First, I’m fairly new to restic and IT security, so I hope my questions are not too dumb.
I have a machine at home that is exposed to the internet through a DMZ. It hosts a Nextcloud instance. I want to back up the data on that machine to OneDrive using rclone/restic.
Solution 1:
Using rclone/restic directly on that machine, with the usual setup and regular backups. My question is: if that machine gets compromised/hacked, is there any risk of me losing the data present in my OneDrive backup? In other words, are my fears legitimate? My restic password is saved in /etc/environment, as the cron job won’t work otherwise.
Solution 2:
I could use rclone to mount Nextcloud on another safe/isolated machine. I could also mount OneDrive there, and then regularly back up from one to the other.
Which solution do you believe is safer?
Happy to be told of another alternative as well, I’m here to learn and get help.
Thanks,
If the machine is able to delete data in a backup, so is an attacker. Unless OneDrive offers some way to prevent data deletion I don’t know about.
If an attacker cannot compromise the isolated machine, then that’s probably the safest option. Another way would be to set up rclone in append-only mode, similar to the description at “Append-only backups with restic and rclone”, just with OneDrive as the target and not a local repository.
Please don’t. Either store the password in a file that is only readable by the proper user and use --password-file filename as a parameter for restic, or create a wrapper script which sets the proper environment variables.
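An added example (not part of the thread and not restic's own code) of the approach suggested in the reply above: a cron-friendly wrapper that refuses to run unless the password file is a regular file owned by the calling user with no group/other permission bits, then passes it to restic via --password-file. The repository string, password file location and source directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: wrapper for a cron-driven restic backup.
# Assumptions (not from the thread): the rclone remote name "onedrive",
# the password file location and the source directory are placeholders.

REPO="${REPO:-rclone:onedrive:restic-repo}"                      # assumed remote/path
PASSWORD_FILE="${PASSWORD_FILE:-$HOME/.config/restic/password}"  # assumed location
SOURCE_DIR="${SOURCE_DIR:-/srv/nextcloud/data}"                  # assumed data dir

# Succeeds only if the file is a regular file (not a symlink), is owned by
# the user running the script, and has no group/other permission bits set.
check_password_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "password file missing or not a regular file: $f" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "password file not owned by current user: $f" >&2
        return 1
    fi
    # First 10 characters of the ls mode string, e.g. "-rw-------"
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) echo "password file too permissive ($mode): $f" >&2; return 1 ;;
    esac
}

# Runs the backup only after the permission check has passed.
run_backup() {
    check_password_file "$PASSWORD_FILE" || return 1
    restic -r "$REPO" --password-file "$PASSWORD_FILE" backup "$SOURCE_DIR"
}

# Only act when invoked as: <script> backup (e.g. from the user's crontab)
if [ "${1:-}" = "backup" ]; then
    run_backup
fi
```

The check protects the password from other local accounts only; anyone who gains the backup user's privileges or root on that machine can still read it, which is why the delete-capability point above still applies.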
Actually, the restriction of commands won’t work, I believe.
It restricts the commands a user can run when ssh-ing to a remote server.
I wasn’t planning on letting my DMZ machine ssh to my safe/LAN network. It’s actually the safe LAN/machine that would ssh to the DMZ to back up the data. That way no restic/rclone is on the machine that could be compromised.