Comments on Economical append-only offsite backups with restic and Wasabi on Debian 10

This guide shows how to install and configure the free backup software restic on Debian Buster to store off-site backups with the cloud storage provider Wasabi. The main advantage of this setup is that it enforces append-only backups: once a backup has been made, it cannot be overwritten or erased from the system the backup was taken from.

4 Comment(s)


Comments

By: Michael Gebetsroither

btw... we are maintaining a tiny patch for restic to achieve the same with _far_ less complexity than described in your howto.

https://github.com/mgit-at/restic/tree/backup-nolock

With this you can directly back up into Google Cloud Storage Buckets without edit permissions (just write and read), which means you can create a backup that cannot be tampered with in any way after creation.

By: Thomas Höjemo

Hi Michael!

That looks like an interesting patch! Are you planning to try to have it integrated into the master tree of restic? For those that prefer to have security updates installed automatically through their package manager it would be great to have the functionality directly in restic.

Cheers,

Thomas

By: Mike

Am I right in thinking that after following the above instructions, any random user on the local system gets access to read and write to wasabi buckets at http://localhost:8001 and http://localhost:8002 ?

By: Lars

Mike, that's correct. With this solution, any local user would be able to access the Wasabi buckets. They would not have write access to the backups, because the backend was configured to be immutable (https://www.howtoforge.com/economical-append-only-offsite-backups-with-restic-and-wasabi-debian/#-set-the-data-bucket-to-be-immutable-appendonly), but they would have read access to everything.

It may be possible to mitigate this by running these services in a private network namespace (e.g., https://cloudnull.io/2019/04/running-services-in-network-name-spaces-with-systemd/).