I like to keep a local repository for systems being backed up to recover from human error (“oops, didn’t mean to delete that”) but keep a remote one for catastrophic failures, including hardware failures and attacks by malicious third parties. In the case of ransomware in particular, it’s vital to have an off-system append-only copy that the attacker cannot encrypt.
The problem is that there doesn’t seem to be a good way to implement this currently. There are basically two options:
- Off-system, run an append-only REST server as well as a read-only mechanism (HTTP) for reading the repository. Back up to the REST server, then synchronize to the local repository from that.
  - This requires running two services; we need a secondary server to sync the changes back since nothing but restic appears to talk the client half of the restic REST server protocol.
  - Requires sending the data out and then fetching it back; inefficient, and also possibly needlessly expensive when outbound traffic from the off-system server is metered.
- Back up locally, then copy all new data to the off-system append-only REST server.
  - There doesn’t appear to be any existing tool that can perform this copying.
- Use some other rclone-supported server that has an append-only storage mode.
  - I’m not sure that any exist.
Am I missing something here? Is this possible today without resorting to the terrible first option?