Hi, I’m looking to start using restic for backups, most likely using S3 or similar as the backend. I had a question about this section in the design doc:
However, the restic backup program is not designed to protect against attackers deleting files at the storage location. There is nothing that can be done about this. If this needs to be guaranteed, get a secure location without any access from third parties. If you assume that attackers have write access to your files at the storage location, attackers are able to figure out (e.g. based on the timestamps of the stored files) which files belong to what snapshot. When only these files are deleted, the particular snapshot vanished and all snapshots depending on data that has been added in the snapshot cannot be restored completely. Restic is not designed to detect this attack.
(I’m assuming that storage location refers to the repo located remotely, e.g. S3, and not to the data files being backed up. If this is wrong, please disregard the rest of my questions.)
I’m interested in better understanding the meaning of “Restic is not designed to detect this attack”. Hypothetically, if someone did alter the repo as described, does it mean that subsequent backups would appear to work successfully, but then not be usable for restores because required data is missing? Or would the next backup attempt complete successfully and be valid (assuming no further files are deleted)?
I saw some more discussion of the threat model on GitHub, but it still didn’t quite clarify this scenario (to me anyway). I’m less concerned about the risk of random snapshots in the repo being manipulated, but I wanted to confirm that this wouldn’t affect subsequent backups.
Thanks for reading and I look forward to trying out restic!
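The design-doc paragraph quoted above says restic does not detect deleted files at backup time, so a practitioner who wants to notice that case needs a separate verification step. The following is an added example, not code from the post or from the restic project: a POSIX shell wrapper that runs a backup and then `restic check` (optionally with `--read-data`, both real restic commands), and reports a distinct status for each step. It assumes restic is installed and that the repository is selected through restic's own `RESTIC_REPOSITORY` and `RESTIC_PASSWORD` environment variables; the backup source path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the post or the restic project: run a backup and then
# verify the repository, so that a pack deleted at the storage location shows up
# as a failed check instead of silently breaking a later restore.
# Assumes restic is installed and RESTIC_REPOSITORY / RESTIC_PASSWORD (restic's
# own environment variables) point at the repository.
set -u

# Map the numeric result of backup_and_verify to a short reason string.
describe_result() {
  case "$1" in
    0) echo "ok" ;;
    2) echo "backup failed" ;;
    3) echo "repository check failed (missing or damaged packs)" ;;
    *) echo "unknown status $1" ;;
  esac
}

# Back up $1, then check the repository. Returns 0 only if both steps passed.
# Pass "full" as $2 to also read every pack file (slower, but it catches
# corrupted pack contents that the structural check alone does not read).
backup_and_verify() {
  src="$1"
  mode="${2:-quick}"
  restic backup "$src" || return 2
  if [ "$mode" = "full" ]; then
    # Structural check plus reading and verifying all pack data.
    restic check --read-data || return 3
  else
    # Structural check: index, tree and pack references must all resolve.
    restic check || return 3
  fi
  return 0
}

# Usage (placeholder path):
# backup_and_verify /path/to/data full; describe_result $?
```

Scheduling the check after each backup (or a `--read-data` run less often, since it downloads the whole repository) turns the silent case the design doc describes into a failed job. Whether deletion can be prevented in the first place is a property of the backend rather than of restic; with S3 or similar, that would mean restricting delete permissions on the bucket for the credentials restic uses, which is an assumption on my part about your setup rather than something the quoted text prescribes.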