Object locking¶

Object locking concept¶

Object storage is often used in use-cases where objects gets stored once and read many times. The objects saved are seldom, if ever, updated but should remain available and protected against accidental or malicious deletions.

To guarantee that an object is not accidentally or intentionally deleted, enable locking. When setting up locking, it becomes impossible, even for a cloud operator, to delete the object.

Combined with the high availability and data durability of the object storage platform, this adds an extra layer of data security in the platform.

Using object locking¶

To create a bucket with support for locking.

• Run this command to create the bucket: aws --endpoint=https://object-eu-se-1a.binero.cloud s3api create-bucket --bucket [BUCKET_NAME] --create-bucket-configuration LocationConstraint=europe-se-1:gp.recurring --object-lock-enabled-for-bucket

• Select either COMPLIANCE or GOVERNANCE as retention mode. COMPLIANCE will enforce the settings for all users (also administrators), GOVERNANCE will allow users with privileges to remove objects or change the retention days.

• Run this command to setup locking on the bucket: aws --endpoint=https://object-eu-se-1a.binero.cloud s3api put-object-lock-configuration --bucket [BUCKET_NAME] --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 1 }}}'

Objects are now protected according to the policy and days chosen. See the versioning documentation on how it’s enforced with versions.