I was thinking… if I have the “env”/credentials file on the server, anyone hacking my server could find that file and then run purge/forget commands with restic, thereby clearing all the backups I have from that server.
Even if I don’t have the file always living on the server, and only when the backup runs, there’s still a risk that the hacker could find it while the backup runs.
Is there a way we could have a separate credential/user that only has permission to create a snapshot, but no permissions to forget/purge or do anything else to existing snapshots?
Happy to know your opinion on what best practices are usually followed to prevent disasters of backups being compromised together with the server being hacked.
Yes, you can! Since you’re using AWS, here is my answer to a similar question.
There is a small catch, one can still replace files with empty files and create a lot of snapshots. That’s only a problem if you’re doing forget/prune automatically though.
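To make the answer above concrete for the question asked, here is an added example (my own code, not restic's and not from either poster). It models the common "append-only" S3 setup: an IAM policy that lets the backup user list, read and write objects but delete only under `locks/`, and checks that policy against a simplified list of the S3 requests `restic backup`, `restic forget` and `restic prune` issue. The bucket name, the object names and the per-command request lists are constructed assumptions for illustration, as is the minimal IAM evaluator (explicit Deny wins, otherwise any matching Allow, default deny). It also reports the residual risk the answer mentions: PutObject on an existing data object replaces it, which only bucket versioning or Object Lock, not IAM, can close.

```python
import fnmatch
import json

BUCKET = "arn:aws:s3:::example-restic-bucket"  # placeholder bucket name (constructed)

# Constructed "append-only" policy: list/read/write everywhere, delete only under locks/.
APPEND_ONLY_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "{BUCKET}"}},
    {{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "{BUCKET}/*"}},
    {{"Effect": "Allow", "Action": "s3:DeleteObject",
      "Resource": "{BUCKET}/locks/*"}}
  ]
}}
""")

# The kind of credential the question worries about: full access to the bucket.
FULL_ACCESS_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Simplified model of the S3 requests each restic command makes against the repository
# layout (config, keys/, locks/, data/, index/, snapshots/). This is an assumption for
# illustration, not restic's exact request list; object names are made up.
RESTIC_COMMANDS = {
    "backup": [
        ("s3:ListBucket", BUCKET),
        ("s3:GetObject", f"{BUCKET}/config"),
        ("s3:GetObject", f"{BUCKET}/keys/0123abcd"),
        ("s3:PutObject", f"{BUCKET}/locks/4567ef01"),
        ("s3:PutObject", f"{BUCKET}/data/ab/ab89cdef"),
        ("s3:PutObject", f"{BUCKET}/index/2345abcd"),
        ("s3:PutObject", f"{BUCKET}/snapshots/6789abcd"),
        ("s3:DeleteObject", f"{BUCKET}/locks/4567ef01"),  # backup removes its own lock
    ],
    "forget": [
        ("s3:ListBucket", BUCKET),
        ("s3:DeleteObject", f"{BUCKET}/snapshots/6789abcd"),
    ],
    "prune": [
        ("s3:ListBucket", BUCKET),
        ("s3:DeleteObject", f"{BUCKET}/data/ab/ab89cdef"),
        ("s3:DeleteObject", f"{BUCKET}/index/2345abcd"),
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow,
    otherwise denied. IAM '*' matches across '/' like fnmatch does; actions are
    case-insensitive."""
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                         for pattern in _as_list(statement["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pattern)
                           for pattern in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def denied_requests(policy, command):
    """Requests of a restic command that the policy would reject."""
    return [(action, resource) for action, resource in RESTIC_COMMANDS[command]
            if not is_allowed(policy, action, resource)]


def is_append_only(policy):
    """Backup must succeed completely; forget and prune must each hit a denial."""
    return (not denied_requests(policy, "backup")
            and bool(denied_requests(policy, "forget"))
            and bool(denied_requests(policy, "prune")))


def can_overwrite_existing_data(policy):
    """Residual risk from the thread: PutObject on an existing data object replaces it.
    IAM cannot distinguish create from overwrite; use versioning/Object Lock for that."""
    return is_allowed(policy, "s3:PutObject", f"{BUCKET}/data/ab/ab89cdef")


if __name__ == "__main__":
    for name, policy in (("append-only", APPEND_ONLY_POLICY),
                         ("full-access", FULL_ACCESS_POLICY)):
        print(f"{name}: append_only={is_append_only(policy)}, "
              f"can_overwrite={can_overwrite_existing_data(policy)}")
        for command in RESTIC_COMMANDS:
            print(f"  {command}: denied {denied_requests(policy, command)}")
```

Running it shows the append-only policy letting `backup` through untouched while `forget` and `prune` fail on their DeleteObject calls, and the full-access policy passing everything. `can_overwrite_existing_data` stays `True` for both, which is the catch in the answer: a stolen append-only credential cannot delete snapshots, but it can still overwrite objects, so keep `forget`/`prune` on a separate, better-protected credential and enable bucket versioning if you want the overwrite case covered too.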