First written 2019-03-09; Last updated 2021-09-25
One issue with most backup solutions is that an attacker controlling the local system can also wipe its old backups. To prevent this, the backup must permit append-only backups (also called add-only backups). Restic is a sophisticated backup tool that is easy to use and supports encryption and many backends to store the data. In combination with rclone it can be used to support append-only backups. The goal of this guide is to convert regular restic backups via SFTP to support append-only backups.
Let's assume the following setup: the backup is running on the current host and is saved via restic to the host example.org in the directory data in the home directory of the user user. Backups are thus currently performed with:
restic -r sftp:user@example.org:data backup ...
First, rclone must be installed on example.org.
If the SFTP setup permits only SFTP, it must be changed to permit regular SSH logins (this prevents the easy use of chroot with ForceCommand internal-sftp), and the following forced command must be configured for user (normally in ~user/.ssh/authorized_keys):
restrict,command="rclone serve restic --stdio --append-only ./data" ssh-rsa ...
This way each login of user with this key will forcibly run rclone with the --append-only flag, preventing modification and removal of files.
Password logins must be disabled! An alternative is to use ForceCommand in /etc/ssh/sshd_config inside a Match block. ./data is the path relative to user's home where the backup is stored. Ensure this cannot be used to overwrite ~user/.ssh/authorized_keys.
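The following check is an added example, not part of the original guide or of restic/rclone: it audits an authorized_keys file and reports every key that is not pinned to the forced command shown above with the restrict option. The function name audit_authorized_keys, its reason labels and the sample key lines are constructed for illustration.

```sh
# audit_authorized_keys FILE: hypothetical helper (not part of restic or rclone).
# Prints each key line that is not pinned to the append-only forced command
# and returns 1 if any such line exists, 0 otherwise.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")
        # The options field ends at the first whitespace outside quotes.
        opts = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            if (!inq && (c == " " || c == "\t")) break
            opts = opts c
        }
        # Drop quoted values so "restrict" only matches as an option name.
        names = opts; gsub(/"[^"]*"/, "", names)
        why = ""
        if (index("," names ",", ",restrict,") == 0) why = why " no-restrict"
        cmd = ""
        if (match(opts, /command="[^"]*"/))
            cmd = substr(opts, RSTART + 9, RLENGTH - 10)
        if (index(cmd, "rclone serve restic ") != 1) why = why " wrong-command"
        else if (index(cmd " ", " --stdio ") == 0) why = why " no-stdio"
        else if (index(cmd " ", " --append-only ") == 0) why = why " no-append-only"
        if (why != "") { printf "line %d:%s\n", NR, why; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample file: key material and comments are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict,command="rclone serve restic --stdio --append-only ./data" ssh-rsa AAAAconstructed backup
restrict,command="rclone serve restic --stdio ./data" ssh-rsa AAAAconstructed old-backup
ssh-ed25519 AAAAconstructed admin-laptop
EOF
audit_authorized_keys "$sample" || echo "keys without the append-only forced command found"
rm -f "$sample"
```

Run it on example.org against ~user/.ssh/authorized_keys; any reported line is a key that can still log in without the append-only restriction.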
This leaves only the modified backup command:
restic -o rclone.program='ssh user@example.org forced-command' -r rclone: backup ...
This tells restic to use the rclone backend with the given ssh command. forced-command is optional but helps to document that all given arguments are discarded and replaced by SSH.
Instead of backup, all regular restic commands can be used. However, as intended, all modifications to the backup repository will be forbidden.