

# Protecting your data with SnapLock
<a name="snaplock"></a>

SnapLock is a feature that allows you to protect your files by transitioning them to a write once, read many (WORM) state, which prevents modification or deletion for a specified retention period. You can use SnapLock to meet regulatory compliance, to protect business-critical data from ransomware attacks, and to provide an additional layer of protection for your data against alteration or deletion.

Amazon FSx for NetApp ONTAP supports the Compliance and Enterprise modes of retention with SnapLock. For more information, see [Understanding SnapLock Compliance](snaplock-compliance.md) and [Understanding SnapLock Enterprise](snaplock-enterprise.md).

You can create SnapLock volumes on FSx for ONTAP file systems created on or after July 13, 2023. Existing file systems will get SnapLock support during an upcoming weekly maintenance window. 

**Topics**
+ [How SnapLock works](how-snaplock-works.md)
+ [Understanding SnapLock Compliance](snaplock-compliance.md)
+ [Understanding SnapLock Enterprise](snaplock-enterprise.md)
+ [Understanding the SnapLock retention period](snaplock-retention.md)
+ [Committing files to WORM state](worm-state.md)

# How SnapLock works
<a name="how-snaplock-works"></a>

SnapLock can help you meet regulatory and governance requirements by preventing your files from being deleted, changed, or renamed. When you create a SnapLock volume, you commit your files to write once, read many (WORM) storage and set retention periods for the data. Your files can be stored in a non-erasable, non-writable state for a designated period, or indefinitely. 

**Important**  
You must specify whether a volume will use SnapLock settings at the time of creation. A non-SnapLock volume can't be converted to a SnapLock volume after creation. 

## Retention modes
<a name="snaplock-retention-modes"></a>

SnapLock has two retention modes: Compliance and Enterprise. Amazon FSx for NetApp ONTAP supports both of them. They have different use cases and some of the features differ, but they both protect your data from modification or deletion using the WORM model. The following table explains some of the similarities and differences between these retention modes. 


| SnapLock feature | [Understanding SnapLock Compliance](snaplock-compliance.md) | [Understanding SnapLock Enterprise](snaplock-enterprise.md) | 
| --- | --- | --- | 
| Description | Files transitioned to WORM on a Compliance volume can't be deleted until their retention periods expire.  | Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete.  | 
| Use cases |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html)  | 
| [Autocommit](worm-state.md#worm-state-autocommit) | Yes | Yes | 
| [Event-based retention (EBR)](worm-state.md#worm-state-ebr)<sup>1</sup> | Yes | Yes | 
| [Legal Hold](worm-state.md#worm-state-legal-hold)<sup>1</sup> | Yes | No | 
| [Using privileged delete](snaplock-enterprise.md#privileged-delete) | No | Yes | 
| [Volume-append mode](worm-state.md#worm-state-append) | Yes | Yes | 
| [SnapLock audit log volumes](#snaplock-audit-log-volume) | Yes | Yes | 

**Note**  
<sup>1</sup> EBR and Legal Hold operations are supported in the ONTAP CLI and REST API.

**Note**  
FSx for ONTAP supports tiering data to the capacity pool on all SnapLock volumes, regardless of the SnapLock type. For more information, see [Volume data tiering](volume-storage-capacity.md#volume-data-tiering).

## SnapLock administrator
<a name="snaplock-admin"></a>

You must have SnapLock administrator privileges to perform certain actions on SnapLock volumes. SnapLock administrator privileges are defined in the `vsadmin-snaplock` role in the ONTAP CLI. You must be a cluster administrator to create a storage virtual machine (SVM) administrator account with the SnapLock administrator role. 

You can perform the following actions with the `vsadmin-snaplock` role in the ONTAP CLI: 
+ Manage your own user account, local password, and key information
+ Manage volumes, except moving volumes
+ Manage quotas, qtrees, snapshot copies, and files
+ Perform SnapLock actions, including privileged delete and Legal Hold
+ Configure Network File System (NFS) and Server Message Block (SMB) protocols 
+ Configure Domain Name System (DNS), Lightweight Directory Access Protocol (LDAP), and Network Information Service (NIS) services 
+ Monitor jobs

The following procedure details how to create a SnapLock administrator in the ONTAP CLI. You must be logged in as a cluster administrator on a secure connection, such as Secure Shell Protocol (SSH), to perform this task. 

**To create an SVM administrator account with the vsadmin-snaplock role in the ONTAP CLI**
+ Run the following command. Replace *SVM\_name* and *SnapLockAdmin* with your own information.

  ```
  cluster1::> security login create -vserver SVM_name -user-or-group-name SnapLockAdmin -application ssh -authentication-method password -role vsadmin-snaplock
  ```

For more information, see [ONTAP roles and users](roles-and-users.md).

## SnapLock audit log volumes
<a name="snaplock-audit-log-volume"></a>

 A SnapLock audit log volume contains SnapLock audit logs, which contain timestamps of events such as when a SnapLock administrator was created, when privileged delete operations were executed, or when a Legal Hold was placed on files. The SnapLock audit log volume is a non-erasable record of events. 

You must create a SnapLock audit log volume in the same SVM as the SnapLock volume for the following actions: 
+ To turn on or turn off privileged delete on a SnapLock Enterprise volume. 
+ To apply Legal Hold on a file in a SnapLock Compliance volume. 

**Warning**  
 The minimum retention period for a SnapLock audit log volume is six months. Until this retention period expires, the SnapLock audit log volume and the SVM and file system that are associated with it can't be deleted even if the volume was created in SnapLock Enterprise mode. 
If a file is deleted using privileged delete and its retention period is longer than the retention period of the volume, then the audit log volume inherits the file's retention period. For example, if a file that has a retention period of 10 months is deleted using privileged delete and the retention period of the audit log volume is six months, the retention period of the audit log volume is extended to 10 months. 

 You can have only one active SnapLock audit log volume in an SVM, but it can be shared by multiple SnapLock volumes in the SVM. To mount a SnapLock audit log volume successfully, set the junction path to `/snaplock_audit_log`. No other volumes can use this junction path, including volumes that aren't audit log volumes. 

 You can find SnapLock audit logs in the `/snaplock_log` directory under the root of the audit log volume. Privileged delete operations are logged in the `privdel_log` subdirectory. Legal Hold begin and end operations are logged in `/snaplock_log/legal_hold_logs/`. All other logs are stored in the `system_log` subdirectory. 

You can create a SnapLock audit log volume with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API.

**Note**  
 A data protection (DP) volume can't be used as a SnapLock audit log volume. 

To turn on the SnapLock audit log volume with the Amazon FSx API, use `AuditLogVolume` in the [CreateSnaplockConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateSnaplockConfiguration.html). In the Amazon FSx console, for **Audit log volume**, choose **Enabled**. Make sure that the **Junction path** is set to `/snaplock_audit_log`. 

## Accessing your data in a SnapLock volume
<a name="accessing-snaplock-data"></a>

You can use open file protocols such as NFS and SMB to access your data in a SnapLock volume. There is no performance impact from writing data to a SnapLock volume or from reading data that's protected by WORM. 

You can copy files across SnapLock volumes with NFS and SMB, but they won't retain their WORM properties on the destination SnapLock volume. You must recommit the copied files to WORM to prevent them from being modified or deleted. For more information, see [Committing files to WORM state](worm-state.md). 

You can also replicate SnapLock data with SnapMirror, but the source and destination volumes must be SnapLock volumes with the same retention mode (for example, both must be Compliance or Enterprise). 

## SnapLock and SSD capacity decrease operations
<a name="snaplock-ssd-decrease"></a>

Consider these points about SSD decreases before creating a SnapLock volume:
+ Amazon FSx will reject SSD capacity decrease requests on file systems that contain SnapLock volumes.
+ You can't create SnapLock volumes during an SSD capacity decrease operation.

These limitations exist because ONTAP enforces a minimum retention period of 6 months for the SnapLock audit log volume, which would prevent file system deletion during that period if a SnapLock volume were moved as part of an SSD decrease operation.

If you need to decrease SSD capacity on a file system with SnapLock volumes, you would need to migrate your data to a new file system with smaller SSD capacity. For more information about SSD capacity decrease operations, including limitations and considerations, see [Updating file system SSD storage and IOPS](storage-capacity-and-IOPS.md#increase-primary-storage).

# Understanding SnapLock Compliance
<a name="snaplock-compliance"></a>

This section describes use cases and considerations for the SnapLock Compliance retention mode. 

You might choose the Compliance retention mode for the following use cases. 
+ You can use SnapLock Compliance to address government or industry-specific mandates such as SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31. SnapLock Compliance on Amazon FSx for NetApp ONTAP was assessed for these mandates and regulations by Cohasset Associates. For more information, see the [Cohasset Associates assessment report for FSx for ONTAP](https://d1.awsstatic.com/r2018/b/FSx/cohasset_assessment_for_fsx_for_ontap_report.pdf). 
+ You can use SnapLock Compliance to complement or enhance a comprehensive data protection strategy to combat ransomware attacks. 

Here are some important items to consider about the SnapLock Compliance retention mode. 
+ After a file is transitioned to the write once, read many (WORM) state on a SnapLock Compliance volume, no user can delete it before its retention period expires. 
+ A SnapLock Compliance volume can only be deleted when the retention periods of all WORM files on the volume have expired, and the WORM files have been deleted from the volume. 
+ You can't rename a SnapLock Compliance volume after creation.
+ You can use SnapMirror to replicate WORM files, but the source volume and destination volume must have the same retention mode (for example, both must be Compliance). 
+ A SnapLock Compliance volume can't be converted to a SnapLock Enterprise volume, and a SnapLock Enterprise volume can't be converted to a SnapLock Compliance volume. 

# Understanding SnapLock Enterprise
<a name="snaplock-enterprise"></a>

This section describes use cases and considerations for the SnapLock Enterprise retention mode. 

You might choose the SnapLock Enterprise retention mode for the following use cases. 
+ You can use SnapLock Enterprise to authorize only specific users to delete files. 
+ You can use SnapLock Enterprise to advance your organization's data integrity and internal compliance. 
+ You can use SnapLock Enterprise to test retention settings before using SnapLock Compliance. 

Here are some important items to consider about the SnapLock Enterprise retention mode. 
+ You can use SnapMirror to replicate WORM files, but the source volume and destination volume must have the same retention mode (for example, both must be Enterprise). 
+ A SnapLock volume can't be converted from Enterprise to Compliance, or from Compliance to Enterprise. 
+ SnapLock Enterprise doesn't support Legal Hold. 

## Using privileged delete
<a name="privileged-delete"></a>

One of the key differences between SnapLock Enterprise and SnapLock Compliance is that a SnapLock administrator can turn on privileged delete on a SnapLock Enterprise volume to allow a file to be deleted before the file's retention period expires. The SnapLock administrator is the only user who can delete files from a SnapLock Enterprise volume that has active retention policies placed on it. For more information, see [SnapLock administrator](how-snaplock-works.md#snaplock-admin). 

You can turn on or turn off privileged delete with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. To turn on privileged delete, you must first create a SnapLock audit log volume in the same SVM as the SnapLock volume. For more information, see [SnapLock audit log volumes](how-snaplock-works.md#snaplock-audit-log-volume). 

To turn on privileged delete with the Amazon FSx API, use `PrivilegedDelete` in the [CreateSnaplockConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateSnaplockConfiguration.html). In the Amazon FSx console, for **Privileged Delete**, choose **Enabled**.

**Note**  
You can't issue a privileged delete command to delete a write once, read many (WORM) file that has an expired retention period. You can issue a normal delete operation after the retention period expires.

You can opt to turn off privileged delete permanently, but this action is irreversible. If privileged delete is permanently turned off, you don't need to have a SnapLock audit log volume associated with the SnapLock Enterprise volume. 

To permanently turn off privileged delete with the Amazon FSx API, use `PrivilegedDelete` in the [CreateSnaplockConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateSnaplockConfiguration.html). In the Amazon FSx console, for **Privileged Delete**, choose **Permanently disabled**. 

## Bypassing SnapLock Enterprise mode
<a name="bypass-enterprise"></a>

If you are using the Amazon FSx console or Amazon FSx API, you must have the IAM `fsx:BypassSnapLockEnterpriseRetention` permission to delete a SnapLock Enterprise volume that contains WORM files with active retention policies. 

For more information, see [Deleting SnapLock volumes](snaplock-delete-volume.md). 
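One way to review which IAM policy documents cover this permission, as an added example that is not part of the AWS documentation. The policy names and helper functions are hypothetical, the sample policies are constructed, and evaluation is simplified to a single policy document with `Resource` and `Condition` handled conservatively.

```python
"""Flag IAM policy documents that can bypass SnapLock Enterprise retention."""
import fnmatch

BYPASS_ACTION = "fsx:BypassSnapLockEnterpriseRetention"


def as_list(value):
    """IAM accepts either a single value or a list for most elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def covers_bypass(statement):
    """True if the statement's Action or NotAction element covers BYPASS_ACTION."""
    def matches(pattern):
        # IAM action names are case-insensitive; * and ? are wildcards.
        return fnmatch.fnmatchcase(BYPASS_ACTION.lower(), pattern.lower())

    if "NotAction" in statement:
        return not any(matches(p) for p in as_list(statement["NotAction"]))
    return any(matches(p) for p in as_list(statement.get("Action")))


def is_unconditional(statement):
    """A Deny is relied on only when it applies to every resource, always."""
    return "Condition" not in statement and "*" in as_list(statement.get("Resource"))


def bypass_verdict(policy):
    """Return 'deny', 'allow' or 'none' for one policy document.

    Simplification: an Allow counts even when narrowed by Resource or
    Condition, so 'allow' means "review this policy", not "proven access".
    """
    verdict = "none"
    for statement in as_list(policy.get("Statement")):
        if not covers_bypass(statement):
            continue
        effect = statement.get("Effect")
        if effect == "Deny" and is_unconditional(statement):
            return "deny"  # an explicit deny overrides any allow
        if effect == "Allow":
            verdict = "allow"
    return verdict


def audit(policies):
    """Map each policy name to its verdict."""
    return {name: bypass_verdict(doc) for name, doc in policies.items()}


# Constructed sample policies (hypothetical names, not from a real account).
SAMPLE_POLICIES = {
    "storage-admin": {"Statement": [
        {"Effect": "Allow", "Action": "fsx:*", "Resource": "*"}]},
    "volume-operator": {"Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["fsx:CreateVolume", "fsx:DeleteVolume", "fsx:Describe*"]}]},
    "guarded-admin": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "fsx:bypasssnaplock*", "Resource": "*"}]},
    "everything-but-iam": {"Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "conditional-deny": {"Statement": [
        {"Effect": "Allow", "Action": "fsx:*", "Resource": "*"},
        {"Effect": "Deny", "Action": BYPASS_ACTION, "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {verdict}")
```

Wildcard grants such as `fsx:*` and `NotAction` statements are the cases a search for the literal action name misses.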

# Understanding the SnapLock retention period
<a name="snaplock-retention"></a>

When you create a SnapLock volume, you can set a default retention period for the volume, or you can set the retention period for write once, read many (WORM) files explicitly. During the retention period, you can't delete or modify WORM-protected files. The retention period is used to calculate the retention time. For example, if you transition a file to WORM on July 14, 2023 at midnight and set the retention period to five years, then the retention time would be until July 14, 2028 at midnight. 

For more information about WORM, see [Committing files to WORM state](worm-state.md). 

## Retention period policies
<a name="retention-policies"></a>

The retention period is determined by values that you assign to the following parameters: 
+ Default retention – The default retention period that's assigned to a WORM file if you don't provide an explicit retention period for it. 
+ Minimum retention – The shortest retention period that can be assigned to a WORM file. 
+ Maximum retention – The longest retention period that can be assigned to a WORM file. 

**Note**  
Even after the retention period expires, you can't modify a WORM file. You can only delete it or set a new retention period to turn on WORM protection again.

You can specify the retention period using several different units of time. The following table lists the specific ranges that are supported. 



| Type | Value | Notes | 
| --- | --- | --- | 
|  Seconds  |  0 - 65,535  |    | 
|  Minutes  |  0 - 65,535  |    | 
|  Hours  |  0 - 24  |    | 
|  Days  |  0 - 365  |    | 
|  Months  |  0 - 12  |    | 
|  Years  |  0 - 100  |    | 
|  Infinite  |  -  |  Retains the files forever.  Available for **Default retention**, **Maximum retention**, and **Minimum retention**.   | 
|  Unspecified<sup>1</sup>  |  -  |  Retains the files until you set a retention period.  Available for **Default retention** only.   | 

**Note**  
<sup>1</sup> When you transition files to WORM with an unspecified retention period, they are given the minimum retention period that is configured for the SnapLock volume. When you transition the WORM-protected files to an absolute retention time, the new retention period must be greater than the minimum period that you set on the files previously.

## Expired retention period
<a name="expired-policy"></a>

After a WORM file's retention period expires, you can delete the file or set a new retention period to turn WORM protection back on. WORM files aren't automatically deleted after their retention period expires. You still can't modify the content of a WORM file, even after its retention period has expired. 

## Setting the retention period of a SnapLock volume
<a name="set-retention-policy"></a>

You can set the retention period of a SnapLock volume with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. 

To set the retention period with the Amazon FSx API, use the [SnaplockRetentionPeriod](https://docs.aws.amazon.com/fsx/latest/APIReference/API_SnaplockRetentionPeriod.html) configuration. In the Amazon FSx console, for **Retention period**, enter values for **Default retention**, **Minimum retention**, and **Maximum retention**. Then choose a corresponding **Unit** for each. 

# Committing files to WORM state
<a name="worm-state"></a>

This section discusses how you can transition your files to a write once, read many (WORM) state. It also discusses volume-append mode, which is a way to write data incrementally to WORM-protected files. 

## Autocommit
<a name="worm-state-autocommit"></a>

You can use autocommit to transition files to WORM if they haven't been modified for a period of time that you specify. You can turn on autocommit with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. 

You can specify an autocommit period between five minutes and 10 years. The following table lists the specific ranges that are supported. 



| Unit | Value | 
| --- | --- | 
|  Minutes  |  5 - 65,535  | 
|  Hours  |  1 - 65,535  | 
|  Days  |  1 - 3,650  | 
|  Months  |  1 - 120  | 
|  Years  |  1 - 10  | 

To turn on autocommit with the Amazon FSx API, use `AutocommitPeriod` in the [CreateSnaplockConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateSnaplockConfiguration.html). In the Amazon FSx console, for **Autocommit**, choose **Enabled**. Then, for **Autocommit period**, enter a value and choose a corresponding **Autocommit unit**. 

You can specify a value between 5 minutes and 10 years.
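The retention and autocommit ranges in the tables above, together with the privileged delete prerequisites, can be checked before a volume is created. The following pre-flight check is an added example, not AWS code: it uses the field names of the Amazon FSx `SnaplockConfiguration` structure, while the function names, the `svm_has_audit_log_volume` parameter, and the sample configurations are hypothetical.

```python
"""Pre-flight check of a SnaplockConfiguration against the limits on this page."""

# Unit ranges from the retention period table.
RETENTION_RANGES = {
    "SECONDS": (0, 65535), "MINUTES": (0, 65535), "HOURS": (0, 24),
    "DAYS": (0, 365), "MONTHS": (0, 12), "YEARS": (0, 100),
}
# Unit ranges from the autocommit table.
AUTOCOMMIT_RANGES = {
    "MINUTES": (5, 65535), "HOURS": (1, 65535), "DAYS": (1, 3650),
    "MONTHS": (1, 120), "YEARS": (1, 10),
}


def check_period(name, period, ranges, valueless_types=()):
    """Return the problems found in one {"Type": ..., "Value": ...} period."""
    unit = period.get("Type")
    if unit in valueless_types:
        return []
    if unit not in ranges:
        return [f"{name}: unit {unit!r} is not available here"]
    low, high = ranges[unit]
    value = period.get("Value")
    if not isinstance(value, int) or not low <= value <= high:
        return [f"{name}: {value!r} {unit} is outside {low} - {high}"]
    return []


def validate_snaplock(config, svm_has_audit_log_volume=False):
    """Return a list of problems; an empty list means every check passed.

    svm_has_audit_log_volume is a hypothetical input: whether the SVM already
    holds a SnapLock audit log volume.
    """
    problems = []
    mode = config.get("SnaplockType")
    if mode not in ("COMPLIANCE", "ENTERPRISE"):
        problems.append(f"SnaplockType: {mode!r} is not a retention mode")

    retention = config.get("RetentionPeriod", {})
    for key in ("DefaultRetention", "MinimumRetention", "MaximumRetention"):
        if key in retention:
            # Infinite is available for all three; Unspecified only for default.
            valueless = ("INFINITE", "UNSPECIFIED") if key == "DefaultRetention" else ("INFINITE",)
            problems += check_period(key, retention[key], RETENTION_RANGES, valueless)

    if "AutocommitPeriod" in config:
        # Type NONE leaves autocommit turned off.
        problems += check_period("AutocommitPeriod", config["AutocommitPeriod"],
                                 AUTOCOMMIT_RANGES, ("NONE",))

    if config.get("PrivilegedDelete") == "ENABLED":
        if mode != "ENTERPRISE":
            problems.append("PrivilegedDelete: only SnapLock Enterprise supports it")
        if not svm_has_audit_log_volume:
            problems.append("PrivilegedDelete: needs a SnapLock audit log volume in the same SVM")
    return problems


# Constructed sample configurations (not taken from a real file system).
ENTERPRISE_OK = {
    "SnaplockType": "ENTERPRISE",
    "PrivilegedDelete": "ENABLED",
    "AutocommitPeriod": {"Type": "HOURS", "Value": 12},
    "RetentionPeriod": {
        "DefaultRetention": {"Type": "YEARS", "Value": 5},
        "MinimumRetention": {"Type": "MONTHS", "Value": 6},
        "MaximumRetention": {"Type": "INFINITE"},
    },
}
COMPLIANCE_BAD = {
    "SnaplockType": "COMPLIANCE",
    "PrivilegedDelete": "ENABLED",
    "AutocommitPeriod": {"Type": "MINUTES", "Value": 2},
    "RetentionPeriod": {
        "DefaultRetention": {"Type": "MONTHS", "Value": 18},
        "MinimumRetention": {"Type": "UNSPECIFIED"},
    },
}

if __name__ == "__main__":
    for label, cfg in (("ENTERPRISE_OK", ENTERPRISE_OK), ("COMPLIANCE_BAD", COMPLIANCE_BAD)):
        print(label, validate_snaplock(cfg, svm_has_audit_log_volume=True))
```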

## Volume-append mode
<a name="worm-state-append"></a>

You can't modify existing data in a WORM-protected file. However, SnapLock allows you to maintain protection for existing data using WORM-appendable files. For example, you can generate log files or preserve audio or video streaming data while writing data to them incrementally. You can turn volume-append mode on or off with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. 

**Requirements for updating volume-append mode**
+ The SnapLock volume must be unmounted.
+ The SnapLock volume must be empty of snapshot copies and user data. 

 

To turn on volume-append mode with the Amazon FSx API, use `VolumeAppendModeEnabled` in the [CreateSnaplockConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateSnaplockConfiguration.html). In the Amazon FSx console, for **Volume append mode**, choose **Enabled**. 

## Event-based retention (EBR)
<a name="worm-state-ebr"></a>

You can use event-based retention (EBR) to create custom policies with associated retention periods. For example, you can transition all files in a specified path to WORM and set the retention period for one year with the `snaplock event-retention policy create` and `snaplock event-retention apply` commands. When you use EBR, you must specify a volume, directory, or file. The retention period that you select when you create the EBR policy is applied to all files in the specified path. 

EBR is supported by the ONTAP CLI and REST API. 

**Note**  
ONTAP doesn't support EBR with FlexGroup volumes.

The following procedures explain how to create, apply, modify, and delete an EBR policy. You must be a SnapLock administrator (have the `vsadmin-snaplock` role) to complete these tasks in the ONTAP CLI. For more information, see [SnapLock administrator](how-snaplock-works.md#snaplock-admin). 

### Creating an EBR policy in the ONTAP CLI
<a name="create-ebr-ontap-cli"></a>

**To create an EBR policy in the ONTAP CLI**
+ Run the following command. Replace *p1* and *"10 years"* with your own information. 

  ```
  vs1::> snaplock event-retention policy create -name p1 -retention-period "10 years"
  ```

### Applying an EBR policy in the ONTAP CLI
<a name="apply-ebr-ontap-cli"></a>

**To apply an EBR policy in the ONTAP CLI**
+ Run the following command. Replace *p1* and *slc* with your own information. You can add a path after the forward slash (/) if you want to specify a particular path for the EBR policy. Otherwise, this command applies the EBR policy to all files on the volume. 

  ```
  vs1::> snaplock event-retention apply -policy-name p1 -volume slc -path /
  ```

### Modifying an EBR policy in the ONTAP CLI
<a name="modify-ebr-ontap-cli"></a>

**To modify an EBR policy in the ONTAP CLI**
+ Run the following command. Replace *p1* and *"5 years"* with your own information. 

  ```
  vs1::> snaplock event-retention policy modify -name p1 -retention-period "5 years"
  ```

### Deleting an EBR policy in the ONTAP CLI
<a name="delete-ebr-ontap-cli"></a>

**To delete an EBR policy in the ONTAP CLI**
+ Run the following command. Replace *p1* with your own information. 

  ```
  vs1::> snaplock event-retention policy delete -name p1
  ```

Related commands in the *NetApp Documentation Center*:
+ [snaplock event-retention abort](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-event-retention-abort.html)
+ [snaplock event-retention show-vservers](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-event-retention-show-vservers.html)
+ [snaplock event-retention show](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-event-retention-show.html)
+ [snaplock event-retention policy show](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-event-retention-policy-show.html)

## Legal Hold
<a name="worm-state-legal-hold"></a>

You can retain WORM files for an indefinite period of time using Legal Hold. Legal Hold is generally used for litigation purposes. A WORM file that's subject to a Legal Hold can't be deleted until the Legal Hold is lifted. 

Legal Hold is supported by the ONTAP CLI and REST API. 

**Note**  
ONTAP doesn't support Legal Hold with FlexGroup volumes.

The following procedures explain how to start and end a Legal Hold. You must be a SnapLock administrator (have the `vsadmin-snaplock` role) to complete these tasks in the ONTAP CLI. For more information, see [SnapLock administrator](how-snaplock-works.md#snaplock-admin). 

### Starting a Legal Hold on a file in a SnapLock Compliance volume with the ONTAP CLI
<a name="start-legal-hold-ontap-cli"></a>

**To start a Legal Hold on a file in a SnapLock Compliance volume with the ONTAP CLI**
+ Run the following command. Replace *litigation1*, *slc\_vol1*, and *file1* with your own information. 

  ```
  vs1::> snaplock legal-hold begin -litigation-name litigation1 -volume slc_vol1 -path /file1
  ```

### Starting a Legal Hold on all files in a SnapLock Compliance volume with the ONTAP CLI
<a name="start-legal-hold-all-files-ontap-cli"></a>

**To start a Legal Hold on all files in a SnapLock Compliance volume with the ONTAP CLI**
+ Run the following command. Replace *litigation1* and *slc\_vol1* with your own information. 

  ```
  vs1::> snaplock legal-hold begin -litigation-name litigation1 -volume slc_vol1 -path /
  ```

### Ending a Legal Hold on a file in a SnapLock Compliance volume with the ONTAP CLI
<a name="end-legal-hold-ontap-cli"></a>

**To end a Legal Hold on a file in a SnapLock Compliance volume with the ONTAP CLI**
+ Run the following command. Replace *litigation1*, *slc\_vol1*, and *file1* with your own information. 

  ```
  vs1::> snaplock legal-hold end -litigation-name litigation1 -volume slc_vol1 -path /file1
  ```

**Note**  
We recommend that you monitor the `-operation-status` with the `snaplock legal-hold show` command when issuing a Legal Hold to make sure that it doesn't fail. 

### Ending a Legal Hold on all files in a SnapLock Compliance volume with the ONTAP CLI
<a name="end-legal-hold-all-files-ontap-cli"></a>

**To end a Legal Hold on all files in a SnapLock Compliance volume with the ONTAP CLI**
+ Run the following command. Replace *litigation1* and *slc\_vol1* with your own information. 

  ```
  vs1::> snaplock legal-hold end -litigation-name litigation1 -volume slc_vol1 -path /
  ```

**Note**  
We recommend that you monitor the `-operation-status` with the `snaplock legal-hold show` command when issuing a Legal Hold to make sure that it doesn't fail. 

 Related commands in the *NetApp Documentation Center*:
+ [snaplock legal-hold abort](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-legal-hold-abort.html)
+ [snaplock legal-hold dump-files](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-legal-hold-dump-files.html)
+ [snaplock legal-hold dump-litigations](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-legal-hold-dump-litigations.html)
+ [snaplock legal-hold show](https://docs.netapp.com/us-en/ontap-cli-9121/snaplock-legal-hold-show.html)