-
- Service Provider
- Posts: 270
- Liked: 49 times
- Joined: Jun 10, 2019 12:19 pm
- Full Name: Daniel Johansson
IBM + Governance Mode
We are setting up a new S3 platform and are trying to make governance mode work. "Compliance mode" is not practically possible to use for a service provider. I have set the registry key mentioned above (that the setting is global and unavailable in the GUI is just... absurd) and restarted the server, but it has no effect.
2025-06-04 12:35:49 :: Failed to perform setting immutability for backup Error: Agent: Failed to process method {NasMaster.MakeBlobsImmutable}: S3 error: Retention Mode must be 'COMPLIANCE'
Code: MalformedXML
The information mentioned above that "The key will only work for VBR deployments where you haven't used immutable object storage repositories yet" - are you saying that creating such a repository for testing and then deleting it, before trying to use this registry key, makes governance mode impossible to use for any future S3 repository on that VBR server? I hope not, but something is not right.
-
- Product Manager
- Posts: 10472
- Liked: 2808 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: immutable SOBR w/ hardened repositories + capacity tier
Hi Daniel,
If you have existing immutable repositories in "Compliance Mode" with active jobs, those jobs will fail after switching to "Governance Mode" — because you can't change object lock from Compliance to Governance.
Only use this key for:
- New backup server deployments
- Existing setups: Create new repositories
I assume you had at least one job running against your immutable repository while it was in "Compliance Mode"?
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Service Provider
- Posts: 270
- Liked: 49 times
- Joined: Jun 10, 2019 12:19 pm
- Full Name: Daniel Johansson
Re: immutable SOBR w/ hardened repositories + capacity tier
It was the same job, but the old backup was removed (it was not written with object lock) and the job pointed to a newly created repository. But this is probably something in the backend (COS) since I see that I get "retention mode not set" even on buckets created with object lock in governance mode, and when trying to set it, I get that same error message. We will bother IBM about it instead.
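A way to separate a backend-side rejection like this from a VBR-side setting, as an added example that is not part of the thread and not Veeam or IBM code: it builds the standard S3 PutObjectLockConfiguration request body for a chosen mode and classifies the storage response. The sample response is constructed from the error text in the log above; the function names, and the assumption that the backend answers with a standard S3 `<Error>` document, are illustrative.

```python
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"

# Constructed sample: the Code and Message values are the ones in the log above.
SAMPLE_REJECTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>MalformedXML</Code>
<Message>Retention Mode must be 'COMPLIANCE'</Message></Error>"""


def lock_config_body(mode: str, days: int) -> bytes:
    """Body for PutObjectLockConfiguration with a default retention rule."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError(f"unknown retention mode: {mode}")
    root = ET.Element("ObjectLockConfiguration", xmlns=S3_NS)
    ET.SubElement(root, "ObjectLockEnabled").text = "Enabled"
    retention = ET.SubElement(ET.SubElement(root, "Rule"), "DefaultRetention")
    ET.SubElement(retention, "Mode").text = mode
    ET.SubElement(retention, "Days").text = str(days)
    return ET.tostring(root)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{ns}Code' down to 'Code'."""
    return tag.rsplit("}", 1)[-1]


def parse_s3_error(body: bytes) -> dict:
    """Return the child elements of an S3 <Error> document as a dict."""
    root = ET.fromstring(body)
    if _local(root.tag) != "Error":
        raise ValueError("not an S3 error document")
    return {_local(child.tag): (child.text or "").strip() for child in root}


def classify_probe(requested_mode: str, status: int, body: bytes) -> str:
    """Interpret the response to a lock-configuration request."""
    if 200 <= status < 300:
        return "accepted"
    err = parse_s3_error(body)
    # The error code alone (MalformedXML) is misleading; the message text
    # is what shows the backend only accepts COMPLIANCE retention.
    if requested_mode == "GOVERNANCE" and "must be 'COMPLIANCE'" in err.get("Message", ""):
        return "compliance-only backend"
    return f"other failure: {err.get('Code', 'unknown')}"
```

Sending `lock_config_body("GOVERNANCE", 1)` to a scratch bucket on the target platform and passing the response to `classify_probe` shows whether the storage itself refuses governance mode before any backup job is involved.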
-
- Product Manager
- Posts: 10472
- Liked: 2808 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: IBM + Governance Mode
I’ve split your comments into a separate topic.
It’s possible that IBM doesn’t support Governance Mode — some object storage appliances and services enforce Compliance Mode.
Let’s loop in my colleague @sfirmes; he may have more information about IBM COS and its support for Governance Mode.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Chief Product Officer
- Posts: 32311
- Liked: 7657 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: IBM + Governance Mode
It's not in UI because we don't want regular customers using this mode, while for service providers the requirement to create a registry value should not present a massive complexity issue.
We don't allow enabling this registry value on existing VBR installs with immutable backups because it becomes the simplest attack vector against said backups for a hacker which they would be able to use against every single Veeam installation out there. If you want to test this capability, it's best to use it on a separate, clean VBR install in a lab.
-
- Service Provider
- Posts: 270
- Liked: 49 times
- Joined: Jun 10, 2019 12:19 pm
- Full Name: Daniel Johansson
Re: IBM + Governance Mode
The VBR does not have any immutable backups on any object storage. All we want is to be able to send customer backups to object storage with the same possibility of immutable backups as on our ordinary hardened repositories - but without having to keep an offboarded customer's backups for any number of years. We must be able to remove a customer's data after they have left (I wouldn't be surprised if some regulation or other is even forcing us to remove it) - how this ability could not be seen as the natural and default state is beyond me. "Compliance mode" can never guarantee the continued existence of backups for the whole retention period as long as someone has physical access to the storage. This is the same argument that is often mentioned on these forums when it comes to limitations for what "immutability" and other data security ambitions can achieve. It's not a criticism against Veeam but against the very existence of a software setting that effectively locks out the storage owner from his own box, or at least part of it (the part taken up by data stored for x years for a customer no longer present).
And for that, it seems that we must use "governance mode". Which it now seems that this COS platform dropped in my knee has no support for (see 2.2.3.4 in https://cloud.ibm.com/media/docs/downlo ... le-cos.pdf)...
-
- Veeam Software
- Posts: 322
- Liked: 151 times
- Joined: Jul 24, 2018 8:38 pm
- Full Name: Stephen Firmes
Re: IBM + Governance Mode
I confirmed with my contacts at IBM COS that governance mode is not supported in the current release. I was unable to get an answer about if/when they might support it in future releases.
Mildur wrote: ↑Jun 04, 2025 12:41 pm
I’ve split your comments into a separate topic.
It’s possible that IBM doesn’t support Governance Mode — some object storage appliances and services enforce Compliance Mode.
Let’s loop in my colleague @sfirmes; he may have more information about IBM COS and its support for Governance Mode.
Best,
Fabian
Steve Firmes | Senior Solutions Architect, Product Management - Alliances @ Veeam Software