We are evaluating ways to strengthen our backup infrastructure against ransomware and improve immutability. Below is our current environment setup:Infrastructure Setup CommServe + Media Agent Backup Targets: Primary: Dell EMC Data Domain ( No dedup) Secondary: Auxiliary copy to Azure Blob (Cool ) (De-Dup) Policies: Policy A: 35 days basic retention Policy B: 35 days basic retention + extended retention (Monthly – 365 days, Yearly – 15 months) Exploring Areas for Ransomware ProtectionOn Data Domain to enable immutability. Compliance lock on storage policy copies Within Commvault Has anyone implemented Commvault compliance lock along with DD Retention Lock. if yes what are the recommendations. Appreciate your insights, especially around practical challenges

Hi @syedameerdxcCompliance Lock in Commvault can be used with deduplication-enabled storage pools. When Compliance Lock is enabled, it enforces retention policies at the storage pool level, ensuring that data cannot be deleted or have its retention reduced, even in deduplication environments.This provides software-level immutability, protecting data against unauthorized deletion or modification within the Commvault interface.Key points regarding Compliance Lock with deduplication:Retention Enforcement:Once Compliance Lock is enabled, retention settings on dependent copies cannot be lowered. This applies to all dependent copies in the storage pool, including those using deduplication.Deduplication Database (DDB) Sealing:In deduplication environments, the DDB becomes immutable upon sealing. Compliance Lock ensures that objects within the DDB remain protected until the DDB is eligible for aging and pruning, based on the retention settings.Irreversibility:Once enabled, Compliance Lock cannot be disabled, and retention cannot be decreased on WORM storage lock enabled copies, which also applies to deduplication-enabled storage pools.Scope:Compliance Lock is supported for all cloud storage vendors and agents, and works in tandem with WORM Storage Lock for enhanced data immutability, especially in environments that support object-level locking.https://documentation.commvault.com/11.40/commcell-console/configuring_compliance_lock.html

Question

Compliance Lock on Commvault with Immutablity on Data Domain

Forum|Forum|3 months ago
September 3, 2025
4 replies
154 views

S

+1

syedameerdxc
Byte

We are evaluating ways to strengthen our backup infrastructure against ransomware and improve immutability. Below is our current environment setup:

Infrastructure Setup

CommServe + Media Agent
Backup Targets:
- Primary: Dell EMC Data Domain ( No dedup)
- Secondary: Auxiliary copy to Azure Blob (Cool ) (De-Dup)
Policies:
- Policy A: 35 days basic retention
- Policy B: 35 days basic retention + extended retention (Monthly – 365 days, Yearly – 15 months)

Exploring Areas for Ransomware Protection

On Data Domain to enable immutability.
Compliance lock on storage policy copies Within Commvault
Has anyone implemented Commvault compliance lock along with DD Retention Lock. if yes what are the recommendations.

Appreciate your insights, especially around practical challenges

P

+12

Pradeep
Vaulter
Forum|Forum|3 months ago
September 4, 2025

Hi @syedameerdxc

Compliance Lock in Commvault can be used with deduplication-enabled storage pools. When Compliance Lock is enabled, it enforces retention policies at the storage pool level, ensuring that data cannot be deleted or have its retention reduced, even in deduplication environments.

This provides software-level immutability, protecting data against unauthorized deletion or modification within the Commvault interface.

Key points regarding Compliance Lock with deduplication:

Retention Enforcement: Once Compliance Lock is enabled, retention settings on dependent copies cannot be lowered. This applies to all dependent copies in the storage pool, including those using deduplication.
Deduplication Database (DDB) Sealing: In deduplication environments, the DDB becomes immutable upon sealing. Compliance Lock ensures that objects within the DDB remain protected until the DDB is eligible for aging and pruning, based on the retention settings.
Irreversibility: Once enabled, Compliance Lock cannot be disabled, and retention cannot be decreased on WORM storage lock enabled copies, which also applies to deduplication-enabled storage pools.
Scope: Compliance Lock is supported for all cloud storage vendors and agents, and works in tandem with WORM Storage Lock for enhanced data immutability, especially in environments that support object-level locking.

https://documentation.commvault.com/11.40/commcell-console/configuring_compliance_lock.html

Like

A

+8

Abhishek Narulkar
Vaulter
Forum|Forum|3 months ago
September 4, 2025

Hi @syedameerdxc Yes, you can enable WORM storage lock with DD.

You have to configured the retention-lock feature on Datadomain and activate the WORM Storage Lock on Commvault through the CommandCenter

Please follow

https://documentation.commvault.com/11.40/software/configuring_worm_storage_lock_01.html

Like

S

+1

syedameerdxc
Author
Byte
Forum|Forum|2 months ago
September 19, 2025

@Abhishek Narulkar what should be retention setting on DD (no of days) and on Commvault WORM lock. Should be same ? What is recommended? DD retetnion should be less compared to Commvault WORM lock retention?

Like

+17

Jos Meijer
Commvault Certified Expert
Forum|Forum|2 months ago
September 19, 2025

Both should be the same. If not, you may encounter some strange alignments. For example, either DD is retaining the data longer while Commvault wants to age it, or DD is unlocking the data while Commvault still has an active retention.

Like

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded