Skip to main content

Lock a snapshot for protection against ransomware attacks

Contributors netapp-lenida netapp-aaron-holt netapp-dbagwell johnlantz netapp-ahibbard netapp-mwallis netapp-aherbin

Beginning with ONTAP 9.12.1, you can lock a snapshot on a non-SnapLock volume to provide protection from ransomware attacks. Locking snapshots ensures that they can't be deleted accidentally or maliciously.

You use the SnapLock compliance clock feature to lock snapshots for a specified period so that they cannot be deleted until the expiration time is reached. Locking snapshots makes them tamperproof, protecting them from ransomware threats. You can use locked snapshots to recover data if a volume is compromised by a ransomware attack.

Beginning with ONTAP 9.14.1, snapshot locking supports long-term retention snapshots on SnapLock vault destinations and on non-SnapLock SnapMirror destination volumes. Snapshot locking is enabled by setting the retention period using SnapMirror policy rules associated with an existing policy label. The rule overrides the default retention period set on the volume. If there is no retention period associated with the SnapMirror label, the default retention period of the volume is used.

Tamperproof snapshot requirements and considerations
  • If you are using the ONTAP CLI, all nodes in the cluster must be running ONTAP 9.12.1 or later. If you are using System Manager, all nodes must be running ONTAP 9.13.1 or later.

  • The SnapLock license must be installed on the cluster. This license is included in ONTAP One.

  • The compliance clock on the cluster must be initialized.

  • When snapshot locking is enabled on a volume, you can upgrade the clusters to a version of ONTAP later than ONTAP 9.12.1; however, you cannot revert to an earlier version of ONTAP until all locked snapshots have reached their expiration date and are deleted and snapshot locking is disabled.

  • When a snapshot is locked, the volume expiry time is set to the expiry time of the snapshot. If more than one snapshot is locked, the volume expiry time reflects the largest expiry time among all snapshots.

  • The retention period for locked snapshots takes precedence over the snapshot keep count, which means the keep count limit is not honored if the snapshot retention period for locked snapshots has not expired.

  • In a SnapMirror relationship, you can set a retention period on a mirror-vault policy rule, and the retention period is applied for snapshots replicated to the destination if the destination volume has snapshot locking enabled. The retention period takes precedence over keep count; for example, snapshots that have not passed their expiry will be retained even if the keep count is exceeded.

  • You can rename a snapshot on a non-SnapLock volume. Snapshot rename operations on the primary volume of a SnapMirror relationship are reflected on the secondary volume only if the policy is MirrorAllSnapshots. For other policy types, the renamed snapshot is not propagated during updates.

  • If you are using the ONTAP CLI, you can restore a locked snapshot with the volume snapshot restore command only if the locked snapshot is the most recent. If there are any unexpired snapshots later than the one being restored, the snapshot restore operation fails.

Features supported with tamperproof snapshots
  • Cloud Volumes ONTAP

  • FlexGroup volumes

    Snapshot locking is supported on FlexGroup volumes. Snapshot locking occurs only on the root constituent snapshot. Deleting the FlexGroup volume is allowed only if the root constituent expiration time has passed.

  • FlexVol to FlexGroup conversion

    You can convert a FlexVol volume with locked snapshots to a FlexGroup volume. Snapshots remain locked after the conversion.

  • SnapMirror asynchronous

    The compliance clock must be initialized on both the source and destination.

  • SVM DR

    The compliance clock must be initialized on both the source and destination.

  • Volume clone and file clone

    You can create volume clones and file clones from a locked snapshot.

Unsupported features

The following features currently are not supported with tamperproof snapshots:

  • Consistency groups

  • FabricPool

    Tamperproof snapshots provide immutable protections that cannot be deleted. Because FabricPool requires the ability to delete data, FabricPool and snapshot locks cannot be enabled on the same volume.

  • FlexCache volumes

  • SMtape

  • SnapMirror active sync

  • SnapMirror policy rules using the -schedule parameter

  • SnapMirror synchronous

  • SVM data mobility (used for migrating or relocating an SVM from a source cluster to a destination cluster)

Enable snapshot locking when creating a volume

Beginning with ONTAP 9.12.1, you can enable snapshot locking when you create a new volume or when you modify an existing volume by using the -snapshot-locking-enabled option with the volume create and volume modify commands in the CLI. Beginning with ONTAP 9.13.1, you can use System Manager to enable snapshot locking.

System Manager
  1. Navigate to Storage > Volumes and select Add.

  2. In the Add Volume window, choose More Options.

  3. Enter the volume name, size, export policy and share name.

  4. Select Enable Snapshot locking. This selection is not displayed if the SnapLock license is not installed.

  5. If it is not already enabled, select Initialize SnapLock Compliance Clock.

  6. Save your changes.

  7. In the Volumes window, select the volume you updated and choose Overview.

  8. Verify that SnapLock Snapshot Locking displays as Enabled.

CLI
  1. To create a new volume and enable snapshot locking, enter the following command:

    volume create -vserver <vserver_name> -volume <volume_name> -snapshot-locking-enabled true

    The following command enables snapshot locking on a new volume named vol1:

    > volume create -volume vol1 -aggregate aggr1 -size 100m -snapshot-locking-enabled true
    Warning: snapshot locking is being enabled on volume “vol1” in Vserver “vs1”. It cannot be disabled until all locked snapshots are past their expiry time. A volume with unexpired locked snapshots cannot be deleted.
    Do you want to continue: {yes|no}: y
    [Job 32] Job succeeded: Successful

Enable snapshot locking on an existing volume

Beginning with ONTAP 9.12.1, you can enable snapshot locking on an existing volume using the ONTAP CLI. Beginning with ONTAP 9.13.1, you can use System Manager to enable snapshot locking on an existing volume.

System Manager
  1. Navigate to Storage > Volumes.

  2. Select Menu options icon and choose Edit > Volume.

  3. In the Edit Volume window, locate the Snapshots (Local) Settings section and select Enable snapshot locking.

    This selection is not displayed if the SnapLock license is not installed.

  4. If it is not already enabled, select Initialize SnapLock Compliance Clock.

  5. Save your changes.

  6. In the Volumes window, select the volume you updated and choose Overview.

  7. Verify that SnapLock snapshot locking displays as Enabled.

CLI
  1. To modify an existing volume to enable snapshot locking, enter the following command:

    volume modify -vserver <vserver_name> -volume <volume_name> -snapshot-locking-enabled true

Create a locked snapshot policy and apply retention

Beginning with ONTAP 9.12.1, you can create snapshot policies to apply a snapshot retention period and apply the policy to a volume to lock snapshots for the specified period. You can also lock a snapshot by manually setting a retention period. Beginning with ONTAP 9.13.1, you can use System Manager to create snapshot locking policies and apply them to a volume.

Create a snapshot locking policy

System Manager
  1. Navigate to Storage > Storage VMs and select a storage VM.

  2. Select Settings.

  3. Locate Snapshot Policies and select Arrow icon.

  4. In the Add Snapshot Policy window, enter the policy name.

  5. Select Add icon.

  6. Provide the snapshot schedule details, including the schedule name, maximum snapshots to keep, and SnapLock retention period.

  7. In the SnapLock Retention Period column, enter the number of hours, days, months or years to retain the snapshots. For example, a snapshot policy with a retention period of 5 days locks a snapshot for 5 days from the time it is created, and it cannot be deleted during that time. The following retention period ranges are supported:

    • Years: 0 - 100

    • Months: 0 - 1200

    • Days: 0 - 36500

    • Hours: 0 - 24

  8. Save your changes.

CLI
  1. To create a snapshot policy, enter the following command:

    volume snapshot policy create -policy <policy_name> -enabled true -schedule1 <schedule1_name> -count1 <maximum snapshots> -retention-period1 <retention_period>

    The following command creates a snapshot locking policy:

    cluster1> volume snapshot policy create -policy lock_policy -enabled true -schedule1 hourly -count1 24 -retention-period1 "1 days"

    A snapshot is not replaced if it is under active retention; that is, the retention count will not be honored if there are locked snapshots that have not yet expired.

Apply a locking policy to a volume

System Manager
  1. Navigate to Storage > Volumes.

  2. Select Menu options icon and choose Edit > Volume.

  3. In the Edit Volume window, select Schedule snapshots.

  4. Select the locking snapshot policy from the list.

  5. If snapshot locking is not already enabled, select Enable snapshot locking.

  6. Save your changes.

CLI
  1. To apply a snapshot locking policy to an existing volume, enter the following command:

    volume modify -volume <volume_name> -vserver <vserver_name> -snapshot-policy <policy_name>

Apply retention period during manual snapshot creation

You can apply a snapshot retention period when you manually create a snapshot. Snapshot locking must be enabled on the volume; otherwise, the retention period setting is ignored.

System Manager
  1. Navigate to Storage > Volumes and select a volume.

  2. In the volume details page, select the Snapshots tab.

  3. Select Add icon.

  4. Enter the snapshot name and the SnapLock expiration time. You can select the calendar to choose the retention expiration date and time.

  5. Save your changes.

  6. In the Volumes > Snapshots page, select Show/Hide and choose SnapLock Expiration Time to display the SnapLock Expiration Time column and verify that the retention time is set.

CLI
  1. To create a snapshot manually and apply a locking retention period, enter the following command:

    volume snapshot create -volume <volume_name> -snapshot <snapshot name> -snaplock-expiry-time <expiration_date_time>

    The following command creates a new snapshot and sets the retention period:

    cluster1> volume snapshot create -vserver vs1 -volume vol1 -snapshot snap1 -snaplock-expiry-time "11/10/2022 09:00:00"

Apply retention period to an existing snapshot

System Manager
  1. Navigate to Storage > Volumes and select a volume.

  2. In the volume details page, select the Snapshots tab.

  3. Select the snapshot, select Menu options icon, and choose Modify SnapLock Expiration Time. You can select the calendar to choose the retention expiration date and time.

  4. Save your changes.

  5. In the Volumes > Snapshots page, select Show/Hide and choose SnapLock Expiration Time to display the SnapLock Expiration Time column and verify that the retention time is set.

CLI
  1. To manually apply a retention period to an existing snapshot, enter the following command:

    volume snapshot modify-snaplock-expiry-time -volume <volume_name> -snapshot <snapshot name> -snaplock-expiry-time <expiration_date_time>

    The following example applies a retention period to an existing snapshot:

    cluster1> volume snapshot modify-snaplock-expiry-time -volume vol1 -snapshot snap2 -snaplock-expiry-time "11/10/2022 09:00:00"

Modify an existing policy to apply long-term retention

In a SnapMirror relationship, you can set a retention period on a mirror-vault policy rule, and the retention period is applied for snapshots replicated to the destination if the destination volume has snapshot locking enabled. The retention period takes precedence over keep count; for example, snapshots that have not passed their expiry will be retained even if the keep count is exceeded.

Beginning with ONTAP 9.14.1, you can modify an existing SnapMirror policy by adding a rule to set long-term retention of snapshots. The rule is used to override the default volume retention period on SnapLock vault destinations and on non-SnapLock SnapMirror destination volumes.

  1. Add a rule to an existing SnapMirror policy:

    snapmirror policy add-rule -vserver <SVM name> -policy <policy name> -snapmirror-label <label name> -keep <number of snapshots> -retention-period [<integer> days|months|years]

    The following example creates a rule that applies a retention period of 6 months to the existing policy called "lockvault":

    snapmirror policy add-rule -vserver vs1 -policy lockvault -snapmirror-label test1 -keep 10 -retention-period "6 months"