Skip to main content

Lock a Snapshot copy for protection against ransomware attacks

Contributors netapp-lenida netapp-dbagwell netapp-ahibbard netapp-aherbin netapp-aaron-holt netapp-mwallis

Beginning with ONTAP 9.12.1, you can lock a Snapshot copy on a non-SnapLock volume to provide protection from ransomware attacks. Locking Snapshot copies ensures that they can't be deleted accidentally or maliciously.

You use the SnapLock compliance clock feature to lock Snapshot copies for a specified period so that they cannot be deleted until the expiration time is reached. Locking Snapshot copies makes them tamperproof, protecting them from ransomware threats. You can use locked Snapshot copies to recover data if a volume is compromised by a ransomware attack.

Beginning with ONTAP 9.14.1, Snapshot copy locking supports long-term retention Snapshot copies on SnapLock vault destinations and on non-SnapLock SnapMirror destination volumes. Snapshot copy locking is enabled by setting the retention period using SnapMirror policy rules associated with an existing policy label. The rule overrides the default retention period set on the volume. If there is no retention period associated with the SnapMirror label, the default retention period of the volume is used.

Tamperproof Snapshot copy requirements and considerations
  • If you are using the ONTAP CLI, all nodes in the cluster must be running ONTAP 9.12.1 or later. If you are using System Manager, all nodes must be running ONTAP 9.13.1 or later.

  • The SnapLock license must be installed on the cluster. This license is included in ONTAP One.

  • The compliance clock on the cluster must be initialized.

  • When Snapshot locking is enabled on a volume, you can upgrade the clusters to a version of ONTAP later than ONTAP 9.12.1; however, you cannot revert to an earlier version of ONTAP until all locked Snapshot copies have reached their expiration date and are deleted and Snapshot copy locking is disabled.

  • When a Snapshot is locked, the volume expiry time is set to the expiry time of the Snapshot copy. If more than one Snapshot copy is locked, the volume expiry time reflects the largest expiry time among all Snapshot copies.

  • The retention period for locked Snapshot copies takes precedence over the Snapshot copy keep count, which means the keep count limit is not honored if the Snapshot copy retention period for locked Snapshot copies has not expired.

  • In a SnapMirror relationship, you can set a retention period on a mirror-vault policy rule, and the retention period is applied for Snapshot copies replicated to the destination if the destination volume has Snapshot copy locking enabled. The retention period takes precedence over keep count; for example, Snapshot copies that have not passed their expiry will be retained even if the keep count is exceeded.

  • You can rename a Snapshot copy on a non-SnapLock volume. Snapshot rename operations on the primary volume of a SnapMirror relationship are reflected on the secondary volume only if the policy is MirrorAllSnapshots. For other policy types, the renamed Snapshot copy is not propagated during updates.

  • If you are using the ONTAP CLI, you can restore a locked Snapshot copy with the volume snapshot restore command only if the locked Snapshot copy is the most recent. If there are any unexpired Snapshot copies later than the one being restored, the Snapshot copy restore operation fails.

Features supported with tamperproof Snapshot copies
  • Cloud Volumes ONTAP

  • FlexGroup volumes

    Snapshot copy locking is supported on FlexGroup volumes. Snapshot locking occurs only on the root constituent Snapshot copy. Deleting the FlexGroup volume is allowed only if the root constituent expiration time has passed.

  • FlexVol to FlexGroup conversion

    You can convert a FlexVol volume with locked Snapshot copies to a FlexGroup volume. Snapshot copies remain locked after the conversion.

  • Volume clone and file clone

    You can create volume clones and file clones from a locked Snapshot copy.

Unsupported features

The following features currently are not supported with tamperproof Snapshot copies:

  • Consistency groups

  • FabricPool

  • FlexCache volumes

  • SMtape

  • SnapMirror active sync

  • SnapMirror policy rules using the -schedule parameter

  • SnapMirror synchronous

  • SVM data mobility (used for migrating or relocating an SVM from a source cluster to a destination cluster)

Enable Snapshot copy locking when creating a volume

Beginning with ONTAP 9.12.1, you can enable Snapshot copy locking when you create a new volume or when you modify an existing volume by using the -snapshot-locking-enabled option with the volume create and volume modify commands in the CLI. Beginning with ONTAP 9.13.1, you can use System Manager to enable Snapshot copy locking.

System Manager
  1. Navigate to Storage > Volumes and select Add.

  2. In the Add Volume window, choose More Options.

  3. Enter the volume name, size, export policy and share name.

  4. Select Enable Snapshot locking. This selection is not displayed if the SnapLock license is not installed.

  5. If it is not already enabled, select Initialize SnapLock Compliance Clock.

  6. Save your changes.

  7. In the Volumes window, select the volume you updated and choose Overview.

  8. Verify that SnapLock Snapshot Copy Locking displays as Enabled.

CLI
  1. To create a new volume and enable Snapshot copy locking, enter the following command:

    volume create -vserver vserver_name -volume volume_name -snapshot-locking-enabled true

    The following command enables Snapshot copy locking on a new volume named vol1:

    > volume create -volume vol1 -aggregate aggr1 -size 100m -snapshot-locking-enabled true
    Warning: Snapshot copy locking is being enabled on volume “vol1” in Vserver “vs1”. It cannot be disabled until all locked Snapshot copies are past their expiry time. A volume with unexpired locked Snapshot copies cannot be deleted.
    Do you want to continue: {yes|no}: y
    [Job 32] Job succeeded: Successful

Enable Snapshot copy locking on an existing volume

Beginning with ONTAP 9.12.1, you can enable Snapshot copy locking on an existing volume using the ONTAP CLI. Beginning with ONTAP 9.13.1, you can use System Manager to enable Snapshot copy locking on an existing volume.

System Manager
  1. Navigate to Storage > Volumes.

  2. Select Menu options icon and choose Edit > Volume.

  3. In the Edit Volume window, locate the Snapshot Copies (Local) Settings section and select Enable Snapshot locking.

    This selection is not displayed if the SnapLock license is not installed.

  4. If it is not already enabled, select Initialize SnapLock Compliance Clock.

  5. Save your changes.

  6. In the Volumes window, select the volume you updated and choose Overview.

  7. Verify that SnapLock Snapshot Copy Locking displays as Enabled.

CLI
  1. To modify an existing volume to enable Snapshot copy locking, enter the following command:

    volume modify -vserver vserver_name -volume volume_name -snapshot-locking-enabled true

Create a locked Snapshot copy policy and apply retention

Beginning with ONTAP 9.12.1, you can create Snapshot copy policies to apply a Snapshot copy retention period and apply the policy to a volume to lock Snapshot copies for the specified period. You can also lock a Snapshot copy by manually setting a retention period. Beginning with ONTAP 9.13.1, you can use System Manager to create Snapshot copy locking policies and apply them to a volume.

Create a Snapshot copy locking policy

System Manager
  1. Navigate to Storage > Storage VMs and select a storage VM.

  2. Select Settings.

  3. Locate Snapshot Policies and select Arrow icon.

  4. In the Add Snapshot Policy window, enter the policy name.

  5. Select Add icon.

  6. Provide the Snapshot copy schedule details, including the schedule name, maximum Snapshot copies to keep, and SnapLock retention period.

  7. In the SnapLock Retention Period column, enter the number of hours, days, months or years to retain the Snapshot copies. For example, a Snapshot copy policy with a retention period of 5 days locks a Snapshot copy for 5 days from the time it is created, and it cannot be deleted during that time. The following retention period ranges are supported:

    • Years: 0 - 100

    • Months: 0 - 1200

    • Days: 0 - 36500

    • Hours: 0 - 24

  8. Save your changes.

CLI
  1. To create a Snapshot copy policy, enter the following command:

    volume snapshot policy create -policy policy_name -enabled true -schedule1 schedule1_name -count1 maximum_Snapshot_copies -retention-period1 _retention_period

    The following command creates a Snapshot copy locking policy:

    cluster1> volume snapshot policy create -policy policy_name -enabled true -schedule1 hourly -count1 24 -retention-period1 "1 days"

    A Snapshot copy is not replaced if it is under active retention; that is, the retention count will not be honored if there are locked Snapshot copies that have not yet expired.

Apply a locking policy to a volume

System Manager
  1. Navigate to Storage > Volumes.

  2. Select Menu options icon and choose Edit > Volume.

  3. In the Edit Volume window, select Schedule Snapshot copies.

  4. Select the locking Snapshot copy policy from the list.

  5. If Snapshot copy locking is not already enabled, select Enable Snapshot locking.

  6. Save your changes.

CLI
  1. To apply a Snapshot copy locking policy to an existing volume, enter the following command:

    volume modify -volume volume_name -vserver vserver_name -snapshot-policy policy_name

Apply retention period during manual Snapshot copy creation

You can apply a Snapshot copy retention period when you manually create a Snapshot copy. Snapshot copy locking must be enabled on the volume; otherwise, the retention period setting is ignored.

System Manager
  1. Navigate to Storage > Volumes and select a volume.

  2. In the volume details page, select the Snapshot copies tab.

  3. Select Add icon.

  4. Enter the Snapshot copy name and the SnapLock expiration time. You can select the calendar to choose the retention expiration date and time.

  5. Save your changes.

  6. In the Volumes > Snapshot Copies page, select Show/Hide and choose SnapLock Expiration Time to display the SnapLock Expiration Time column and verify that the retention time is set.

CLI
  1. To create a Snapshot copy manually and apply a locking retention period, enter the following command:

    volume snapshot create -volume volume_name -snapshot snapshot_copy_name -snaplock-expiry-time expiration_date_time

    The following command creates a new Snapshot copy and sets the retention period:

    cluster1> volume snapshot create -vserver vs1 -volume vol1 -snapshot snap1 -snaplock-expiry-time "11/10/2022 09:00:00"

Apply retention period to an existing Snapshot copy

System Manager
  1. Navigate to Storage > Volumes and select a volume.

  2. In the volume details page, select the Snapshot copies tab.

  3. Select the Snapshot copy, select Menu options icon, and choose Modify SnapLock Expiration Time. You can select the calendar to choose the retention expiration date and time.

  4. Save your changes.

  5. In the Volumes > Snapshot Copies page, select Show/Hide and choose SnapLock Expiration Time to display the SnapLock Expiration Time column and verify that the retention time is set.

CLI
  1. To manually apply a retention period to an existing Snapshot copy, enter the following command:

    volume snapshot modify-snaplock-expiry-time -volume volume_name -snapshot snapshot_copy_name -expiry-time expiration_date_time

    The following example applies a retention period to an existing Snapshot copy:

    cluster1> volume snapshot modify-snaplock-expiry-time -volume vol1 -snapshot snap2 -expiry-time "11/10/2022 09:00:00"

Modify an existing policy to apply long-term retention

In a SnapMirror relationship, you can set a retention period on a mirror-vault policy rule, and the retention period is applied for Snapshot copies replicated to the destination if the destination volume has Snapshot copy locking enabled. The retention period takes precedence over keep count; for example, Snapshot copies that have not passed their expiry will be retained even if the keep count is exceeded.

Beginning with ONTAP 9.14.1, you can modify an existing SnapMirror policy by adding a rule to set long-term retention of Snapshot copies. The rule is used to override the default volume retention period on SnapLock vault destinations and on non-SnapLock SnapMirror destination volumes.

  1. Add a rule to an existing SnapMirror policy:

    snapmirror policy add-rule -vserver <SVM name> -policy <policy name> -snapmirror-label <label name> -keep <number of Snapshot copies> -retention-period [<integer> days|months|years]

    The following example creates a rule that applies a retention period of 6 months to the existing policy called "lockvault":

    snapmirror policy add-rule -vserver vs1 -policy lockvault -snapmirror-label test1 -keep 10 -retention-period "6 months"