I’m investigating replacing an existing backup server (non-restic based) with a cloud storage (and restic).
One of the features of the existing server is that it uses a pull model so that if the machines which are being backed up get compromised, the backups (which are versioned) can still be trusted.
I’m aware of the --append-only flag for the REST server, but wanted to look at options for using cloud storage.
I’ve not used Backblaze, but I noticed that it supported application keys, so that you could create a key without delete permissions.
Would it be feasible to create an application key for each server with write-only permissions, and have a separate secured server (e.g. one which requires physical access to log in) perform the prune, and check operations (and maybe make that the only option for restores) by creating an extra application key and granting it full permissions over the restic b2 bucket which the “main” server backs up to?
Would it also be possible to share a bucket between multiple servers and use application key permissions to prevent compromised servers reading data which other servers have backed up? I’m assuming metadata needs to be read by each restic client, so that this might not be possible (however, application keys can be limited to specific file prefixes, so maybe it could be made to work?).