DATA PROTECTION
Covert Copy: The Strongest Air Gap You’ll Never Notice
In a world full of ransomware alarms, red alerts, and blinking dashboards, the smartest move isn’t to react. It’s to be ready. Imagine being able to tuck away a copy of your data so securely that even the most determined intruder couldn’t find it, let alone touch it.
That’s the idea behind Wasabi Covert Copy: a built-in, operator-friendly way to create a true air gapped version of your most important data. No custom networking. No manual policies. No expertise in IAM rules. Just a few clicks, a quick verification, and you’ve created an untouchable vault inside your Wasabi account.
To understand why this matters, and why doing it well in the cloud is harder than it sounds, it helps to start with how air gaps have evolved.
The evolution of the air gap
The concept of an air gap isn’t new. In fact, it’s one of the oldest ideas in data protection: keep your backups physically or logically separated from the systems that might compromise them. In traditional IT environments, that might mean shipping backup tapes offsite or keeping isolated storage arrays disconnected from production networks.
In modern cloud environments, it’s trickier. The “air” between your data and attackers is no longer physical. These days, it’s logical, enforced through permissions, access controls, and APIs. And, in some cases, entirely different storage providers.
Many vendors have tried to recreate this concept for the cloud age. Some offer do-it-yourself “air gap as a service,” combining layers of multi-factor authentication (MFA), manual network configuration, and custom scripts to simulate isolation. Others offer it as an expensive managed service that requires someone else to handle these manual steps.
The problem is that this kind of air gap doesn’t just add cost. It adds a new dependency: the human element. Every extra step creates another moment where something can be misread or rushed during a busy week or a high-pressure incident. As S&P and 451 Research found, misconfiguration or human error is often the root cause of a significant share of cloud data breaches.
That’s how you end up with an air gap that’s technically possible but operationally fragile. So we asked ourselves: What if the safest air gap was also the easiest to implement and the hardest to undo?
Enter Covert Copy
Covert Copy is a patent-pending, built-in way to create an air-gapped version of your data inside your Wasabi account. It’s not a new product or an add-on. It’s part of the platform, designed to give you a protected recovery copy without extra infrastructure or ongoing manual work.
What is a “Covert Copy”?
A Covert Copy is a new bucket type designed to hold an air-gapped copy of data with minimal visibility and tightly controlled access.
You decide what you want to protect, such as a business-critical dataset in a bucket, and then Wasabi creates a copy of the contents. That’s the “copy” part.
The bucket is automatically unlisted from standard S3 list bucket requests. The objects are also unlisted, unless you are specifically granted access to temporarily read/egress them via a multi-user authorization (MUA) request. That’s the “covert” part.
Covert Copy buckets and objects are only accessible to the root user and are protected with MFA and MUA. There isn’t a single action that you can take on the bucket without completing some form of secondary authentication and authorization.
To take it to the next level, all the objects within the bucket are permanently immutable, using S3 Object Lock and several other integrated S3 restrictions.
How it works: Simplicity as a security feature
Every Covert Copy you create is a point-in-time capture of the dataset you’ve chosen to protect. It creates a copy of your data that is frozen in time, in a separate bucket, and can never be altered for as long as you decide to keep it around.
Creating a Covert Copy is intentionally straightforward. Start with the bucket that contains the data you want to protect. In the action menu for that bucket, you’ll see the Covert Copy option.
Wasabi then checks that you have MFA enabled and that you’ve configured the two special MUA activities required. If you haven’t, the console flags what’s missing and points you to the right place to complete it. Those extra checks aren’t just guardrails; they’re part of what makes the system resilient against insider and external threats alike.
Once verified, you’ll select what data to protect, confirm with your MFA code, and click to create. Behind the scenes, Wasabi starts a replication process, quietly and securely copying your data to an invisible Covert Copy bucket.
Within minutes, your data is:
Safely duplicated into a hidden bucket
Perpetually immutable until you decide to delete it
Hidden from anyone but the root user
The process of configuring Covert Copy is self-service, so you stay in control of what data you are protecting. But the process is automated, so there’s no room for human error.
Diving deeper
Covert Copy is enforced through a small set of controls working together:
S3 API isolation: Covert Copy buckets prevent object write and delete operations and restrict List APIs unless access is explicitly granted.
MFA enforcement: Every administrative change requires MFA.
MUA framework: Built-in approval workflow ensures no single user can unilaterally modify or access Covert Copy data.
Object Lock integration: All replicated objects have immutable retention policies, auto-renewed to maintain protection continuity.
Visibility controls: Covert Copy buckets are visible only within your account’s console when logged in as the root user, not via public APIs, ensuring they remain covert.
The result is true logical isolation, implemented through the very APIs that define cloud object storage itself. That’s critical for compliance and even more critical when you’re explaining your ransomware recovery strategy to an auditor, a partner, or your own CISO.
Covert Copy bucket management is also transparent and simple. There are only two things you need to keep track of: bucket status and auto-renew status.
Bucket status
The bucket status lets you know the condition of your bucket:
In progress: Data is still being copied, but objects are already protected.
Covert Copy completed: The copy is complete, data is sealed, and retention is active.
Action required: Retention has elapsed and auto-renew is off, though data remains safeguarded.
Error/failed: A rare case indicating that replication didn’t complete. These can be retried or recreated with ease.
Auto-renew
Auto-renew is essentially perpetual Object Lock cycling that adds an extra layer of protection by preventing the bucket from being deleted. Similar to the way modern backup software handles immutable backups, each renewal extends protection automatically.
Covert Copy uses this auto-renew functionality to renew Object Lock on every object in the bucket every 30 days until you’re ready to delete the bucket. Once you disable auto-renew, the 30-day timer will stop renewing and the bucket will move into an “Action Required” state, indicating it can be deleted with MUA approval, once the retention expires.
But even then, your objects are not suddenly exposed. They remain immutable until deleted, even without Object Lock, and you can re-enable auto-renew at any time to extend their protection window against bucket deletion.
Think of auto-renew as a representation of the lifecycle of your Covert Copy buckets. You only turn it off when you no longer need the data and are ready to delete the bucket.
Recovery access paths
When disaster strikes, whether it’s a ransomware event or an accidental deletion, you may need to restore data from a Covert Copy into your production environment to get back to business as usual. There are two methods to get access, depending on the severity of your situation:
Self-service access for targeted restores. If you need a few objects or folders out of your Covert Copy bucket, you can request time-bounded access through self-service. Your designated MUA security contacts (those assigned the air gap access activity) receive an alert and have 15 minutes to approve. Once approved, you gain temporary access for 24 hours.
During that period, the system temporarily lifts specific API restrictions, allowing GET and List operations while maintaining write immutability. These can be done via the Wasabi Console or programmatically via your S3 client of choice.
Once the window closes, the air gap seals itself again. No lingering permissions or cleanup scripts. This trusted window model ensures that even legitimate recovery activities don’t compromise the data’s integrity.
Recovery Mode for full restore workflows. If you need all the data out of your bucket or need to recover it to your backup application, you can engage with Wasabi Support to enable Recovery Mode. This is an “in case of emergency, break glass” tool that surfaces the bucket into the standard list buckets response, making the objects visible and fully accessible to your backup application.
Even in Recovery Mode, your data is still immutable. After recovery is complete, the bucket returns to its prior hidden state.
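The self-service window rules described above (15 minutes to approve, then 24 hours of GET and List only, with writes never allowed) can be checked against an audit trail after a restore. This is an added example, not Wasabi code: the event format and the sample log are constructed for illustration, and it assumes the 24-hour window starts at approval and that no Recovery Mode session is active.

```python
from datetime import datetime, timedelta

APPROVAL_DEADLINE = timedelta(minutes=15)  # approvers have 15 minutes (from the article)
ACCESS_WINDOW = timedelta(hours=24)        # access lasts 24 hours once approved
READ_OPS = {"GET", "LIST"}                 # only reads are lifted; writes never are

# Constructed audit events in a hypothetical "timestamp kind detail" format.
SAMPLE_LOG = """\
2025-03-01T09:00:00 REQUEST req-1
2025-03-01T09:10:00 APPROVE req-1
2025-03-01T09:30:00 OP LIST allowed
2025-03-01T10:00:00 OP GET allowed
2025-03-01T10:05:00 OP PUT denied
2025-03-02T09:30:00 OP GET allowed
2025-03-03T08:00:00 REQUEST req-2
2025-03-03T08:20:00 APPROVE req-2
2025-03-03T08:25:00 OP GET allowed
2025-03-03T08:30:00 OP DELETE allowed
"""

def audit(log_text):
    """Return (timestamp, reason) for every event that breaks the window rules."""
    findings, requested, window_end = [], {}, None
    for line in log_text.splitlines():
        stamp, kind, *rest = line.split()
        ts = datetime.fromisoformat(stamp)
        if kind == "REQUEST":
            requested[rest[0]] = ts
        elif kind == "APPROVE":
            asked = requested.pop(rest[0], None)
            if asked is None or ts - asked > APPROVAL_DEADLINE:
                findings.append((stamp, "approval without a request inside the 15-minute deadline"))
            else:
                window_end = ts + ACCESS_WINDOW  # a valid approval opens a fresh window
        elif kind == "OP":
            op, outcome = rest
            if outcome != "allowed":
                continue  # denied calls are the expected result of the air gap
            if op not in READ_OPS:
                findings.append((stamp, f"{op} succeeded on an immutable bucket"))
            elif window_end is None or ts > window_end:
                findings.append((stamp, f"{op} succeeded outside an approved window"))
    return findings

if __name__ == "__main__":
    for stamp, reason in audit(SAMPLE_LOG):
        print(stamp, reason)
```

Any finding here means the observed behaviour differs from the documented window model and is worth raising with your MUA security contacts.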
Best practices
Covert Copy fits a range of protection scenarios, especially when you need a recovery copy that’s intentionally difficult to discover, modify, or delete, like:
Ransomware-resilient backups
Regulatory archival storage
Insider threat mitigation
If the data is mission-critical, it’s a good candidate for Covert Copy. It’s recommended that you keep at least one Covert Copy of your most sensitive datasets at any given time.
Because each Covert Copy is a point-in-time capture, it’s worth refreshing periodically so the protected copy stays useful during recovery. A common approach is to create a new Covert Copy every 90–120 days for the buckets you care about most, then disable auto-renew on older copies so they can be deleted when you’re ready to retire them.
If you intend to retire the old copy when you create a new Covert Copy, disable auto-renew on the old one first so that you can delete the stale copy when the time comes.
Note that Covert Copy works best as a sealed recovery layer, not an everyday destination bucket for routine data management. Treat it like a vault: put the right things in, verify you can get them back, and leave it sealed unless you need it.
Ready when you are
An air gap only works if it’s both secure and sustainable. Covert Copy gives you that balance: isolation enforced by the storage layer, protection that holds, and a recovery path you can trust under pressure.
You don’t have to think about it every day. You just have to know it’s there. Sometimes, the most powerful protection is the one you never notice, and it’s available today in the Wasabi Console.
Learn more about how Covert Copy can strengthen your data protection strategy, or simply sign in to your Wasabi account and give it a try.