Immutable copy and offline backup
Two immutability tiers for your Proxmox backups: immutable datastore through a sync job with unmount (available today) and LTO tape air-gapped in a datacenter vault (early access for French customers in the third quarter of 2026).
What's included
- PBS sync job in pull mode to a second datastore that is unmounted outside the sync window. Unreachable from your API token.
- LTO tape written through a robot, ejected after writing, kept in a fireproof vault with audited access. Early access for French customers.
- The immutable target applies its own retention policy, driven by our orchestration layer outside the customer perimeter.
- Verifiable immutable layer that satisfies the ANSSI/NIS2 requirement for a copy resilient to insider compromise.
- A proxmox-backup-manager verify job can be scheduled on the immutable copy on every cycle, with a support alert on error.
- European datacenters, operators under European law, client-side AES-256 encryption compliant with GDPR article 32.
Tier 1: immutable datastore through unmount
Today, Cloud-PBS delivers immutability through a second PBS datastore on a separate volume, unmounted from the PBS server filesystem most of the time. A PBS sync job in pull mode mounts the volume according to the configured frequency, copies new chunks from your production datastore, then unmounts the volume once verification completes. Between cycles, the immutable copy is neither listed by PBS nor reachable through your API token.
- PBS sync job in pull mode with automatic unmount between cycles
- Customer token scoped to the production datastore only
- Available on Dedicated plans and some Shared plans on request
Attack vectors covered by the immutable datastore
Unmounting the filesystem closes four attack scenarios: compromise of the customer API token, compromise of Proxmox VE with access to the main datastore, an operator mistake on the production target, and ransomware that has gained a shell on the PBS server. None of these vectors can reach the immutable copy because its filesystem is not mounted at attack time.
- Customer API token unusable against the immutable copy
- Compromised PVE has no route to the immutable target
- Ransomware on PBS does not see the copy's filesystem
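The protection described above depends on the volume actually being unmounted between cycles, so an operator of this kind of setup would want a scheduled check for it. The following is an added example, not Cloud-PBS code: it reads a mount table in /proc/mounts format and flags the immutable volume when it is mounted outside the sync window. The mountpoint paths, the window hours and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloud-PBS code). Assumed values: mountpoint path,
# sync window hours. The mount table below is constructed sample data.

# Succeeds if MOUNTPOINT, or anything beneath it, is a mount target in a
# /proc/mounts-format file (field 2 is the mount target).
is_mounted() {
    awk -v mp="$2" '$2 == mp || index($2, mp "/") == 1 { f = 1 } END { exit !f }' "$1"
}

# Succeeds if HOUR (0-23, no leading zero) lies in [START, END); the
# window may wrap past midnight (e.g. 23 -> 2).
in_window() {
    if [ "$2" -le "$3" ]; then
        [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]
    else
        [ "$1" -ge "$2" ] || [ "$1" -lt "$3" ]
    fi
}

# Prints the audit state; returns 1 only when the copy is exposed.
# Usage: audit_state MOUNTS_FILE MOUNTPOINT HOUR START END
audit_state() {
    if ! is_mounted "$1" "$2"; then
        echo "OK_UNMOUNTED"
    elif in_window "$3" "$4" "$5"; then
        echo "OK_MOUNTED_IN_SYNC_WINDOW"
    else
        echo "ALERT_MOUNTED_OUTSIDE_WINDOW"
        return 1
    fi
}

# Constructed /proc/mounts excerpt with the immutable volume mounted.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/datastore/prod ext4 rw,relatime 0 0
/dev/sdc1 /mnt/datastore/immutable ext4 rw,relatime 0 0
EOF
}

# Demo: volume still mounted at 14:00 with a 01:00-03:00 sync window.
tmp=$(mktemp) && sample_mounts > "$tmp"
audit_state "$tmp" /mnt/datastore/immutable 14 1 3 || true
rm -f "$tmp"
```

On a live host the first argument would be /proc/mounts and the hour would come from the system clock; paths containing spaces appear escaped in that file and would need the escaped form.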
Verifiable immutable layer for NIS2 and 3-2-1-1-0
The 3-2-1-1-0 rule recommended by ANSSI, the NCSC and CISA adds the immutable "1" to the historical 3-2-1 rule. NIS2 article 21 transposed into French law requires a copy resilient to insider compromise. The Cloud-PBS immutable datastore produces this audit-verifiable property, with a monthly operations report detailing sync cycles and integrity verifications.
- Monthly operations report usable for NIS2 audit
- Immutable layer distinct from the production target
- Storage operated exclusively in the European Union
Tier 2: LTO air-gapped in datacenter vault (Q3 2026)
For two extreme scenarios (the cloud operator itself compromised, a patient advanced persistent threat), you need a physically disconnected tier. For the third quarter of 2026, Cloud-PBS is preparing a long-term archival tier built around LTO tapes: written through a dedicated robot, ejected from the robot after writing, stored in a fireproof cabinet with audited access, and re-injected on demand for one-off restoration or DR testing. Early access opens first to French customers, with the LTO vault physically located in France.
- True physical air-gap, tape ejected from the robot after writing
- Early access for French customers in the third quarter of 2026
- Fireproof vault with audited access, under French law
Who is it for?
NIS2 compliance
Essential and important entities that need to prove an immutable backup layer to the regulator. The immutable datastore covers the requirement today.
Cyber insurance audit response
More and more insurers require an immutable copy as a prerequisite for ransomware coverage. The Cloud-PBS monthly operations report serves as evidence.
Ransomware recovery
When ransomware compromises PVE and tries to delete backup snapshots, the immutable copy stays intact by construction. Recovery is possible from the last known intact copy.
Long-term regulatory archival
Data retention subject to multi-year obligations (health, finance, connection metadata). The immutable copy retention is driven outside the daily operational perimeter.
Frequently asked questions
What is the difference between immutable datastore and LTO air-gapped?
When will the LTO tier be available?
How do I reserve a slot for LTO early access?
Is the immutable datastore a real air-gap?
Is the immutable datastore charged extra?
Enable the immutable layer on your Cloud-PBS account
Immutable datastore available today on Dedicated and Shared plans on request. LTO pre-registration for French customers in the third quarter of 2026.