Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Administrator's Guide, Volume I
  5. Section V. Configuring backups
  7. Configuring immutability and indelibility of data in NetBackup
  9. About immutable and indelible data
Veritas NetBackup™ Administrator's Guide, Volume I

About immutable and indelible data

NetBackup protects your data from being encrypted, modified, and deleted using WORM properties.

WORM is the acronym for Write Once Read Many.

WORM properties provide two additional levels of security for backup images:

  • Immutability - this protection ensures that the backup image is read-only and cannot be modified, corrupted, or encrypted after backup.

  • Indelibility - this property protects the backup image from being deleted before it expires. The data is protected from malicious deletion.

Configuring these WORM properties protects your data from certain malware attacks to some extent, for example ransomware.

NetBackup provides the ability to write backups to WORM storage devices so their data cannot be corrupted. Additionally, it lets you take advantage of advanced options available from your storage vendors to protect your backup data per applicable statutes.

Once the backup images are written using a WORM enabled storage unit, the data cannot be deleted until the WORM Unlock Time and it can no longer be modified. This WORM Unlock Time is set when the image is created or the image expiration period is extended.

The WORM Unlock Time (indelible end time) for a backup is equal to the image expiration time. The retention level in the policy or SLP determines the expiration time.

The retention level in the policy or the SLP determines the WORM Unlock Time (indelible end time) for a backup. The retention period may not be applied immediately for larger backups, so that the Unlock Time may be slightly later than the expiration time.

The only changes that are allowed to the backup image are to extend the expiration date. Be aware the backup expiration date can only be extended, it cannot be shortened. To extend the expiration date, use the bpexpdate -extend_worm_locks command. More information about the bpexpdate is available in the NetBackup Commands Reference Guide

The backup expiration date of a WORM indelible image can only be extended, it cannot be shortened. To extend the expiration date, use the bpexpdate -extend_worm_locks command. Similar to an image on hold, WORM indelible images cannot be deleted from the NetBackup catalog until their WORM Unlock Time and Expire Time have elapsed. In special circumstances, the bpexpdate -try_expire_worm_copy option can be used to force removal of a WORM indelible image from the NetBackup catalog. This option is only recommended to be used after removing WORM locks directly on the storage device.

More information about the bpexpdate is available in the NetBackup Commands Reference Guide.

Feedback

Was this page helpful?
Previous

Configuring immutability and indelibility of data in NetBackup

Next

Workflow to configure immutable and indelible data

Feedback

Was this page helpful?