Soft Delete

This page describes the soft delete feature, which preserves deleted or overwritten objects for a specified length of time. The soft delete feature helps to protect your data from accidental or malicious deletion.

Overview

Soft delete retains deleted objects whether deleted by a delete command or because of an overwrite, ensuring that bucket data is captured and preserved. Soft delete is enabled during the bucket creation process.

When you delete an object from your bucket with soft delete enabled, the following occurs:

  • The deleted object enters a soft-deleted state. In this state, you can't modify the object in any way, and Cloud Storage features like Autoclass and Object Lifecycle Management don't apply to or affect soft-deleted objects.

  • The soft-deleted object is not visible in the bucket unless you explicitly list or restore soft-deleted objects, and the object data contained within the soft-deleted object cannot be read.

  • The bucket retains the soft-deleted object and the metadata of the object at the time it was soft-deleted for a specified retention duration up to 90 days. By default, this retention duration is seven days.

  • Cloud Storage deletes the object permanently after the soft delete retention duration has elapsed. If you no longer want to retain data after deletion, you can disable a soft delete policy. For more information, see Manage soft delete policy.

Considerations before adding a soft delete policy

Soft delete is enabled on new buckets by default with a retention duration of seven days. You can also specify a retention duration of up to 90 days during or after bucket creation. If an existing bucket doesn't have soft delete enabled, you can add a soft delete policy to it. Before you add or change a soft delete policy on an existing bucket, consider the following:

  • Updating a bucket's soft delete policy only applies to objects that you delete after the soft delete policy takes effect. Objects that you deleted prior to the update are retained for the duration that was in effect when they were deleted.

    For example, say you enable a soft delete policy in your bucket with the default retention duration of seven days, and then you delete the object cat.png. In this scenario, cat.png is retained as a soft-deleted object for the next seven days, and then it's permanently deleted. This occurs even if you later change or remove the soft delete policy for your bucket.

  • You can disable a soft delete policy if needed. For more information, see Manage soft delete policy.

  • If you disable the soft delete policy on a bucket that contains soft-deleted objects at the time of disablement, Cloud Storage retains those soft-deleted objects for the specified retention duration before permanent deletion.

  • After you disable the soft delete policy on your bucket, Cloud Storage no longer retains data that you delete.

  • You cannot force delete a soft-deleted object. This is to prevent malicious or accidental deletion. To prevent your bucket from further retaining soft-deleted data, we recommend disabling your bucket's soft delete policy.
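The rule that an object keeps the retention duration in effect when it was deleted determines how long a recovery window stays open after an unwanted deletion. The following added example (not part of the original page) works that out for a constructed policy history; the function names, dates, and object names other than cat.png are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone


def retention_at(policy_history, when):
    """Retention (seconds) of the policy in effect at `when`; 0 if none.

    policy_history is a list of (effective_time, retention_seconds),
    sorted by effective_time. A retention of 0 means soft delete is disabled.
    """
    times = [t for t, _ in policy_history]
    i = bisect_right(times, when)
    return policy_history[i - 1][1] if i else 0


def restore_window(policy_history, deleted_at, now):
    """Return (permanent_delete_time, restorable_now) for one deletion.

    Later policy changes are ignored on purpose: only the policy in effect
    at deletion time counts. permanent_delete_time is None when soft delete
    was disabled at deletion, because the object was never soft-deleted.
    """
    seconds = retention_at(policy_history, deleted_at)
    if seconds == 0:
        return None, False
    expires = deleted_at + timedelta(seconds=seconds)
    return expires, now < expires


UTC = timezone.utc
# Constructed history: 7-day policy, raised to 30 days, then disabled.
HISTORY = [
    (datetime(2024, 5, 1, tzinfo=UTC), 604_800),
    (datetime(2024, 5, 10, tzinfo=UTC), 2_592_000),
    (datetime(2024, 5, 20, tzinfo=UTC), 0),
]
# Constructed deletion times.
DELETIONS = {
    "cat.png": datetime(2024, 5, 9, tzinfo=UTC),   # under the 7-day policy
    "dog.png": datetime(2024, 5, 15, tzinfo=UTC),  # under the 30-day policy
    "fox.png": datetime(2024, 5, 21, tzinfo=UTC),  # after soft delete was disabled
}

if __name__ == "__main__":
    now = datetime(2024, 5, 25, tzinfo=UTC)
    for name, deleted_at in DELETIONS.items():
        print(name, restore_window(HISTORY, deleted_at, now))
```

In this history cat.png is gone after seven days despite the later increase to 30 days, dog.png stays restorable after the policy is disabled, and fox.png was never retained.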

Soft delete retention duration

When you create a Cloud Storage bucket, the soft delete feature is enabled by default with a retention duration of seven days. During the retention duration, you can restore deleted objects, but after the duration ends, Cloud Storage permanently deletes the objects. By updating the bucket's configuration, you can increase the retention duration to 90 days or disable it by setting the retention duration to 0. The minimum number of days with soft delete enabled is seven days.

The soft delete retention duration is measured in seconds; however, some tools, like the Google Cloud console and the Google Cloud CLI, enable you to set and view retention duration with other units of time for convenience.

The following conversions apply in such cases:

  • A day is considered to be 86,400 seconds.
  • A month is considered to be 31 days, which is 2,678,400 seconds.

For the gcloud CLI, when specifying a retention period, you specify an integer and a unit, where the unit can be s, d, or m to signify seconds, days, or months, respectively. For example, 7d43200s sets a retention period of 7 days and 43,200 seconds (seven and a half days).

The maximum retention duration is 7,776,000 seconds (90 days), and the minimum retention duration is 604,800 seconds (7 days). When using REST APIs, you can also set the retention duration to a value of 0, which disables the soft delete policy.
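The conversions and limits above can be checked before a value is applied to a bucket. This added example (not part of the original page, and not the gcloud CLI's own parser) converts an integer-plus-unit string to seconds using the page's definitions and validates the result; the function names are assumptions.

```python
import re

DAY = 86_400                # a day is 86,400 seconds
MONTH = 31 * DAY            # a month is 31 days = 2,678,400 seconds
UNIT_SECONDS = {"s": 1, "d": DAY, "m": MONTH}
MIN_RETENTION = 604_800     # 7 days
MAX_RETENTION = 7_776_000   # 90 days

_TOKEN = re.compile(r"(\d+)([sdm])")


def parse_duration(text: str) -> int:
    """Convert a string such as '7d43200s' to seconds."""
    pos, total = 0, 0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:      # a gap means junk between tokens
            break
        total += int(match.group(1)) * UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if not text or pos != len(text):
        raise ValueError(f"not an integer+unit duration: {text!r}")
    return total


def validate_retention(seconds: int) -> str:
    """Classify a retention value against the limits stated on this page."""
    if seconds == 0:
        return "disabled"             # 0 disables the soft delete policy
    if MIN_RETENTION <= seconds <= MAX_RETENTION:
        return "ok"
    raise ValueError(
        f"{seconds}s is outside {MIN_RETENTION}..{MAX_RETENTION} seconds")


if __name__ == "__main__":
    for sample in ("7d43200s", "90d", "2m", "3m", "6d"):
        seconds = parse_duration(sample)
        try:
            print(sample, seconds, validate_retention(seconds))
        except ValueError as err:
            print(sample, seconds, "rejected:", err)
```

Because a month counts as 31 days, 3m is 93 days and exceeds the 90-day maximum even though it reads like "three months".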

Restore behavior

When you restore a soft-deleted object, Cloud Storage creates a copy of the soft-deleted object in the same bucket the object was deleted from. The restored object's metadata is the same as the metadata of the deleted object. At the end of the soft delete retention duration, Cloud Storage permanently deletes the soft-deleted object.

You can restore the soft-deleted objects before the soft delete retention duration ends.

  • For the restore to be successful, you must start the restore early enough to be able to complete it within the soft delete retention duration, as objects are permanently deleted after that duration ends.
  • You can restore the soft-deleted objects synchronously by specifying a list of objects, or you can create a long-running operation to bulk restore objects deleted between two timestamps.
  • Cloud Storage always restores objects to the same bucket from where they were originally deleted.

If you delete your project, Cloud Storage permanently deletes all the buckets and objects within that project. In such a scenario, you cannot restore objects and buckets using the soft delete feature. Therefore, it is important to take steps to limit access to project-level deletions, such as placing a lien on projects or backing up business-critical data to buckets in a different project.

When you restore a soft-deleted object version, Cloud Storage restores the copy of the soft-deleted object to a live version. If a live version already exists, the copy of the soft-deleted version replaces the live version, and the pre-existing live version becomes soft-deleted. In such a scenario, your bucket contains the following objects:

  • The replaced live object that is in the soft-deleted state
  • Two copies of the previously soft-deleted object – one live copy and one still-soft-deleted copy

All these object copies incur storage charges until the soft-deleted objects are permanently deleted after the retention duration is over. For more information about costs associated with soft-deleted objects, see Cloud Storage pricing.

Cloud Storage also copies the metadata of restored soft-deleted objects when replacing the live object. This means that object-level security metadata and settings like storage class are set to the last state of that specific object version upon restore.

Soft-deleted objects are not permanently deleted upon bucket deletion. However, the correct bucket version must be restored before it is possible to restore the soft-deleted objects inside it. To restore a soft-deleted bucket, contact Google Cloud Support.

Considerations with other features

When soft delete is enabled, it has the following interactions with other Cloud Storage features:

  • Object Lifecycle Management

    • Object Lifecycle Management rules don't affect soft-deleted objects.

    • Objects deleted by Object Lifecycle Management become soft-deleted.

  • Object Versioning

    When you delete a noncurrent object, it becomes soft-deleted.

  • XML API multipart uploads

    XML API multipart upload parts are not protected by soft delete.

  • Autoclass

    • Autoclass management fees are not assessed for soft-deleted objects.

    • Autoclass does not change the storage class of soft-deleted objects.

    • When you restore a soft-deleted object, the resulting object is set to the Standard storage class.

  • Bucket Lock and Object Retention Lock features

    You can't delete objects until they fulfill their retention policies, even if soft delete would retain the object for a sufficient duration.

  • Pub/Sub notifications

    Restoring a soft-deleted version of an object triggers an OBJECT_FINALIZE event.

  • Managed folders

    • Soft delete doesn't apply to managed folders.

    • If you soft delete an object and delete a managed folder that grants IAM policies for the object, you might not have permission to restore the soft-deleted object until you have recreated the IAM policies associated with the managed folder.

  • Tags

    If you create a bucket without specifying a soft delete setting, Cloud Storage creates the bucket with a seven-day soft delete retention duration by default. You can change this default by using a tag. The tag can set the default retention duration for new buckets to any value between 7 and 90 days, or it can disable soft delete on new buckets by default.
