remote-backups.comremote-backups.com
Contact illustration
Sign In
Don't have an account ?Sign Up
From €3/TB/month* • Usage-Based Billing

Immutable Backups

A read-only copy of your backups that nobody can modify or delete. Not you, not a rogue script, not ransomware. Protected by credential separation and controlled sync jobs.

Three Threats, One Solution

Immutable backups create a separate datastore that syncs automatically from your primary. Deletions don't propagate. Credentials are isolated. Your data survives.

Ransomware

An attacker who compromises your PBS credentials can delete snapshots through the API. Your immutable copy is controlled by a separate sync job with separate credentials that you don't hold. Even a full credential compromise leaves the immutable data untouched.

Human Error

A misconfigured prune job set to keep 3 instead of 30 snapshots. A bulk delete on the wrong datastore. A script pointed at production instead of staging. Immutable backups maintain their own retention, independent from your primary.

Compliance

SOC 2, ISO 27001, and GDPR frameworks expect backup copies that can't be altered by the same credentials used for daily operations. Immutable backups provide exactly this: a separation of control where the backup copy is beyond the reach of normal operational access.

How Immutable Backups Work

The mechanism is straightforward: a sync job copies your backups to a second datastore with remove-vanished set to false. Deletions on your primary don't propagate.

1

Enable in your datastore settings

Choose your sync schedule (what hour to sync) and set your retention policy for the immutable copy.

2

We create a dedicated immutable datastore

A second PBS datastore is created on the same server. A sync job copies your backups with remove-vanished disabled.

3

First sync runs immediately

Your existing backups are copied to the immutable datastore right away. Subsequent syncs run on your chosen schedule.

4

You receive a read-only restore token

A dedicated API token with DatastoreReader permissions. You can browse snapshots and restore, but not modify or delete.

Data Flow

Your Proxmox
Backup source
Primary Datastore
Your credentials
Immutable Datastore
Read-only for you • Sync job writes only

The sync job runs under admin credentials you don't have access to. Your restore token is DatastoreReader only.

What Makes It Immutable

Deletions Don't Propagate

The sync job uses remove-vanished: false. When you delete a snapshot from your primary datastore, it survives in the immutable copy.

Credential Separation

You hold a DatastoreReader token. All writes happen through a sync job running under admin credentials you don't have access to.

Independent Retention

The immutable datastore has its own prune schedule. Keep 7 daily on your primary but 30 daily and 12 monthly on the immutable copy.

Read-Only Access

Your restore token lets you browse and restore. You cannot write, modify, or delete anything on the immutable datastore.

Restoring from Immutable Backups

Same tools, same workflow. The only difference is the repository string.

proxmox-backup-client restore <snapshot> <target> \
    --repository user-<id>@pbs!restore@<host>:<datastore>-imm

Your dashboard shows the full connection details with copy buttons for each field: host, datastore name, token name, and token secret.

Your restore token can:
  • Browse snapshots
  • Download and restore data
  • List datastore contents
Your restore token cannot:
  • Delete snapshots
  • Modify any data
  • Change retention or prune settings

Usage-Based Pricing

€3 per TB per month*, billed per GB per hour. You pay for the bytes your immutable snapshots actually consume, not your primary datastore's allocated size.

€3*

Per TB/Month

Based on actual usage
Per GB

Billing Granularity

Not per 100GB increments
Hourly

Billing Interval

Pay only for what you use

Cost Examples

Primary DatastoreImmutable UsageMonthly Cost
500 GB~400 GB~€1.20*
2 TB~1.5 TB~€4.50*
5 TB~4 TB~€12*

Actual immutable usage depends on your retention settings and deduplication ratio. If your primary is 2 TB but only 800 GB of unique data syncs, you pay for 800 GB.

What Immutable Backups Don't Replace

Knowing the boundaries matters as much as knowing the features.

Not Geo-Replication

Your immutable copy lives on the same server as your primary datastore. It protects against logical deletion and credential compromise, not physical server failure.

Add geo-replication for physical protection →

Not WORM Storage

There's no filesystem-level write-once enforcement with compliance-grade retention locks. Immutability comes from access control: you have read-only access, writes happen through a controlled sync job.

Read the full technical analysis →

Not Server-Level Protection

Root access to the physical server could theoretically reach the immutable datastore. For that level of isolation, combine immutable backups with geo-replication to a separate server.

See the 3-2-1-1-0 strategy →

24-Hour Safety Net

When you request to disable immutable backups, nothing happens immediately. A 24-hour grace period starts. You get an email notification, and you can cancel at any time during those 24 hours.

After the grace period, the immutable datastore, sync job, restore token, and all associated data are permanently removed. This prevents both accidental and malicious disabling of the protection.

  • 24-hour delay
    No data removed until grace period expires
  • Email notification
    Immediate alert when disable is requested
  • Cancel anytime
    One click to stop the disable during grace period
  • Anti-tampering
    Protects against attackers who compromise your dashboard

Build a Complete Protection Stack

Each layer addresses a different threat. Together, they cover ransomware, human error, and regional disasters.

Primary Datastore

Your working backup target with daily prune jobs.

Included

Immutable Backups

Read-only copy that survives deletion and credential compromise.

€3/TB/month*

Geo-Replication

Geographic separation that survives physical disasters.

€4/TB/copy*

Enable in Under a Minute

Immutable backups are available now for all datastores.

  1. Open your datastore in the dashboard
  2. Go to Settings > Immutable Backups
  3. Choose your sync schedule and retention policy
  4. Click Enable

Your first sync starts immediately. The dashboard shows your immutable backup status, last sync time, storage usage, and restore credentials.

Frequently Asked Questions

WORM storage (like S3 Object Lock) enforces immutability at the filesystem level with retention locks that even administrators can't override. Our immutable backups achieve practical immutability through access control: you have read-only access, and all writes happen through a controlled sync job with separate credentials. For most use cases this provides the same outcome, but it's not the same thing as compliance-grade WORM.

The immutable datastore lives on the same server as your primary datastore. It protects against logical deletion (prune jobs, manual deletion, ransomware wiping snapshots) and credential compromise. For protection against physical server failure or datacenter disasters, combine immutable backups with geo-replication.

Nothing happens to the immutable copy. The sync job uses remove-vanished: false, so deletions on your primary datastore don't propagate. Your immutable snapshots remain intact with their own independent retention policy.

Yes. The immutable datastore has its own retention policy (keep-last, keep-daily, keep-weekly, keep-monthly, keep-yearly), completely independent from your primary. You configure this when enabling immutable backups.

Immutable backups are billed at €3/TB/month based on actual storage usage on the immutable datastore, measured per GB per hour. This is different from standard storage pricing (which uses 100GB increments). If deduplication means only 800GB of unique data syncs from a 2TB primary, you pay for 800GB.

Even if someone gains access to your dashboard account, disabling immutable backups triggers a 24-hour grace period. You receive an email notification immediately and can cancel the disable at any time during those 24 hours.

Yes. The sync job copies encrypted chunks as-is. The immutable datastore contains the same encrypted data. You use the same encryption key to restore from either datastore.

Use the standard proxmox-backup-client restore command with the immutable datastore name and your read-only restore token. The dashboard shows all connection details with copy buttons.

Protect Your Backups from Deletion

Immutable backups create a read-only copy of your data that survives accidental deletion, ransomware, and credential compromise. From €3/TB/month*.

* = VAT may apply