commvault.com commvault.com
Solved

Enabling WORM copy with built-in WORM Storage

  • 4 April 2022
  • 5 replies
  • 4032 views
C
Userlevel 3
Badge +12

Hi Guys,

 

As we are preparing to create a replicated data to a new DR site, using DASH copies to get the best performance possible, we also thought about harden the data sent there with the use of WORM.

 

We already know that CV has its own WORM property, and actually, the storage that we have in the DR (Huawei Oceanstore 100D) has its own built-in WORM protection.

My question is, can the activation of WORM be made on both sides (CV + Storage) without issues ? Or, should it be one side only ?

 

Thanks guys.

icon

Best answer by Niall 4 April 2022, 11:10

View original
If you have a question or comment, please create a topic

5 replies

Niall
Rank
Userlevel 3
Badge +8

Hi

If you are going to enable WORM at a hardware level, I would always recommend that the Commvault WORM feature be enabled on the Storage Policy Copy too, this way you avoid the situation where a job has ‘aged’ from the Commserve database but remains on the disk or cloud library. 

The process is documented here: 

https://documentation.commvault.com/11.26/expert/9251_configuring_worm_storage_mode_on_cloud_storage.html

HTH

Niall

 

N
Rank
Badge +3

We are leaning towards turning it on only on the Commvault side. What are the benefits of turning it on on both sides? Thanks

Niall
Rank
Userlevel 3
Badge +8

Hi Nick

Commvault WORM prevents deletion from within the application.

Hardware, or cloud based WORM, offers protection at a layer below the filesystem hosting the backups. 

Two points to consider - 

  1. The Commvault “Ransomware Protection” feature can be configured to offer protection at the filesystem level using a combination of selinux or a filter driver coupled with filesystem permissions to protect disk libraries outside of the application.
  2. Hardware/Cloud based WORM when used in conjunction with deduplication requires that the dedupe DDBs be periodically sealed resulting in new baselines being written out and thus greater storage utilisation.

It should also be noted that in the context of this conversation WORM is really just a time lock defined on storage vendors user interface. 

HTH

Niall

 

N
Rank
Badge +3

We have Commvault’s ransomware protection enabled on all of our mediaagents. Is there any other benefit in only enabling worm protection within Commvault other than preventing a Commvault user with the correct permissions from deleting any backups before they have aged? Would Commvault micro pruning still work if the backend storage supported it and only worm protection was turned on at the Commvault level?

Does Commvault have any consolidated documentation that compares having only hardware/cloud worm turned on, having only Commvault worm turned on or having both turned on? Maybe this would help us understand your first comment on recommending that both be enabled so “this way you avoid the situation where a job has ‘aged’ from the Commserve database but remains on the disk or cloud library.” .

Thanks

Niall
Rank
Userlevel 3
Badge +8

Hi Nick, 

With WORM enabled on a Storage Policy copy, the retention can only be increased [and not decreased] as well as the prevention of job or copy deletion. And yes micro pruning still works if supported by the back end storage.

I did look to see if we had any white papers specific to WORM and didn't find any. The point I was trying to make earlier was that if you use ‘hardware’ WORM functionality to protect the data on the disk library then you should really protect the jobs in the Commserve database too [with the Commvault Application WORM capability]. 

HTH

Niall

Terms & ConditionsCookie settings