Add an Object Lock-Enabled S3 Backup Location
This section explains how to add an object lock-enabled S3-compatible backup location in Portworx Backup. This procedure applies to S3-compatible object storage providers that support the S3 Object Lock API. For a list of supported providers, see the Backup Location Support Matrix.
For information about configuring FlashBlade-based backup locations, see Add FlashBlade Backup Location.
Prerequisites
Before adding an object lock-enabled backup location, ensure the following:
- S3 bucket with Object Lock enabled: Object Lock must be enabled at bucket creation time in the S3 provider — it cannot be enabled on an existing bucket. The bucket must have a default retention mode (Compliance or Governance) and retention period configured.
- Cloud account: A cloud account for the S3 provider must already be configured in Portworx Backup. For more information, see Add cloud credentials.
- S3 Lifecycle Management (LCM) policy: Configure an LCM policy on the bucket with rules to expire noncurrent object versions and delete expired object delete markers. Without this, noncurrent versions and delete markers accumulate indefinitely, even after Portworx Backup removes the backup entry. For more information, see Managing your storage lifecycle.
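The bucket prerequisites above can be checked before the backup location is added. The following is an added example, not Portworx Backup code: it assumes the bucket's settings have already been fetched as dicts shaped like the S3 GetObjectLockConfiguration and GetBucketLifecycleConfiguration responses, and that the caller passes None when the provider reports no configuration. The function name and sample values are hypothetical.

```python
# Added example: offline pre-flight check of the bucket prerequisites.
# Inputs are dicts shaped like the S3 GetObjectLockConfiguration and
# GetBucketLifecycleConfiguration responses; fetching them is up to the caller.

def check_prerequisites(lock_resp, lifecycle_resp):
    """Return a list of unmet prerequisites (an empty list means all are met)."""
    problems = []

    lock = (lock_resp or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled on the bucket")
    default = lock.get("Rule", {}).get("DefaultRetention", {})
    if default.get("Mode") not in ("COMPLIANCE", "GOVERNANCE"):
        problems.append("no default retention mode (Compliance or Governance)")
    if not (default.get("Days") or default.get("Years")):
        problems.append("no default retention period")

    # Only enabled rules count; a disabled rule never expires anything.
    rules = [r for r in (lifecycle_resp or {}).get("Rules", [])
             if r.get("Status") == "Enabled"]
    if not any("NoncurrentVersionExpiration" in r for r in rules):
        problems.append("no lifecycle rule expires noncurrent object versions")
    if not any(r.get("Expiration", {}).get("ExpiredObjectDeleteMarker")
               for r in rules):
        problems.append("no lifecycle rule deletes expired object delete markers")
    return problems


# Constructed sample responses (not taken from a real bucket).
GOOD_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
GOOD_LCM = {"Rules": [
    {"ID": "expire-noncurrent", "Status": "Enabled", "Filter": {},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 7}},
    {"ID": "drop-delete-markers", "Status": "Enabled", "Filter": {},
     "Expiration": {"ExpiredObjectDeleteMarker": True}}]}
# Object Lock on but no default retention; the only lifecycle rule is disabled.
BAD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
BAD_LCM = {"Rules": [{"ID": "off", "Status": "Disabled", "Filter": {},
                      "NoncurrentVersionExpiration": {"NoncurrentDays": 7}}]}

if __name__ == "__main__":
    for name, args in (("good", (GOOD_LOCK, GOOD_LCM)), ("bad", (BAD_LOCK, BAD_LCM))):
        print(name, check_prerequisites(*args) or "all prerequisites met")
```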
Add an object lock-enabled backup location
To add an object lock-enabled backup location, follow these steps:
- Log in to the Portworx Backup UI.
- From the left navigation pane, click the Cloud Settings icon and select the Backup Locations tab.
- Click Add Backup Location.
- On the Add Backup Location page, select the Object Store option and specify the following information:
  - Name: Enter a name for the backup location. Portworx Backup displays this name as the backup location name in the web console.
  - Cloud Account: Select the cloud credentials this backup location should use to create backups.
  - Path/Bucket: Enter the path or name of the object lock-enabled bucket, with a retention period configured, in which backups are stored.
    Note: If versioning is enabled for an object lock-enabled bucket, retention is enforced at the object version level. Backups cannot be physically deleted until the retention period expires, and storage usage may increase due to retained object versions. For example, when a backup is overwritten, a new object version is created while the previous version remains retained until its retention period expires. This can result in more backups being retained than the configured retention count, and retention settings cannot be reduced or removed for existing object versions.
  - Encryption key (Optional): Enter an encryption key to encrypt backup data at rest in the bucket. The S3 provider uses this key for server-side encryption (for example, SSE-C in AWS S3), where the encryption key is supplied and managed externally instead of being generated automatically by the storage provider.
  - Region: Enter the name of the object store account region.
  - Endpoint: Enter the URL of your cloud storage server or provider.
  - Disable SSL: Select this option if your on-premises object store does not support SSL/TLS.
  - Storage class: Choose the S3 storage class your cloud backups should use.
- Click Add.