApp disks

No

Use the SnapLock volume for audit logging

Yes

Yes, beginning with ONTAP 9.5

Supported and unsupported features with SnapLock

The following table shows the features that are supported with SnapLock Compliance mode, SnapLock Enterprise mode, or both:

Feature

Supported with SnapLock Compliance

Supported with SnapLock Enterprise

Consistency Groups

No

No

Encrypted volumes

Yes, beginning with ONTAP 9.2. Learn more about Encryption and SnapLock.

Yes, beginning with ONTAP 9.2. Learn more about Encryption and SnapLock.

FabricPools on SnapLock aggregates

No

Yes, beginning with ONTAP 9.8. Learn more about FabricPool on SnapLock Enterprise aggregates.

Flash Pool aggregates

Yes, beginning with ONTAP 9.1.

Yes, beginning with ONTAP 9.1.

FlexClone

You can clone SnapLock volumes, but you cannot clone files on a SnapLock volume.

You can clone SnapLock volumes, but you cannot clone files on a SnapLock volume.

FlexGroup volumes

Yes, beginning with ONTAP 9.11.1. Learn more about FlexGroup volumes.

Yes, beginning with ONTAP 9.11.1. Learn more about FlexGroup volumes.

LUNs

No. Learn more about LUN support with SnapLock.

No. Learn more about LUN support with SnapLock.

MetroCluster configurations

Yes, beginning with ONTAP 9.3. Learn more about MetroCluster support.

Yes, beginning with ONTAP 9.3. Learn more about MetroCluster support.

Multi-admin verification (MAV)

Yes, beginning with ONTAP 9.13.1. Learn more about MAV support.

Yes, beginning with ONTAP 9.13.1. Learn more about MAV support.

SAN

No

No

Single-file SnapRestore

No

Yes

SnapMirror Business Continuity

No

No

SnapRestore

No

Yes

SMTape

No

No

SnapMirror Synchronous

No

No

SSDs

Yes, beginning with ONTAP 9.1.

Yes, beginning with ONTAP 9.1.

Storage efficiency features

Yes, beginning with ONTAP 9.9.1. Learn more about storage efficiency support.

Yes, beginning with ONTAP 9.9.1. Learn more about storage efficiency support.

FabricPool on SnapLock Enterprise aggregates

FabricPools are supported on SnapLock Enterprise aggregates beginning with ONTAP 9.8. However, your account team needs to open a product variance request documenting that you understand that FabricPool data tiered to a public or private cloud is no longer protected by SnapLock because a cloud admin can delete that data.

Note

Any data that FabricPool tiers to a public or private cloud is no longer protected by SnapLock because that data can be deleted by a cloud administrator.

FlexGroup volumes

SnapLock supports FlexGroup volumes beginning with ONTAP 9.11.1; however, the following features are not supported:

  • Legal-hold

  • Event-based retention

  • SnapLock for SnapVault (supported beginning with ONTAP 9.12.1)

You should also be aware of the following behaviors:

  • The volume compliance clock (VCC) of a FlexGroup volume is determined by the VCC of the root constituent. All non-root constituents will have their VCC closely synced to the root VCC.

  • SnapLock configuration properties are set only on the FlexGroup as a whole. Individual constituents cannot have different configuration properties, such as default retention time and autocommit period.

LUN support

LUNs are supported in SnapLock volumes only in scenarios where Snapshot copies created on a non-SnapLock volume are transferred to a SnapLock volume for protection as part of SnapLock vault relationship. LUNs are not supported in read/write SnapLock volumes. Tamperproof Snapshot copies however are supported on both SnapMirror source volumes and destination volumes that contain LUNs.

MetroCluster support

SnapLock support in MetroCluster configurations differs between SnapLock Compliance mode and SnapLock Enterprise mode.

SnapLock Compliance
  • Beginning with ONTAP 9.3, SnapLock Compliance is supported on unmirrored MetroCluster aggregates.

  • Beginning with ONTAP 9.3, SnapLock Compliance is supported on mirrored aggregates, but only if the aggregate is used to host SnapLock audit log volumes.

  • SVM-specific SnapLock configurations can be replicated to primary and secondary sites using MetroCluster.

SnapLock Enterprise
  • Beginning with ONTAP 9, SnapLock Enterprise aggregates are supported.

  • Beginning with ONTAP 9.3, SnapLock Enterprise aggregates with privileged delete are supported.

  • SVM-specific SnapLock configurations can be replicated to both sites using MetroCluster.

MetroCluster configurations and compliance clocks

MetroCluster configurations use two compliance clock mechanisms, the Volume Compliance Clock (VCC) and the System Compliance Clock (SCC). The VCC and SCC are available to all SnapLock configurations. When you create a new volume on a node, its VCC is initialized with the current value of the SCC on that node. After the volume is created, the volume and file retention time is always tracked with the VCC.

When a volume is replicated to another site, its VCC is also replicated. When a volume switchover occurs, from Site A to Site B, for example, the VCC continues to be updated on Site B while the SCC on Site A halts when Site A goes offline.

When Site A is brought back online and the volume switchback is performed, the Site A SCC clock restarts while the VCC of the volume continues to be updated. Because the VCC is continuously updated, regardless of switchover and switchback operations, the file retention times do not depend on SCC clocks and do not stretch.

Multi-admin verification (MAV) support

Beginning with ONTAP 9.13.1, a cluster administrator can explicitly enable multi-admin verification on a cluster to require quorum approval before some SnapLock operations are executed. When MAV is enabled, SnapLock volume properties such as default-retention-time, minimum-retention-time, maximum-retention-time, volume-append-mode, autocommit-period and privileged-delete will require quorum approval. Learn more about MAV.

Storage efficiency

Beginning with ONTAP 9.9.1, SnapLock supports storage efficiency features, such as data compaction, cross-volume-deduplication, and adaptive compression for SnapLock volumes and aggregates. For more information about storage efficiency, see Logical storage management overview with the CLI.

Encryption

ONTAP offers both software- and hardware-based encryption technologies for ensuring that data at rest cannot be read if the storage medium is repurposed, returned, misplaced, or stolen.

Disclaimer: NetApp cannot guarantee that SnapLock-protected WORM files on self-encrypting drives or volumes will be retrievable if the authentication key is lost or if the number of failed authentication attempts exceeds the specified limit and results in the drive being permanently locked. You are responsible for ensuring against authentication failures.

Note

Beginning with ONTAP 9.2, encrypted volumes are supported on SnapLock aggregates.

7-Mode Transition

You can migrate SnapLock volumes from 7-Mode to ONTAP by using the Copy-Based Transition (CBT) feature of the 7-Mode Transition Tool. The SnapLock mode of the destination volume, Compliance or Enterprise, must match the SnapLock mode of the source volume. You cannot use Copy-Free Transition (CFT) to migrate SnapLock volumes.