restic is a deduplicating backup software, designed for ease of use and security. Rclone is a versatile program for syncing data between a huge variety of protocols and cloud providers. What is especially nifty is that restic can use rclone as a backend, which extends restic's possible destinations to most cloud providers.
Setting up an automated backup from one machine is no problem. This can be done quite easily with
restic -p password_file -r sftp://user@destination/srv/backups init
Backups are then made with
restic -p password_file -r sftp://user@destination/srv/backups backup /srv/backmeup
If a malicious actor has access to the source machine, they will have read and write access to the backup on the destination. To avoid giving the malicious actor write access to already existing backups, we need to ensure that existing backups on the destination are never changed. This is done by making the destination immutable: once data is written, it cannot be changed later.
This can be solved in a couple of ways
- Use an immutable backend, for example immutable object storage in the cloud.
- Make any destination immutable by relaying all traffic through a secured rclone proxy running in append-only mode.
Design: relay traffic through a proxy
     source               intermediate                destination
+---------------+       +--------------+    chosen   +-----------+
|               |  SSH  | rclone       |  transport  | favorite  |
| /srv/backmeup | ----> | append only  | ----------> | cloud     |
|               |       | relay        |             | storage   |
+---------------+       +--------------+             +-----------+
Create a SSH key on the source without a password.
ssh-keygen -t ed25519 -f .ssh/id_ed25519 -N ''
Print the newly created public key (.ssh/id_ed25519.pub); it goes into the intermediate's authorized_keys below.
Secure the intermediate server as you see fit. Do not allow unrestricted SSH from the source.
Log in to the intermediate as your user (user@intermediate in this example).
Create an rclone remote (profile) pointing at the final destination; in this case it is called myprofile.
Test the profile.
rclone ls myprofile:
Allow the source to SSH into the intermediate and run only a very limited rclone, which may only append data to myprofile. Edit ~/.ssh/authorized_keys on the intermediate and add a line like the following, using the source's public key from the previous step:
restrict,command="rclone serve restic --stdio --append-only myprofile:backups" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAS2qJU7yIDRVY9cgjyJ0tGM32aB/aaeSwjQ0O/RTN6d
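The whole scheme rests on that one authorized_keys line: if a key on the intermediate lacks `restrict`, re-enables a restriction such as `pty`, or forces a command without `--append-only`, a compromised source gets more than append access. The following audit script is an added example, not part of the original post or of restic/rclone; the file contents are constructed sample data, and the function names are my own. It parses each entry the way sshd does (options are comma-separated, and a quoted command may itself contain commas) and reports every key that would not be limited to the append-only proxy.

```python
"""Audit an authorized_keys file for the append-only rclone proxy setup.

Added example (not from the original post): every key on the intermediate
should carry `restrict` plus a forced command of the form
`rclone serve restic --stdio --append-only <remote>:<path>`, and must not
re-enable pty, forwarding or user-rc. Anything else is reported.
"""
from __future__ import annotations

import shlex

# Options that undo parts of `restrict` when listed alongside it.
RISKY_OPTIONS = {"port-forwarding", "pty", "agent-forwarding", "x11-forwarding", "user-rc"}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

# Constructed sample file: line 2 is the intended entry, 3 and 4 are mistakes.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real authorized_keys file
restrict,command="rclone serve restic --stdio --append-only myprofile:backups" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY source-host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY2 laptop
command="rclone serve restic --stdio myprofile:backups",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY3 other-host
"""


def split_options(options: str) -> list[str]:
    """Split sshd's comma-separated option list; commas inside "..." are kept."""
    out: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_entry(line: str) -> tuple[list[str], str]:
    """Return (options, key type). The options field is optional and ends at
    the first whitespace that is not inside a quoted value."""
    if line.startswith(KEY_TYPES):
        return [], line.split()[0]
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return split_options(line[:i]), line[i:].split()[0]
    raise ValueError("malformed authorized_keys line")


def audit_entry(line: str) -> list[str]:
    """Return the problems found in one entry; an empty list means acceptable."""
    opts, _keytype = parse_entry(line)
    names = {o.split("=", 1)[0].lower() for o in opts}
    problems: list[str] = []
    if "restrict" not in names:
        problems.append("missing restrict")
    for name in sorted(names & RISKY_OPTIONS):
        problems.append(f"re-enables {name}")
    cmd = next((o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")), None)
    if cmd is None:
        problems.append("no forced command (key grants a shell)")
    else:
        argv = shlex.split(cmd.strip('"'))
        if argv[:3] != ["rclone", "serve", "restic"]:
            problems.append(f"forced command is not rclone serve restic: {cmd}")
        else:
            if "--stdio" not in argv:
                problems.append("rclone serve restic without --stdio")
            if "--append-only" not in argv:
                problems.append("rclone serve restic without --append-only")
    return problems


def audit_file(text: str) -> dict[int, list[str]]:
    """Map line number -> problems for every non-comment entry that fails the audit."""
    findings: dict[int, list[str]] = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problems = audit_entry(line)
        if problems:
            findings[number] = problems
    return findings


if __name__ == "__main__":
    for number, problems in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"line {number}: " + "; ".join(problems))
```

Run it against the real file on the intermediate with `audit_file(open('/home/user/.ssh/authorized_keys').read())`; an empty result means every key is confined to the append-only proxy. The check is deliberately strict about `--stdio` too, since without it `rclone serve restic` would try to open a network listener instead of talking over the SSH session.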
Back on the source
Create a unique password for the backup. Take note of this password! You will not be able to restore without it.
apg -m 32 | head -1 > restic.pwd
chmod 400 restic.pwd
cat restic.pwd
Initiate restic backup repository.
restic -o rclone.program='ssh user@intermediate' -p restic.pwd -r rclone: init
Back up your data.
restic -o rclone.program='ssh user@intermediate' -p restic.pwd -r rclone: backup /srv/backmeup
Create a job that runs restic regularly.
You can use all restic commands as normal, except the repair and cleanup commands, since those need to delete or rewrite existing data and the append-only proxy refuses that.
Now you have a source that backs up its data online.
If the source gets compromised, the malicious actor cannot
- Delete or change old backups.
- Know the final destination of the backups.
Keep in mind:
- The source should never have normal SSH access to the intermediate.
- Access to the intermediate should be restricted. 2FA is recommended, for example a YubiKey.