Managing the Indestructibility Mechanism


A single indestructibility protection mechanism protects all indestructible protection policies and snapshots on the cluster. The mechanism is locked by default and must be unlocked by a secure procedure in order to perform various protected tasks, such as deleting indestructible snapshots.

A dedicated password is used in the procedure for unlocking the indestructibility mechanism. The password has a default value and can be changed only after unlocking the indestructibility mechanism. It is recommended to change the password from its default value as soon as possible after installation or upgrade of the cluster and before setting any snapshots or policies as indestructible.

If the password is forgotten, it can be restored to its default value. In order to ensure that an attacker cannot do this easily, there is an automatic delay whenever a password restore request is made. The password is not restored until after the password restore delay period, which is one day by default.

Only specially authorized users can unlock the indestructibility mechanism and change the indestructibility password. For the initial steps for establishing authorized users and setting the password for the first time, see Required First Steps.

Checking Current Status of the Indestructibility Mechanism

The Indestructibility settings page of the VAST Web UI displays Locked or Unlocked, so that you can easily see the current status.  

The following VAST CLI commands display details of the indestructibility configuration: indestructibility show, indestructibility list

Unlocking the Indestructibility Mechanism

This procedure unlocks the indestructibility system and therefore enables VMS users to delete and modify indestructible snapshots and/or protection policies. It can be done only by personnel previously enrolled by VAST Support as users authorized to unlock the indestructibility mechanism.

The indestructibility mechanism remains unlocked for 60 minutes. During that time, VMS users can:

  • Modify an indestructible protection policy, including changing the snapshot schedule and shortening the retention period for snapshots.

  • Modify a protected path that points to an indestructible protection policy, including pausing the path.

  • Delete indestructible snapshots.

  • Shorten the expiration time of indestructible snapshots.

  • Change the indestructibility password.

  • Change the indestructibility password restore delay.

Unlock Indestructibility from the VAST Web UI

  1. In the VAST Web UI, select Settings from the left navigation menu and then select Indestructibility and then System unlock.

  2. Enter the Indestructibility Password in the field provided.

  3. Contact VAST Support using your pre-authorized user account. Request a support token for unlocking the mechanism.

    You will be asked to provide a VMS-generated token and additional information for verifying your identity.

  4. Click Generate Token. VMS generates a token. The VMS-generated token is displayed in the Generated Token field.

    The token is valid for one hour.

  5. Provide the token to support. The support agent will seek additional authorization and provide the support token.

  6. Enter the support token into the Support Token field.

  7. Click Unlock System.

    The indestructibility mechanism will now be unlocked. The status displayed on the Indestructibility settings page changes to Unlocked.

    The indestructibility mechanism will automatically lock again one hour after it was unlocked.

Unlock Indestructibility from the VAST CLI

  1. Contact VAST Support using your pre-authorized user account. Request a support token for unlocking the mechanism. You will be asked to provide the VMS-generated token and additional information for verifying your identity.

  2. Run the indestructibility generate-token command to generate a VMS token.

  3. Provide the VMS token to Support. The support agent will seek additional authorization and provide the support token.

  4. Run the indestructibility unlock command to unlock the system using the token provided by support.  

Changing the Indestructibility Password

Changing the password requires unlocking the indestructibility mechanism.

Change the Indestructibility Password from the VAST Web UI

  1. Unlock the indestructibility mechanism.

  2. In the Indestructibility settings page, in the Settings area, enter the old indestructibility password into the Old Indestructibility Password field.  

  3. Enter a new password into the New Indestructibility Password field. The password must have at least eight characters.

  4. Re-enter the same new password into the Confirm Password field.

  5. Click Modify and then click Yes to confirm the change.

Change the Indestructibility Password from the VAST CLI

  1. Unlock the indestructibility mechanism.

  2. Run the indestructibility modify command with the --new-indestructibility-passwd option.

    Note

    You can change the password reset delay with the same command in the same command line.

Restoring the Default Indestructibility Password

In case of a forgotten indestructibility password, it is possible to restore the default password and then change it again to a new secure password.

When you restore the password to default, there is a delay until the password restore takes effect. The delay provides additional security in case of a rogue admin using VMS to restore the password. Throughout the duration of the password restore delay period, an alarm is raised. The alarm alerts you that a password restore was initiated, in case it was initiated by an unauthorized user. If you suspect that a rogue admin has initiated a reset, please contact VAST Support and we will assist you.

The delay is one day by default and can be changed while the indestructibility mechanism is unlocked.

Restore the Default Indestructibility Password from the VAST Web UI

  1. In the VAST Web UI, select Settings from the left navigation menu and then select Indestructibility.

  2. Click Restore Password and then click Yes to confirm the action.

    A countdown now begins towards restoring the password to its default value. A counter is displayed in the Indestructibility settings page to enable you to track the time remaining until the password restore is done.

Restore the Indestructibility Password from the VAST CLI

Run the indestructibility reset-passwd command.

Changing the Password Restore Delay

The delay is one day by default. The password restore delay can be changed while the indestructibility mechanism is unlocked. The minimum delay is one minute.

Change the Indestructibility Password Restore Delay from the VAST Web UI

  1. Select Settings from the left navigation menu, then select Indestructibility and then Settings.

  2. Enter your chosen delay time in the Password restore delay field as an integer followed by m for minutes, h for hours or d for days. For example: enter 5d to set the delay to five days.  

  3. Click Modify and then click Yes to confirm the change.

Change the Indestructibility Password Restore Delay from the VAST CLI

Run the indestructibility modify command with the --passwd-delay option.

Note

You can change the password with the same command in the same command line.
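
The following is an added example, not VAST code: a pre-change check that parses a proposed password restore delay in the format described above (integer followed by m, h or d, minimum one minute) and reports when the delay leaves less time than your team needs to act on the password restore alarm. The function names and the response_time figure are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Units accepted by the Password restore delay field: m, h, d.
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
_DELAY_RE = re.compile(r"([0-9]+)([mhd])")
MIN_DELAY = timedelta(minutes=1)    # minimum delay stated on this page
DEFAULT_DELAY = timedelta(days=1)   # default delay stated on this page


def parse_restore_delay(text):
    """Parse '<integer><m|h|d>' into a timedelta; reject anything else."""
    match = _DELAY_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"expected an integer followed by m, h or d: {text!r}")
    delay = timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])
    if delay < MIN_DELAY:
        raise ValueError("password restore delay must be at least one minute")
    return delay


def review_restore_delay(text, response_time):
    """Return (delay, findings) for a proposed delay value.

    response_time is a hypothetical figure: how long your team needs to
    notice the restore alarm and contact support.
    """
    delay = parse_restore_delay(text)
    findings = []
    if delay < response_time:
        findings.append("delay is shorter than the alarm response time")
    if delay < DEFAULT_DELAY:
        findings.append("delay is shorter than the one-day default")
    return delay, findings


def restore_effective_at(requested_at, delay):
    """Time at which a restore requested at requested_at takes effect."""
    return requested_at + delay


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster.
    requested = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for proposed in ("5d", "30m"):
        delay, findings = review_restore_delay(proposed, timedelta(hours=4))
        print(proposed, restore_effective_at(requested, delay), findings)
```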