Append-only backups with restic and rclone
source link: https://www.tuicool.com/articles/hit/IbMjQj6
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
One issue with most backup solutions is that an attacker controlling the local system can also wipe its old backups. To prevent this the backup must permit append-only backups (also called add-only backups). Restic is a sophisticated backup tool which is easy to use, supports encryption and many backends to store the data. In combination with rclone it can be used to support append-only backups. The goal of this guide is to convert regular restic backups via SFTP to support append-only backups.
Lets assume the following setup: The backup is running on the current host and
is saved via restic
to the host example.org
in the directory data
in the
home directory of the user user
. Backups are thus currently performed with:
restic -r sftp:[email protected]:data backup ...
First rclone
must be installed on example.org
.
Then the SFTP setup must be changed to permit regular SSH logins (this
prevents the easy use of chroot with ForceCommand internal-sftp
) and the
following force command must be configured for user
(normally in ~user/.ssh/authorized_keys
):
restrict,command="rclone serve restic --stdio --append-only ./data" ssh-rsa ...
This way each login of user
with this key will forcibly run rclone
with
the --append-only
flag, preventing modification and removal of files.
Password logins must be disabled! An alternative is to use ForceCommand
in /etc/ssh/sshd_config
inside a Match
-block. ./data
is the path relative to user
's home where the backup is stored. Ensure this cannot be used to
overwrite ~user/.ssh/authorized_keys
.
This leaves only the modified backup command:
restic -o rclone.program='ssh [email protected] forced-command' -r rclone: backup ...
This tells restic
to use the rclone
backend with the given ssh command. forced-command
is optional but helps to document that all given arguments
are discarded and replaced by SSH.
Instead of backup
all regular restic
commands can be used. However, as
intended, all modifications to the backup repository will be forbidden.
Last updated 2019-03-09 18:02:51 CET
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK