Disclaimer: I tried to find this on the forums, but couldn’t get a clear answer
Hi there!
Backblaze B2 offers something called “Object Lock” (How Object Lock Protects Your Data From Ransomware) that prevents removing objects for a specified period of time, and that can be used as a protection for ransomware or other malware preventing them to delete your healthy snapshots for a number of days (at least this is what I understood ).
But I’m not very clear how this should be enabled, or if this setting could be configured per snapshot-basis when performing the backup from restic.
My question is: How should I enable the Object Lock feature for B2 backend for an existing backup/bucket? Can this be configured straight in restic somehow? And what’s the best or recommended practice for this?
There’s unfortunately no support for Object Locks in restic so far.
To manually enable object locks, it would be necessary to periodically extend the lock for all objects that have not been deleted in the meantime, followed by a check run to verify that the repository is intact.
However, there are still a few problematic corner cases that are not covered by that approach.
What do you mean by “periodically extend the lock for all objects that have not been deleted in the meantime”?
Probably I’m not fully aware on how Object Locks work in the remote side.
Isn’t that simply a protection to avoid undesired/unauthorized snapshot removals? I mean, in case I would activate a 7-day lock on the B2 bucket, and then I try to do restic forget --prune <yesterday's snapshot>, would the remote B2 repository simply reject the deletion? Would that cause any harm or undesired side-effect?
In general, do you think it is good idea or safe to enable Object Lock in the remote bucket?
Thank you!
N.B. My use case is a homedir backup on daily basis using the Backblaze B2 backend.
Object Locks in B2 work in a somewhat different way, but the interaction with restic’s repository structure makes things far more complex. Let’s start with plain Object Locks: it is still possible to hide files in a bucket, such that restic won’t see them anymore, however, the files cannot be deleted until the Object Lock expires. Restoring such a snapshot would currently require to manually undelete these files.
A snapshot created by restic consists of several files, in particular the deduplication makes use of files from older snapshots. Thus, to guarantee that a snapshot can be restored for a certain period, all relevant files must be protected with a sufficiently long Object Lock. Just applying an Object Lock once therefore won’t work.
Isn’t the B2 Object Lock simply taking from S3-API-Design perspective with Object-Locking which enables Versioning too?
I’m saying I use Minio S3 specifically for that reason - with Object Locking and Versioning enabled. Then I give only PutObject Permissions for the Restic Client.
That way the possible ransomware can try to override the files in the S3 bucket until you run out of storage … which still does not hinder you from rolling back to the initial version.