Required First Steps

  • Updated on Jan 31, 2026
  • Published on Jan 27, 2026
  • 4 minute(s) read
Prev Next

Work through the steps before you flag any protection policy or snapshot as indestructible. This procedure ensures that you have a secure way to unlock the indestructibility as and when you need to and that only specifically authorized users may do so.

Step 1: Enroll Users with Authorization to Unlock Indestructibility

Prior to first use of the indestructibility feature, contact VAST support to enroll users with the authorization to unlock the indestructibility mechanism in case of need. The Support agent will guide you through the process. The process will establish how support agents will verify requests to unlock the indestructibility mechanism. It is necessary to provide more than one user account.

Whenever any of the authorized account owners requests a token from support to unlock the indestructibility mechanism, another of the authorized account owners must be available to Support within an hour of the request in order to cross authorize the request.

Step 2: Set the Indestructibility Password

In this procedure, you will unlock the indestructibility system with the aid of the default indestructibility password and then set a new indestructibility password for use in the future if you ever need to unlock the indestructibility system such as for pruning indestructible snapshots, modifying indestructible protection policies or other restricted tasks.

You can use the VAST Web UI or the VAST CLI.

Set the Indestructibility Password from the VAST Web UI

  1. Contact VAST Support using your pre-authorized user account. Explain that you would like to request a support token for unlocking the mechanism for the first time in order to set the indestructibility password.

    You will be asked to provide a VMS generated token and additional information for verifying your identity. Wait until a support agent responds to your request and is available to receive a VMS generated token from you and provide you with a support token in return. The reason for waiting is that the VMS token is valid for one hour.  

  2. When you are ready to generate a VMS token, open the VAST Web UI, navigate to the Indestructibility Settings page. You can do this by searching or you can select Settings from the left navigation menu and then select Indestructibility.

  3. Enter LockPasswd in the Indestructibility Password field. This is the default password.

  4. Click Generate Token.  VMS generates a token. The VMS-generated token is displayed in the Generated Token field.

    The token is valid for one hour.

  5. Provide the token to the support agent. The support agent will seek additional authorization from another authorized user. After further authorization, the agent will provide the support token.

  6. Enter the support token into the Support Token field.

  7. Click Unlock System.

    The indestructibility mechanism will now be unlocked. The status displayed at the top right of the Indestructibility settings page changes to Unlocked.

  8. In the  Restore Password section, click  Modify Password.

  9. Enter LockPasswd (the default indestructibility password) into the Old Indestructibility Password field.

  10. Enter a new password into the New Indestructibility Password field. The password must have at least eight characters.

  11. Re-enter the same new password into the Confirm Password field.

  12. Click Modify and then click Yes to confirm the change.

Set the Indestructibility Password from the VAST CLI

  1. Contact VAST Support using your pre-authorized user account. Explain that you would like to request a support token for unlocking the mechanism for the first time in order to set the indestructibility password.

    You will be asked to provide a VMS generated token and additional information for verifying your identity. Wait until a support agent responds to your request and is available to receive a VMS generated token from you and provide you with a support token in return. The reason for waiting is that the VMS token is valid for one hour.  

  2. When you are ready to generate a VMS token, run the indestructibility unlock command and supply the default password: 

    vcli: admin> indestructibility generate-token --indestructibility-passwd LockPasswd

    This will generate a VMS token.

  3. Provide the token to the support agent. The support agent will seek additional authorization from another authorized user. After further authorization, the agent will provide the support token.

  4. Run the indestructibility unlock command to unlock the system using the token provided by support:   indestructibility unlock

    vcli: admin> indestructibility unlock --challenge-token ******
System unlocked

    The indestructibility mechanism is now unlocked.

  5. Change the password by running the indestructibility modify command with the --new-indestructibility-passwd option:

    indestructibility modify --indestructibility-passwd LockPasswd --new-indestructibility-passwd ********

    If you wish, you can also change the password restore delay in the same command line using the --passwd-delay option. The password restore delay postpones a user-initiated restore of the indestructibility password. The default is one day.

    The indestructibility mechanism will automatically lock again one hour after it was unlocked. No further action is necessary.

Related articles
  • Required First Steps
    VAST Cluster > Version 5.3 > VAST Cluster 5.3 Administrator's Guide > Data Protection > Indestructible Backups
  • Required First Steps
    VAST Cluster > Version 5.2 > VAST Cluster 5.2 Administrator's Guide > Data Protection > Indestructible Backups
  • Required First Steps
    VAST Cluster > Version 5.0 > VAST Cluster 5.0 Administrator's Guide > Data Protection > Indestructible Backups