One issue with most backup solutions is that an attacker controlling the local system can also wipe its old backups. To prevent this the backup must permit append-only backups (also called add-only backups). Restic is a sophisticated backup tool which is easy to use, supports encryption and many backends to store the data. In combination with rclone it can be used to support append-only backups. The goal of this guide is to convert regular restic backups via SFTP to support append-only backups.
Lets assume the following setup: The backup is running on the current host and
is saved via
restic to the host
example.org in the directory
data in the
home directory of the user
user. Backups are thus currently performed with:
restic -r sftp:firstname.lastname@example.org:data backup ...
rclone must be installed on
Then the SFTP setup must be changed to permit regular SSH logins (this
prevents the easy use of chroot with
ForceCommand internal-sftp) and the
following force command must be configured for
user (normally in
restrict,command="rclone serve restic --stdio --append-only ./data" ssh-rsa ...
This way each login of
user with this key will forcibly run
--append-only flag, preventing modification and removal of files.
Password logins must be disabled! An alternative is to use
/etc/ssh/sshd_config inside a
./data is the path relative to
user's home where the backup is stored. Ensure this cannot be used to
This leaves only the modified backup command:
restic -o rclone.program='ssh email@example.com forced-command' -r rclone: backup ...
restic to use the
rclone backend with the given ssh command.
forced-command is optional but helps to document that all given arguments
are discarded and replaced by SSH.
backup all regular
restic commands can be used. However, as
intended, all modifications to the backup repository will be forbidden.
backLast updated 2019-03-09 18:02:51 CET